
Creating service accounts dynamically

In automated systems, such as CI/CD pipelines, you may need to generate service accounts dynamically for the Venafi Kubernetes Agent deployed on your Kubernetes cluster.

To do this, you must first create a master service account with the svcaccount-write scope using the Venafi CLI tool. A master service account enables API clients and the Venafi CLI tool to then create other service accounts with different scopes as required.

Follow the steps below to create a master service account, and then use it to create another service account dynamically.

Step 1: Create a master service account with the svcaccount-write scope

  1. If you haven't done so yet, download and install the Venafi CLI tool.
  2. Use the following command to create a master service account and store the service account credentials in a master-sa.json file.

    venctl iam service-account custom-integration create --api-key XYZ --name "my-master-sa" --scopes svcaccount-write --output-file master-sa.json


    For instructions on how to get hold of your API key, see Obtaining your API key.

Step 2: Use the master service account to create other service accounts

Once you have created a master service account as shown above, you can create other service accounts by passing the master service account credentials file to the --auth.key-file flag of the relevant venctl iam service-account create command, as in the following example:

    venctl iam service-account agent create --name "my-agent-sa" --output secret --output-file agent-credentials.json --owning-team XYZ --auth.key-file master-sa.json
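
A CI wrapper for Step 2, as an added example that is not part of the Venafi documentation: it refuses to use a master key file that group or others can access, and it creates the new credentials file under umask 077. It uses only the venctl flags shown above; the function names and the MASTER_KEY_FILE and OWNING_TEAM variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Venafi's own code. Only venctl flags shown on this page are used.
# Hypothetical names: key_file_is_private, create_agent_sa, MASTER_KEY_FILE, OWNING_TEAM.

# Succeeds only if the file exists and has no group/other permission bits set.
key_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: create_agent_sa NAME OUTPUT_FILE
create_agent_sa() {
    name=$1
    out=$2
    master=${MASTER_KEY_FILE:-master-sa.json}
    if [ -z "${OWNING_TEAM:-}" ]; then
        echo "OWNING_TEAM is not set" >&2
        return 1
    fi
    # The master credentials can mint further service accounts, so stop
    # if other local users could have read or replaced the file.
    if ! key_file_is_private "$master"; then
        echo "refusing to use $master: missing, or accessible to group/others" >&2
        return 1
    fi
    # Run venctl in a subshell with a restrictive umask so the new
    # credentials file is never created with wider permissions.
    (
        umask 077
        venctl iam service-account agent create \
            --name "$name" \
            --output secret \
            --output-file "$out" \
            --owning-team "$OWNING_TEAM" \
            --auth.key-file "$master"
    ) || return 1
    # Confirm the result before the pipeline hands it to later stages.
    key_file_is_private "$out"
}
```

In a pipeline, call it as `create_agent_sa "my-agent-sa" agent-credentials.json` after the master credentials file has been written from the pipeline's secret store with mode 600.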


For more information on Venafi CLI tool service account commands, see service account commands.