Creating service accounts dynamically
In automated systems, such as CI/CD pipelines, you may need to generate service accounts dynamically for the Discovery Agent deployed on your Kubernetes cluster.
To do this, you must first create a master service account with the svcaccount-write scope using the CLI tool for CyberArk Certificate Manager. A master service account enables API clients and the CLI tool for CyberArk Certificate Manager to then create other service accounts with different scopes as required.
Follow the steps below to create a master service account, and then use it to create another service account dynamically.
Step 1: Create a master service account with the svcaccount-write scope
- If you haven't done so yet, download and install the CLI tool for CyberArk Certificate Manager.
- Use the following command to create a master service account and store the service account credentials in a master-sa.json file:
venctl iam service-accounts custom-integration create --api-key XYZ --name "my-master-sa" --scopes svcaccount-write --output-file master-sa.json
Info
For instructions on how to get hold of your API key, see Obtaining your API key.
Step 2: Use the master service account to create other service accounts
Once you have created a master service account as shown above, you can create other service accounts by passing the master service account credentials to the --auth.key-file flag of the relevant venctl iam service-accounts create command, as in the following example:
venctl iam service-accounts agent create --name "my-agent-sa" --output secret --output-file agent-credentials.json --owning-team XYZ --auth.key-file master-sa.json
Extend the life of a service account
If you have a service account that has expired, or is about to expire, you can extend its lifespan. In order for a service account to be updated, it must have been created by a master account (see the section above).
Note
There can be only one "parent" for each service account, and one master service account cannot become the parent of a child service account it did not create. If the master service account isn't the "parent", you will see the following error message:
WRN The provided parent service account may not be the parent of the child service account. updatedBy may not reflect actual ownership; operation will proceed but may fail.
There are two ways to supply the master service account credentials: a JSON file that contains the client_id and private_key fields, or a PEM-encoded private key file together with the master service account's client ID.
Once you have a master service account created, you can then extend the lifespan of its pre-existing child service accounts by passing the master service account credentials to the --auth.key-file flag in the relevant venctl iam service-accounts update command and adding the --validity flag, as in the following examples:
venctl iam service-accounts update SERVICE_ACCOUNT_ID \
--auth.key-file master-sa.json \
--validity 365
Sample JSON file:
{
"client_id": "MASTER_SERVICE_ACCOUNT_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\n< some private key string >\n-----END PRIVATE KEY-----\n"
}
Alternatively, you can also use a private key file:
venctl iam service-accounts update SERVICE_ACCOUNT_ID \
--auth.key-file master.key \
--auth.client-id MASTER_SERVICE_ACCOUNT_ID \
--validity 365
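As an added example that is not part of this page or of the venctl tool itself, the following Python shows how a CI job might assemble the --auth.key-file JSON document in the shape of the sample above from a client ID and a PEM key held as CI secrets, write it with owner-only permissions, sanity-check it before handing it to venctl, and build the argv for venctl iam service-accounts update in either of the two forms shown (JSON key file, or PEM file plus --auth.client-id). The PEM body below is a constructed placeholder, not a real key, and the function names are the example's own, not venctl's.

```python
import json
import os
import stat
from typing import Dict, List, Optional

PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"

# Constructed placeholder: the shape of a PEM block, not a usable private key.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "CONSTRUCTEDPLACEHOLDERKEYMATERIALNOTAREALKEY0000000000000000\n"
    "-----END PRIVATE KEY-----"
)


def build_auth_key_file(client_id: str, private_key_pem: str) -> Dict[str, str]:
    """Assemble the JSON document venctl reads from --auth.key-file.

    The sample on the page has exactly two fields, client_id and private_key;
    the PEM newlines are stored as real newlines so json.dump escapes them as \\n.
    """
    if not client_id:
        raise ValueError("client_id must not be empty")
    pem = private_key_pem.strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        raise ValueError("private_key must be a PEM block delimited by BEGIN/END PRIVATE KEY")
    return {"client_id": client_id, "private_key": pem + "\n"}


def write_auth_key_file(path: str, client_id: str, private_key_pem: str) -> str:
    """Write the key file with mode 0600 so other users on the CI runner cannot read it."""
    doc = build_auth_key_file(client_id, private_key_pem)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    os.chmod(path, 0o600)  # tighten the mode even if the file already existed
    return path


def validate_auth_key_file(path: str) -> List[str]:
    """Return a list of problems found; an empty list means the file looks usable."""
    problems: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("file mode %o is readable by group or other" % mode)
    try:
        with open(path) as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value is not an object"]
    for field in ("client_id", "private_key"):
        if not isinstance(doc.get(field), str) or not doc[field]:
            problems.append("missing or empty field: " + field)
    key = doc.get("private_key")
    if isinstance(key, str) and key and (PEM_BEGIN not in key or PEM_END not in key):
        problems.append("private_key is not a PEM PRIVATE KEY block")
    return problems


def update_command(service_account_id: str, validity_days: int,
                   key_file: str, client_id: Optional[str] = None) -> List[str]:
    """Build argv for 'venctl iam service-accounts update' in either auth form.

    With client_id=None the key_file is the JSON document; with a client_id the
    key_file is a PEM private key and --auth.client-id names the master account.
    """
    if validity_days <= 0:
        raise ValueError("validity_days must be positive")
    argv = ["venctl", "iam", "service-accounts", "update", service_account_id,
            "--auth.key-file", key_file]
    if client_id is not None:
        argv += ["--auth.client-id", client_id]
    argv += ["--validity", str(validity_days)]
    return argv


if __name__ == "__main__":
    path = write_auth_key_file("master-sa.json", "MASTER_SERVICE_ACCOUNT_ID", SAMPLE_PEM)
    print("problems:", validate_auth_key_file(path))
    print(" ".join(update_command("SERVICE_ACCOUNT_ID", 365, path)))
```

Run validate_auth_key_file before invoking venctl in a pipeline step so a malformed or world-readable credential file fails the job early rather than surfacing as an authentication error, and pass the returned argv to subprocess.run as a list so the client ID and paths are never re-parsed by a shell.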
Info
For more information on CLI tool for CyberArk Certificate Manager service account commands, see service account commands.