Authenticate using a service account
Service accounts allow the CyberArk Code Sign Client to authenticate as a machine identity rather than a user. This is the recommended approach for automated signing environments such as CI/CD pipelines or build servers.
Because the service account setup requires interaction with the CyberArk Certificate Manager – SaaS UI, the full procedure is documented in the main product documentation.
For the complete end-to-end process, see the service account authentication tutorial.
Before you begin
- An administrator has created a service account for Code Sign Manager
- You are a member of the service account’s Owning Team
- The service account is assigned as an Authorized Signer on at least one Project
- The Code Sign Client is installed on the signing machine
How service account authentication works
Here is a high-level view of the workflow, regardless of platform:
- An administrator configures the Project, Signing Key, Team, and service account.
- The Code Sign Client generates a key pair on the signing machine.
- You paste the public key into the service account configuration in Certificate Manager – SaaS.
- Certificate Manager – SaaS issues a Client ID for the service account.
- You provide this Client ID to the Code Sign Client.
- The client authenticates using the Client ID and the locally stored private key.
After these steps, the Code Sign Client is authenticated as the service account.
Authenticate the service account
The detailed configuration steps are provided in the main documentation, as they require UI interaction. See Using a service account for complete setup and authentication instructions.
Once the UI configuration is finished, the Code Sign Client can authenticate and begin syncing Signing Keys.
What's next
After authenticating using a service account, you can:
- List available Signing Keys with
pkcs11config list - Perform a test signing
- Integrate with signing applications