A Scripted Approach for Creating and Using Service Accounts in ForgeRock Identity Cloud

By Darinder Shokar
Originally posted on https://medium.com/@darinder.shokar


In this blog I’ll present a scripted approach for Service Account creation and use in ForgeRock Identity Cloud. However, before I do let’s discuss a little context for the why and how:

Many customers want to manage the configuration they apply to ForgeRock Identity Cloud as code from a central repository and push via a CI/CD pipeline. This approach has multiple benefits:

  • Single repository to manage — Configuration is typically stored in a single central repository which eases management for config additions, modifies, deletes and long term maintenance.
  • Standardised configuration — As all config is central, it is far easier to define and enforce standards for code, testing, etc.
  • Traceability — Customers need to adapt to an ever changing landscape often, which means they need the agility to apply new or change existing configuration often. This introduces risk. A single repo for config, which is standardised and tested enables rapid for issue identification, isolation and remediation, thus greatly reducing both the likelihood and impact of config change going wrong.

The enabler for this approach and methodology in ForgeRock Identity Cloud is Service Accounts.

This a new feature to pragmatically request scoped access tokens to call API endpoints without relying on a human user identity in the system. Token generation is based on standards; in this case the OAuth2 JWT_Bearer standard and scopes ensure only the necessary permissions are assigned to each access token.

To get a more detailed background of Service Accounts in ForgeRock Identity Cloud, check out this link.

Scripted Approach

Now we have an understanding of Service Accounts lets dive into how to create a service account, use it to generate a tightly scoped access token and then use this access token to call ForgeRock Identity Cloud APIs — all via a single script!

The script is located on Github here.

In order to execute and for segregation of duties reasons the script must be executed with a Tenant Admin user’s access token. For example:

./service_accounts.sh eyJ0eXAiOiJKV...

To acquire this Tenant Admin access token, the easiest way is to inspect the browser Developer Tools on login to ForgeRock Identity Cloud as a Tenant Admin and look for the Authorization: Bearer header in the Network Request calls and copy the JWT token to somewhere safe.

The output from executing the script with a valid tenant admin access token will look like this:

Script Breakdown

Here’s a breakdown of the various functions:

Checks — The script requires openSSL, jq and jose installed on the target system. The opensslCheck, jqCheck and joseCheck functions verify presence and exit if not found. Ensure they tools are deployed before executing the script.

createServiceAccount — This function creates a Service Account in a ForgeRock Identity Cloud tenant. It creates an RSA256 Private Key JWK using the jose tool on disk, provisions a service account in ForgeRock Identity Cloud called my_service_account with fr:am:* fr:idm:* fr:idc:esv:* scopes defined using this JWK and on success stores the immutable _id value of the account to a file on disk for later use.

Note: Be sure to re-use a Service Account rather than creating a new one on every execution of the script by commenting out the createServiceAccount function on line 144 after the first run.

After execution, from the ForgeRock Platform Admin UI > Top right drop down > Tenant settings > Service Accounts, you’ll see our new Service Account listed:

getAccessToken — This function checks the Service Account _id (account_id.txt) and private key JWK (<tenant>.jwk) files are present on disk before acquiring an access token scoped to fr:am:* fr:idm:* fr:idc:esv:* by executing the OAuth2 JWT_Bearer flow.

callIDM — This function calls an IDM endpoint to retrieve a single user via the Service Account access token to demonstrate usage.

callAM — This function calls an AM endpoint to retrieve the configuration for the AM validation service to demonstrate usage.


So there you have it, a scripted approach to create and use Service Accounts in ForgeRock Identity Cloud to power managing configuration as code for CI/CD pipelines.

The great thing about ForgeRock Identity Cloud is it is constantly evolving to add cool new features and capabilities with zero downtime or engineering effort from the customer. They log out on Monday and login on Monday and suddently there’s this cool new thing to play with :)

Look out for more blogs on the latest and greatest coming soon and thanks for reading!

More from Darinder Shokar