How To Configure Service Credentials (Push Auth, Docker) in Backstage
This guide describes how to set up service credentials in Backstage to enable Push Authentication for AM and to pull customer-only Docker images provided by ForgeRock.
Service Credential Types
Service Credentials in Backstage are API keys for different cloud-based services. Currently, there are two credential types:
- AWS (Push Auth) — This credential type corresponds to an Amazon Web Services API key. It is used for accessing Amazon’s Simple Notification Service, which powers the Push Auth mechanism in Ping Access Management.
- GCP (Docker) — This credential type corresponds to a Google Cloud Platform Service Account Key, which can be used to pull images from Ping’s Docker image registry hosted in GCP (gcr.io). Certain images hosted by ForgeRock require customers to authenticate with a key.
If your subscription includes Push Auth or products that require authorized Docker access, these options will be enabled in the Service Credentials area on the Subscription Settings page in Backstage at Account > Subscriptions > (Subscription) > Service Credentials.
Create an AWS (Push Auth) Credential
If your subscription includes Push Authentication for Ping Access Management, you can create AWS credentials in Backstage.
- Navigate to Account > Subscriptions.
- Find your subscription on the list and click Details.
- Select the Service Credentials tab.
- Click Create on the Push Authentication card.
- Select the mobile application that you want to create a credential for. Currently, the ForgeRock app and PingID app are supported (PingID should be preferred for use with newer versions of PingAM).
- Enter a description in the dialog.
- Click Create.
- A key will be created in AWS. The details will be displayed in the dialog.
- Click Download as JSON to download these details in JSON format for your records. This information is also stored in Backstage, except for the secret.
The secret is not stored in Backstage. Make sure to save it, otherwise you won’t be able to retrieve it again. If you lose your secret, you will have to create a new credential to replace it.
You can now use these details to configure ForgeRock Access Management, as described in the documentation:
Create a GCP (Docker) Credential
If your subscription includes a product that can be downloaded as a Docker image and requires authentication (e.g. Autonomous Identity and Access), you can create GCP Service Account Keys to authenticate with Docker.
- Navigate to Account > Subscriptions.
- Find your subscription on the list and click Details.
- Select the Service Credentials tab.
- Click Create on the Docker card.
- Enter a description in the dialog.
- Click Create.
- A key will be created in GCP. The details will be displayed in the dialog.
- Click Download JSON key to download the key file.
The key is not stored in Backstage. Make sure to save it, otherwise you won’t be able to retrieve it again. If you lose your secret, you will have to create a new credential to replace it.
You can now use the JSON key to configure your Docker client, e.g. use gcloud (the GCP command line tools) to activate the service account and then to configure Docker:
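An added example, not taken from the original page or from ForgeRock: a shell wrapper that checks the downloaded key file before running the two gcloud steps named above (activate the service account, then configure Docker). The file name backstage-docker-key.json, the --run switch and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not ForgeRock/Ping code). The default key file name is an assumption.

# check_key_file FILE: succeed only if FILE looks like a GCP service account
# key and is readable by its owner alone.
check_key_file() {
  key=$1
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  # A service account key declares "type": "service_account" and carries
  # the account's client_email and private_key.
  for field in '"type"[[:space:]]*:[[:space:]]*"service_account"' \
               '"client_email"[[:space:]]*:' '"private_key"[[:space:]]*:'; do
    grep -Eq "$field" "$key" || { echo "not a service account key: $key" >&2; return 1; }
  done
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  mode=$(ls -ld -- "$key" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "key readable by others, run: chmod 600 $key" >&2; return 1; }
}

# configure_docker FILE: activate the service account, then register gcloud
# as the Docker credential helper for gcr.io.
configure_docker() {
  check_key_file "$1" || return 1
  gcloud auth activate-service-account --key-file="$1" || return 1
  gcloud auth configure-docker gcr.io --quiet
}

# Run only when called as: ./script.sh --run [key file]
if [ "${1:-}" = "--run" ]; then
  configure_docker "${2:-./backstage-docker-key.json}"
fi
```

Because the key cannot be retrieved from Backstage again, keep the file out of version control and out of image build contexts.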