Best IAM Solutions for Managing Multi-Cloud Service Accounts

Asked By CuriousCat123 On

I'm looking for advice on IAM solutions for managing our service accounts across multiple clouds, specifically AWS, Azure, and GCP. We have over 2000 service accounts with a mix of IAM roles, service principals, and workload identities, as well as Kubernetes clusters that utilize pod identities. Unfortunately, we don't have a centralized inventory or a rotation policy in place.

Our requirements include automated discovery of machine identities, credential rotation without any downtime for applications, least privilege recommendations based on actual usage, and integration with our existing CI/CD processes like Jenkins and GitHub Actions. Ideally, we want an API-first architecture.

We've taken a look at a few options. CyberArk seems powerful but might be overkill and too expensive for what we need. HashiCorp Vault looks promising but would require significant operational overhead. Using AWS Secrets Manager in conjunction with Azure Key Vault is an option, but it doesn't feel unified across our environments.

Crucially, we want to avoid agent-based solutions and don't want to implement any changes to our application code. Additionally, anything that takes six months to implement isn't feasible for our timeline. What are other enterprises using for machine identity lifecycle management at scale? We're specifically not looking for PAM solutions for human users.

4 Answers

Answered By IdentityNerd On

Have you looked into Keycloak? It might be worth checking out for your needs!

Answered By CloudNinja42 On

You might want to standardize on one source of truth for user accounts and utilize OIDC to connect the clouds. This method worked well for us between Google and AWS, but I see your setup is a bit more intricate.

Answered By TechGuru77 On

Have you considered using workload identity and federation for cross-cloud interactions? We successfully used these methods while migrating our cloud environments. It allowed us to maintain backward compatibility and easily call resources in previous setups without relying on static credentials. Basically, it helps avoid the hassle of managing long-lived keys!

CloudWhiz -

Absolutely! The key part is discovering what accounts and permissions are in play. Without a proper audit of what exists and its actual usage, you're just federating chaos.

Answered By IAMExpertZ On

Many enterprises are opting for federated workload identities like AWS IRSA, Azure Workload Identity, and GCP WIF to eliminate long-lived secrets. Coupling that with a central governance layer that is API-friendly could help you streamline machine identity management. If you're looking for something simpler and faster to deploy, check out some lightweight PAM solutions for centralized credential vaulting and policy-based rotation. Just make sure to validate that they don't require code changes and adhere to downtime-free practices!
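As an added example (not from the thread or any vendor), here is a small Python audit of IRSA-style trust policies: it checks whether each role that federates with a cluster OIDC provider actually pins the Kubernetes service account (`:sub`) and token audience (`:aud`), which is the least-privilege detail that the discovery step above has to surface. The sample policies, account number and OIDC provider id are constructed placeholders.

```python
"""Audit AWS IAM trust policies for IRSA (IAM Roles for Service Accounts).

Added example, not from the original thread. Input is the shape that
iam:GetRole returns in AssumeRolePolicyDocument; the sample below is
constructed, with a placeholder account id and cluster OIDC provider.
"""
from typing import Dict, List

OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID"  # placeholder
PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"   # placeholder

SAMPLE_ROLES = {
    # Pinned to one namespace/service account and to the STS audience.
    "payments-api": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:payments:payments-api",
            f"{OIDC}:aud": "sts.amazonaws.com"}}}]},
    # Wildcard subject and no audience check: any pod in the cluster qualifies.
    "legacy-batch": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC}:sub": "system:serviceaccount:*:*"}}}]},
}


def audit_trust_policy(policy: dict) -> List[str]:
    """Return findings for one trust policy; an empty list means federation is pinned."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Flatten every condition operator (StringEquals, StringLike, ...) into key -> value.
        cond = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        sub = next((v for k, v in cond.items() if k.endswith(":sub")), None)
        aud = next((v for k, v in cond.items() if k.endswith(":aud")), None)
        if sub is None:
            findings.append("no :sub condition: any service account on the provider may assume the role")
        elif "*" in str(sub):
            findings.append(f"wildcard :sub {sub!r}: not pinned to one namespace/service account")
        if aud is None:
            findings.append("no :aud condition: token audience is not checked")
    return findings


def audit_roles(roles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map role name -> findings, the form a discovery job would write to inventory."""
    return {name: audit_trust_policy(policy) for name, policy in roles.items()}
```

Feeding it real `AssumeRolePolicyDocument` output from an inventory job gives a per-role list of federation gaps without touching application code or running an agent.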
