I recently discovered a huge number of active service accounts—600 to be exact! A worrying half of them have keys that are older than two years, and we're unsure which pipelines or bots still use them. We rotate these keys manually, but only when we remember, and revocation can take days. I've noticed that non-human identities now outnumber human ones in many companies. I've seen that some successful teams use a central identity platform for managing these accounts, which issues short-lived certificates, enforces just-in-time access, and provides real-time tracking. I'm looking for details from teams that manage service accounts effectively: What platform do you use? How many non-human identities do you currently manage? What's the average credential lifetime, and what's your monthly cost per identity? This information will help determine our project's budget for the next quarter. Thanks for your insights!
4 Answers
I generally avoid using keys unless it’s absolutely necessary, which is becoming rare. I prefer using federated credentials for everything. If keys are needed, I automate the rotation so I don’t have to worry about it anymore.
HashiCorp Vault is a solid option. They have a dedicated sales team that can help answer your inquiries if you reach out to them.
That might work for on-prem setups, but cloud providers usually have built-in services that handle this without the extra costs and maintenance.
We use Entra AD with Just-In-Time Privileged Identity Management for users, and service accounts use elevated built-in permission groups. Check out this link for more details: https://learn.microsoft.com/en-us/entra/architecture/secure-service-accounts
This issue is more about process than technology. Just relying on memory isn't sustainable. Try creating a shared spreadsheet listing every service account, who owns it, and when the credentials were last updated. Set up a monthly task to rotate expired credentials—that should be manageable and it gives you a solid control for audits. For automation, you could use HashiCorp Vault or look into the secret services offered by big Cloud providers.
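As an added example (not code from any reply in this thread), here is a small Python audit that works off the kind of inventory the answer above describes: it parses a constructed CSV of accounts, owners, key-creation dates and last-use dates, flags keys older than a hypothetical maximum age, accounts with no recorded owner and keys with no observed use, and counts how many keys exceed two years, which is the figure the question is worried about.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (not real data): one row per service account key.
INVENTORY_CSV = """account,owner,key_created,last_used
ci-deploy-prod,platform-team,2021-03-14,2024-05-01
bi-etl-nightly,,2022-11-30,2024-04-28
legacy-backup-bot,ops,2019-07-02,
monitoring-agent,sre,2024-03-01,2024-05-02
"""

MAX_KEY_AGE_DAYS = 90      # hypothetical rotation policy, not from the thread
TWO_YEARS_DAYS = 730       # the threshold the question complains about


def parse_inventory(text):
    """Read the CSV inventory; empty last_used means the key was never seen in use."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["key_created"] = datetime.strptime(row["key_created"], "%Y-%m-%d").date()
        row["last_used"] = (datetime.strptime(row["last_used"], "%Y-%m-%d").date()
                            if row["last_used"] else None)
        rows.append(row)
    return rows


def audit(rows, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (account, [issues]) for every account that needs attention."""
    findings = []
    for r in rows:
        age = (today - r["key_created"]).days
        issues = []
        if age > max_age_days:
            issues.append(f"key is {age} days old, policy allows {max_age_days}")
        if not r["owner"]:
            issues.append("no owner recorded; nobody to approve rotation")
        if r["last_used"] is None:
            issues.append("no observed use; candidate for revocation rather than rotation")
        if issues:
            findings.append((r["account"], issues))
    return findings


def summarize(rows, today):
    """Headline numbers for the audit report."""
    ages = [(today - r["key_created"]).days for r in rows]
    return {"total": len(rows),
            "older_than_two_years": sum(a > TWO_YEARS_DAYS for a in ages),
            "oldest_key_days": max(ages)}
```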

OIDC all the way!