
The DfE technical guidance and its content is intended for internal use by the DfE community.

Service accounts

Service accounts are user accounts on systems such as GitHub and Azure that are usually required by automation. They are deliberately not tied to a human user, so that the automation does not stop when that user is offboarded. This means their credentials have to be shared, so care must be taken to share them securely.

  • For non-email-based credentials such as Azure service principals, add the keys to the production key vault protected by PIM.
  • For email-based credentials such as Azure, GitHub and Docker Hub accounts, a useful pattern is a shared email address. It provides a unique email address used to register the account against the system. The human owners of the service account are made members of the shared email and are therefore able to reset the password. See below.

Shared email

Outlook distribution list

This creates a new email address; when emails are sent to it, the members of the distribution list receive them in their own inboxes. To create one, use the Distribution Lists ServiceNow form.

Outlook shared mailbox

This creates a mailbox that can be shared with multiple users. It appears as a separate mailbox in Outlook and emails are stored there. Create a shared mailbox using the service portal form.

GitHub account

Request a new user from Digital tools.

2-factor authentication is mandated; it should be registered on a civil servant device. Recovery codes are generated and may be used by other developers to log in. Each recovery code works only once, so once codes have been consumed, generate a new set and replace the stored copy.

A Personal Access Token (PAT) can then be generated and used in automation. Give it only the scopes the automation needs and set an expiry date.

The password, recovery codes and PATs should be kept in your production Azure key vault.
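The steps above (password, recovery codes and PAT, all written to the production key vault) as an added example script. This is not DfE tooling or part of the original page. It assumes the caller is already signed in with an identity whose PIM-activated role can write secrets to the vault, and the secret-name scheme, tag keys and content types used here are conventions chosen for this example, not a DfE standard. The in-memory store lets the procedure be rehearsed offline before pointing it at a real vault.

```python
"""Store the credentials of a shared GitHub service account in Azure Key Vault.

Added example, not DfE tooling. Assumptions (not stated on the page): the caller
is signed in with an identity whose PIM-activated role can write secrets to the
production vault; the secret-name scheme, tag keys and content types below are
conventions chosen for this example.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Protocol

# Key Vault secret names: 1-127 characters, alphanumerics and dashes only.
SECRET_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")


class SecretWriter(Protocol):
    """The one method of azure.keyvault.secrets.SecretClient used below."""

    def set_secret(self, name: str, value: str, **kwargs): ...


class InMemorySecretStore:
    """Stand-in for SecretClient so the procedure can be rehearsed offline."""

    def __init__(self) -> None:
        self.secrets: dict[str, tuple[str, dict]] = {}

    def set_secret(self, name: str, value: str, **kwargs):
        self.secrets[name] = (value, kwargs)


def vault_client(vault_url: str) -> SecretWriter:
    """Real client; imported lazily so the rest of the module works without the SDK."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


def secret_name(system: str, account: str, kind: str) -> str:
    """Derive a Key Vault-compliant name such as 'github-ci-bot-pat'.

    Characters Key Vault rejects (e.g. '.', '_', '@') are turned into dashes.
    """
    raw = f"{system}-{account}-{kind}".lower()
    name = re.sub(r"[^0-9a-z-]+", "-", raw).strip("-")
    if not SECRET_NAME_RE.match(name):
        raise ValueError(f"cannot derive a valid secret name from {raw!r}")
    return name


def store_github_service_account(
    client: SecretWriter,
    account: str,
    owner_mailbox: str,
    password: str,
    recovery_codes: list[str],
    pat: str,
    pat_expires_on: datetime,
) -> dict[str, str]:
    """Write password, recovery codes and PAT as three separate secrets.

    Returns {kind: secret name} so the caller can record where each item lives.
    """
    if not recovery_codes:
        raise ValueError("recovery codes are required; without them a lost 2FA device locks everyone out")
    if not pat.startswith(("ghp_", "github_pat_")):
        raise ValueError("value does not look like a GitHub PAT")
    if pat_expires_on.tzinfo is None or pat_expires_on <= datetime.now(timezone.utc):
        raise ValueError("PAT expiry must be a timezone-aware datetime in the future")

    # Tags let the vault be audited for who owns the account and what it is for.
    tags = {"system": "github", "account": account, "owner": owner_mailbox}
    names = {
        "password": secret_name("github", account, "password"),
        "recovery-codes": secret_name("github", account, "recovery-codes"),
        "pat": secret_name("github", account, "pat"),
    }
    client.set_secret(names["password"], password, content_type="github-password", tags=tags)
    # One code per line; each GitHub recovery code works once, so the stored set
    # must be replaced whenever codes are consumed.
    client.set_secret(names["recovery-codes"], "\n".join(recovery_codes),
                      content_type="github-recovery-codes", tags=tags)
    # Recording the PAT expiry on the secret lets it be listed before it lapses.
    client.set_secret(names["pat"], pat, content_type="github-pat", tags=tags,
                      expires_on=pat_expires_on)
    return names


if __name__ == "__main__":
    # Offline rehearsal with constructed placeholder values (not real credentials).
    store = InMemorySecretStore()
    stored = store_github_service_account(
        store, "ci.bot", "ci-bot@example.gov.uk", "placeholder-password",
        ["aaaaa-bbbbb", "ccccc-ddddd"], "ghp_placeholder",
        datetime(2099, 1, 1, tzinfo=timezone.utc),
    )
    for kind, name in stored.items():
        print(kind, "->", name, "expires", store.secrets[name][1].get("expires_on"))
```

To write to a real vault, replace `InMemorySecretStore()` with `vault_client("https://<vault-name>.vault.azure.net/")`; the `set_secret` keyword arguments used here (`content_type`, `tags`, `expires_on`) are those of the azure-keyvault-secrets `SecretClient`.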

Docker Hub account

Request a new user from Digital tools.

The password should be kept in your production Azure key vault.

Azure service principal

See instructions in CIP to create the service principal and how to use it.