Service accounts
Service accounts are user accounts on systems such as GitHub and Azure that are usually required by automation. They are deliberately not tied to a human user, so that the automation does not stop when that user is offboarded. This means their credentials must be shared, so care should be taken to share them in a secure way.
- For non-email-based credentials like Azure service principals, add the keys to the production key vault protected by PIM.
- For email-based credentials like Azure, GitHub and Docker Hub accounts, a useful pattern is a shared email. It provides a unique email address used to register the account against the system. The human owners of the service account are made members of the shared email and are therefore able to reset the password. See below.
Shared email
Outlook distribution list
This creates a new email address; when emails are sent to it, every member of the distribution list receives them in their own inbox. To create one, use the Distribution Lists ServiceNow form.
Outlook shared mailbox
This creates a mailbox that can be shared with multiple users. It is displayed separately in Outlook and the emails are stored in that mailbox rather than in the members' inboxes. Create a shared mailbox using the ServiceNow form.
Github account
Request a new user from Digital tools.
2-factor authentication is mandated; it should be registered on a civil servant device. Recovery codes are generated and may be used by other developers to log in.
A Personal Access Token (PAT) can then be generated and used in automation.
The password, recovery codes and PATs should be kept in your production Azure key vault.
DockerHub account
Request a new user from Digital tools.
The password should be kept in your production Azure key vault.
Azure service principal
See instructions in CIP to create the service principal and how to use it.