Machine Identity

Secure authentication and authorization for automated systems, services, and applications in enterprise environments.

Service Accounts

Dedicated accounts for applications and automated processes:

Creating Service Accounts

# Create a new service account
authsec service-account create \
  --name my-service \
  --description "API service for order processing" \
  --permissions "read:orders,write:orders"

Managing Service Account Permissions

Service accounts support granular permission assignment:

  • Read permissions: Access to view resources
  • Write permissions: Ability to modify resources
  • Admin permissions: Full control over specific domains
  • Custom roles: Define organization-specific roles
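The permission model above (read, write, admin and custom roles) is easier to reason about when written out as an evaluator. The following is an added example, not the authsec permission engine; the meaning of `read:<domain>`, `write:<domain>` and `admin:<domain>`, the custom-role catalogue and the role names in it are assumptions made for illustration. It also includes a least-privilege review function, which goes beyond the page's list by flagging grants a workload does not actually use.

```python
"""Permission evaluation for the read / write / admin / custom-role model.
Added example: the authsec permission engine itself is not shown on this
page, so these semantics are assumptions:
  read:<domain>   view resources in <domain>
  write:<domain>  modify resources in <domain>
  admin:<domain>  every action in <domain>
  <role-name>     a custom role expanding to a set of the above
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

ACTIONS = {"read", "write"}

# Constructed custom-role catalogue; the role names are hypothetical.
CUSTOM_ROLES: Dict[str, FrozenSet[str]] = {
    "order-auditor": frozenset({"read:orders", "read:audit"}),
    "order-admin": frozenset({"admin:orders"}),
}


def parse_permissions(spec: str) -> Set[str]:
    """Expand a --permissions value such as "read:orders,write:orders" into a
    set of "<action>:<domain>" strings, resolving custom role names.
    Malformed entries raise instead of being silently ignored."""
    granted: Set[str] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            action, domain = item.split(":", 1)
            if action not in ACTIONS | {"admin"} or not domain:
                raise ValueError(f"malformed permission: {item!r}")
            granted.add(f"{action}:{domain}")
        elif item in CUSTOM_ROLES:
            granted |= CUSTOM_ROLES[item]
        else:
            raise ValueError(f"unknown role: {item!r}")
    return granted


def is_allowed(granted: Set[str], action: str, domain: str) -> bool:
    """Deny by default: an action is permitted only by an exact grant or by
    admin on the same domain. Unknown actions never match anything."""
    if action not in ACTIONS:
        return False
    return f"{action}:{domain}" in granted or f"admin:{domain}" in granted


def excess_permissions(granted: Set[str],
                       required: Iterable[Tuple[str, str]]) -> Set[str]:
    """Least-privilege review: return grants the workload does not need.
    admin:<domain> counts as needed only when both read and write on that
    domain are required; otherwise it is over-provisioning."""
    needed = {f"{action}:{domain}" for action, domain in required}
    excess: Set[str] = set()
    for perm in granted:
        action, domain = perm.split(":", 1)
        if action == "admin":
            if not {f"read:{domain}", f"write:{domain}"} <= needed:
                excess.add(perm)
        elif perm not in needed:
            excess.add(perm)
    return excess


if __name__ == "__main__":
    grants = parse_permissions("read:orders,write:orders")
    print(is_allowed(grants, "write", "orders"))            # True
    print(excess_permissions(grants, [("read", "orders")]))  # {'write:orders'}
```

Running `excess_permissions` against what a service actually calls is a cheap way to apply the "principle of least privilege" item from the best-practices list to existing accounts.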

API Authentication

Secure service-to-service communication using one of the following methods:

OAuth 2.0 Client Credentials

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=service_123&client_secret=secret_key
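To show what happens on both ends of the request above, here is a minimal client-credentials exchange in Python. It is an added example and not the authsec token endpoint: the in-memory client registry, storing only a salted PBKDF2 hash of each client secret, the constant-time comparison, and the HMAC-signed token format are assumptions chosen for illustration. The `client_id` and `client_secret` values are the page's sample values.

```python
"""Client-credentials exchange (RFC 6749 section 4.4) with both sides shown.
Added example, not the authsec token endpoint: the client registry, the
salted-hash secret storage and the HMAC-signed token format are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

ACCESS_TOKEN_LIFETIME = 3600             # seconds; 1h, as in the rotation policy later on the page
SIGNING_KEY = b"constructed-signing-key"  # constructed; a real key lives in a secret store
_SALT = b"constructed-salt"              # constructed; use a per-client salt in practice


def _hash_secret(secret: str) -> bytes:
    # Store only a slow hash of the client secret so a registry leak is not a credential leak.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)


# Constructed client registry keyed by client_id.
CLIENTS = {
    "service_123": {"secret_hash": _hash_secret("secret_key"),
                    "scopes": {"read:orders", "write:orders"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_request(client_id: str, client_secret: str, scope: str = "") -> str:
    """Client side: the form body of POST /oauth/token."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}
    if scope:
        form["scope"] = scope
    return urlencode(form)


def token_endpoint(body: str, now: Optional[float] = None) -> dict:
    """Authorization server side: authenticate the client, then issue a token."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = _hash_secret(form.get("client_secret", ""))
    # Compare against a dummy of equal length when the client is unknown, so the
    # response time does not reveal which client_ids exist.
    expected = client["secret_hash"] if client else bytes(len(presented))
    if not hmac.compare_digest(presented, expected) or client is None:
        return {"error": "invalid_client"}
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return {"error": "invalid_scope"}   # never widen scope beyond the registration
    payload = {"sub": form["client_id"], "scope": sorted(requested),
               "iat": int(now), "exp": int(now) + ACCESS_TOKEN_LIFETIME,
               "jti": secrets.token_hex(8)}
    body_b64 = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body_b64.encode(), hashlib.sha256).digest()
    return {"access_token": f"{body_b64}.{_b64(sig)}", "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_LIFETIME, "scope": " ".join(sorted(requested))}


def verify_access_token(token: str, required_scope: str,
                        now: Optional[float] = None) -> Optional[str]:
    """Resource server side: return the client_id if the signature, expiry and
    scope all check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, body_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig_b64), expected):
            return None
        payload = json.loads(_unb64(body_b64))
    except ValueError:   # malformed token (bad split, bad base64, bad JSON)
        return None
    if payload["exp"] <= now or required_scope not in payload["scope"]:
        return None
    return payload["sub"]


if __name__ == "__main__":
    resp = token_endpoint(client_request("service_123", "secret_key"))
    print(verify_access_token(resp["access_token"], "read:orders"))  # service_123
```

Note that the secret travels in the request body exactly as on the page; the transport (TLS) is what protects it in flight, and the server never stores it in clear.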

API Keys

Generate and manage API keys for service authentication:

# Generate API key
authsec api-key generate \
  --service my-service \
  --expires 2025-12-31 \
  --scopes "api:read,api:write"

Certificate-Based Authentication

Use X.509 certificates for stronger, key-based service authentication:

Certificate Requirements

  • RSA or ECDSA key pairs (2048-bit minimum for RSA)
  • Valid certificate chain
  • Certificate revocation checking enabled
  • Regular certificate rotation (recommended: 90 days)

Certificate Enrollment

# Request certificate
authsec certificate request \
  --service my-service \
  --key-type RSA \
  --key-size 2048 \
  --validity 90

Token Management

Advanced token lifecycle management for enterprise deployments:

Token Types

  • Access Tokens: Short-lived tokens for API access
  • Refresh Tokens: Long-lived tokens for token renewal
  • Service Tokens: Dedicated tokens for service authentication
  • Custom Tokens: Organization-specific token formats

Token Rotation

Automated token rotation limits how long any single token remains usable. The policy below defines token lifetimes, how often rotation runs, and the grace period after a rotation:

{
  "rotationPolicy": {
    "accessTokenLifetime": "1h",
    "refreshTokenLifetime": "30d",
    "rotationInterval": "24h",
    "gracePeriod": "5m"
  }
}
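The policy is only as good as the logic that interprets it, so here is an added Python example (not authsec's implementation) that parses the document above and walks through one rotation cycle. The policy keys are the page's; what each key means, in particular that a superseded refresh token stays accepted for `gracePeriod` and then is rejected, and that the absolute `refreshTokenLifetime` overrides any grace, are assumptions stated in the code.

```python
"""Interpretation of the rotationPolicy document. Added example (not
authsec's implementation): the policy keys are the page's, the semantics
are assumptions:
  - an access token is valid for accessTokenLifetime after it is issued
  - a refresh token is valid for at most refreshTokenLifetime and is replaced
    every rotationInterval
  - after a rotation the superseded refresh token is still accepted for
    gracePeriod so in-flight requests do not fail, then it is rejected
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

POLICY_JSON = """
{
  "rotationPolicy": {
    "accessTokenLifetime": "1h",
    "refreshTokenLifetime": "30d",
    "rotationInterval": "24h",
    "gracePeriod": "5m"
  }
}
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse "1h", "30d", "5m" style durations; reject anything else loudly."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def load_policy(doc: str) -> Dict[str, timedelta]:
    """Load and sanity-check the policy: a grace period longer than the
    rotation interval would keep two refresh tokens live permanently."""
    raw = json.loads(doc)["rotationPolicy"]
    policy = {key: parse_duration(value) for key, value in raw.items()}
    if policy["gracePeriod"] >= policy["rotationInterval"]:
        raise ValueError("gracePeriod must be shorter than rotationInterval")
    return policy


def access_token_valid(policy, issued_at: datetime, now: datetime) -> bool:
    return issued_at <= now < issued_at + policy["accessTokenLifetime"]


def refresh_rotation_due(policy, refresh_issued_at: datetime, now: datetime) -> bool:
    return now >= refresh_issued_at + policy["rotationInterval"]


def refresh_token_accepted(policy, refresh_issued_at: datetime,
                           superseded_at: Optional[datetime], now: datetime) -> bool:
    """superseded_at is when a newer refresh token replaced this one (None if current)."""
    if not refresh_issued_at <= now < refresh_issued_at + policy["refreshTokenLifetime"]:
        return False            # absolute lifetime wins over any grace period
    if superseded_at is None:
        return True
    return now < superseded_at + policy["gracePeriod"]


def rotation_timeline() -> Dict[str, bool]:
    """Walk one rotation cycle at fixed (constructed) instants and report what
    each check says; useful for verifying a policy before deploying it."""
    policy = load_policy(POLICY_JSON)
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    rotated = t0 + policy["rotationInterval"]
    return {
        "access_ok_at_59m": access_token_valid(policy, t0, t0 + timedelta(minutes=59)),
        "access_ok_at_60m": access_token_valid(policy, t0, t0 + timedelta(hours=1)),
        "rotation_due_at_23h": refresh_rotation_due(policy, t0, t0 + timedelta(hours=23)),
        "rotation_due_at_24h": refresh_rotation_due(policy, t0, rotated),
        "old_refresh_ok_4m_after_rotation":
            refresh_token_accepted(policy, t0, rotated, rotated + timedelta(minutes=4)),
        "old_refresh_ok_5m_after_rotation":
            refresh_token_accepted(policy, t0, rotated, rotated + timedelta(minutes=5)),
        "refresh_ok_at_30d": refresh_token_accepted(policy, t0, None, t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, ok in rotation_timeline().items():
        print(f"{name}: {ok}")
```

The `load_policy` sanity check is the part worth keeping in any real deployment: a misconfigured grace period silently turns rotation into a no-op.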

Security Best Practices

  1. Principle of Least Privilege: Grant minimal required permissions
  2. Regular Key Rotation: Rotate credentials every 90 days
  3. Monitor Usage: Track service account activity
  4. Secure Storage: Use dedicated secret management systems
  5. Audit Logging: Enable comprehensive audit trails

Integration Examples

Kubernetes Service Accounts

apiVersion: v1
kind: ServiceAccount
metadata:
  name: authsec-service
  namespace: production
automountServiceAccountToken: false
secrets:
  - name: authsec-token

Docker Container Authentication

FROM node:18-alpine
# Client certificate used by the authsec SDK inside the container
COPY authsec-cert.pem /app/cert.pem
# Tell the SDK where the certificate is and which service identity to present
ENV AUTHSEC_CERT_PATH=/app/cert.pem
ENV AUTHSEC_SERVICE_NAME=my-container-service

Monitoring and Alerts

Configure monitoring for machine identity activities:

  • Authentication failures
  • Permission violations
  • Certificate expiration warnings
  • Unusual access patterns
  • Token usage statistics
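The five signals in this list map directly onto detection rules. The following is an added example that runs such rules over a constructed JSON-lines audit log; it is not authsec tooling, and the event field names, the thresholds (three failures in five minutes, a 14-day certificate warning) and the per-service source-address baseline are all assumptions made for the example.

```python
"""Detection logic for the monitoring signals listed above, run over a
constructed audit log. Added example: the JSON-lines event shape, thresholds
and source baseline are assumptions; the authsec audit format is not
documented on this page."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

FAILURE_THRESHOLD = 3                      # failures per service ...
FAILURE_WINDOW = timedelta(minutes=5)      # ... within this sliding window
CERT_EXPIRY_WARNING = timedelta(days=14)   # warn when a presented cert expires sooner than this

# Constructed baseline of where each service normally authenticates from.
BASELINE_SOURCES: Dict[str, Set[str]] = {"svc-orders": {"10.0.1.5"},
                                         "svc-billing": {"10.0.2.7"}}
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)   # constructed "current time"

# Constructed sample events (one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2025-06-10T10:00:00Z", "type": "auth", "service": "svc-orders", "src": "10.0.1.5", "result": "failure"}
{"ts": "2025-06-10T10:01:00Z", "type": "auth", "service": "svc-orders", "src": "10.0.1.5", "result": "failure"}
{"ts": "2025-06-10T10:02:30Z", "type": "auth", "service": "svc-orders", "src": "10.0.1.5", "result": "failure"}
{"ts": "2025-06-10T10:03:00Z", "type": "auth", "service": "svc-orders", "src": "10.0.1.5", "result": "success", "cert_not_after": "2025-06-20T00:00:00Z"}
{"ts": "2025-06-10T10:04:00Z", "type": "access", "service": "svc-orders", "src": "10.0.1.5", "token_id": "t-001", "action": "write:users", "result": "denied"}
{"ts": "2025-06-10T10:05:00Z", "type": "access", "service": "svc-orders", "src": "10.0.1.5", "token_id": "t-001", "action": "read:orders", "result": "allowed"}
{"ts": "2025-06-10T10:06:00Z", "type": "auth", "service": "svc-billing", "src": "10.0.2.7", "result": "failure"}
{"ts": "2025-06-10T10:07:00Z", "type": "access", "service": "svc-billing", "src": "203.0.113.9", "token_id": "t-002", "action": "read:invoices", "result": "allowed"}
"""


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return events


def _alert(kind: str, service: str, detail: str) -> dict:
    return {"kind": kind, "service": service, "detail": detail}


def detect(events: List[dict], now: datetime = NOW,
           baseline: Dict[str, Set[str]] = BASELINE_SOURCES) -> Tuple[List[dict], Dict[str, int]]:
    """Return (alerts, token_usage_per_service). Events must be in time order."""
    alerts: List[dict] = []
    failures: Dict[str, deque] = defaultdict(deque)   # sliding window of failure times
    burst_reported: Set[str] = set()                  # one burst alert per service
    usage: Dict[str, int] = defaultdict(int)
    for e in events:
        svc = e["service"]
        # 1. Authentication failures: a burst within the sliding window
        if e["type"] == "auth" and e["result"] == "failure":
            window = failures[svc]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and svc not in burst_reported:
                burst_reported.add(svc)
                alerts.append(_alert("auth_failure_burst", svc,
                                     f"{len(window)} failures within {FAILURE_WINDOW}"))
        # 2. Permission violations: any denied action
        if e.get("result") == "denied":
            alerts.append(_alert("permission_violation", svc, e.get("action", "?")))
        # 3. Certificate expiration warnings on the certificate actually presented
        if "cert_not_after" in e:
            remaining = parse_ts(e["cert_not_after"]) - now
            if remaining <= CERT_EXPIRY_WARNING:
                alerts.append(_alert("certificate_expiring", svc, f"{remaining.days} days left"))
        # 4. Unusual access patterns: source address outside the service's baseline
        if svc in baseline and e.get("src") not in baseline[svc]:
            alerts.append(_alert("unusual_source", svc, e.get("src", "?")))
        # 5. Token usage statistics: requests authenticated with a token
        if "token_id" in e:
            usage[svc] += 1
    return alerts, dict(usage)


def run_detection() -> Tuple[List[dict], Dict[str, int]]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    found, stats = run_detection()
    for a in found:
        print(a)
    print(stats)
```

The source baseline is the rule most likely to need tuning: for workloads behind NAT or a service mesh, key it on the workload identity the mesh asserts rather than on the raw address.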

Troubleshooting

Common Issues

  • Certificate validation errors: Check certificate chain and revocation status
  • Token expiration: Implement automatic token refresh
  • Permission denied: Verify service account roles and permissions
  • Network connectivity: Ensure proper firewall and proxy configuration

Diagnostic Commands

# Check service account status
authsec service-account status --name my-service

# Validate certificate
authsec certificate validate --cert cert.pem

# Test API authentication
authsec api test --endpoint /api/v1/orders --method GET