
Machine Accounts

note

As of the 2024.4.1 release, service accounts are now referred to as machine accounts in Bitwarden Secrets Manager. All of the feature functionality will remain the same.

Machine accounts represent non-human machine users, like applications or deployment pipelines, that require programmatic access to a discrete set of secrets. Machine accounts are used to:

  • Appropriately scope the selection of secrets a machine user has access to.

  • Issue access tokens that grant programmatic access to those secrets, including the ability to decrypt, edit, and create them.

Machine accounts that your user account has access to can be viewed by selecting Machine accounts from the navigation:

Machine accounts

Opening a machine account will list the Secrets and People the machine account has access to, as well as any generated Access tokens and Event logs:

Inside a machine account

Create a machine account

On the Admin Console Billing → Subscription page you are able to assign the number of machine accounts available for use in your organization. For additional information regarding your available machine accounts and machine account scaling, see here.

To create a new machine account:

  1. Use the New dropdown to select Machine account:

    New machine account
  2. Enter a Machine account name and select Save.

  3. Open the machine account and, in the Projects tab, type or select the name of the project(s) that this machine account should be able to access. For each added project, select a level of Permissions:

    • Can read: Machine account can retrieve secrets from assigned projects.

    • Can read, write: Machine account can retrieve and edit secrets from assigned projects, create new secrets in assigned projects, or create new projects altogether.

tip

Fully utilizing write access for machine accounts is dependent on a forthcoming CLI release. For now, this simply makes the option available in the UI. Stay tuned to the Release Notes for more information.

Add people to a machine account

Adding organization members to a machine account will allow those people to generate access tokens for the machine account and interact with all secrets the machine account has access to. To add people to your machine account:

  1. In the machine account, select the People tab.

  2. From the people dropdown, type or select the members or groups to add to the machine account. Once you've selected the right people, select the Add button:

    Add people to a machine account

Add projects to a machine account

Adding projects to a machine account will allow programmatic access to included secrets using access tokens. To add projects to a machine account:

  1. Open the machine account and select the Projects tab.

  2. From the Projects dropdown, type or select the project(s) to add to the machine account. Once you've chosen the right projects, select the Add button:

    Add a project
  3. For each added project, select a level of Permissions:

    • Can read: Machine account can retrieve secrets from assigned projects.

    • Can read, write: Machine account can retrieve and edit secrets from assigned projects, as well as create new secrets in assigned projects or create new projects.

Delete a machine account

To delete a machine account, open the options menu for the machine account you want to delete and select Delete machine account. Deleting a machine account will not delete the secrets associated with it. Machine accounts are fully removed once deleted and do not get sent to the trash like secrets do.

Machine account events

Timestamped records of actions taken with each machine account are available from the machine account's Event logs tab:

Machine account events

Any user that has access to a given machine account will be able to view events for that machine account. Events that are captured include:

  • Accessed secret secret-identifier. (2100)

note

Each Event is associated with a type code (1000, 1001, etc.) that identifies the action captured by the event. Type codes are used by the Bitwarden Public API to identify the action documented by an event.

Event logs are exportable and are retained indefinitely. Exporting events will create a .csv of all events within the specified date range, which should not exceed 367 days.
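As an added example (not part of the Bitwarden documentation or its tooling), the script below shows how a defender can review an exported event .csv: it keeps only type 2100 "Accessed secret" events and flags any secret read by a machine account that is outside the set that account is expected to use. The sample export and the column names (date, type, message, machine_account) are constructed for illustration and should be checked against a real export.

```python
import csv
import io
import re
from collections import Counter

# Type code from the page: an "Accessed secret <identifier>" event is 2100.
EVENT_SECRET_ACCESSED = 2100
ACCESS_MSG = re.compile(r"Accessed secret (\S+)\.")

# Constructed sample export (not a real Bitwarden file). Column names are
# assumed for illustration; verify them against a real export before use.
SAMPLE_EXPORT = """\
date,type,message,machine_account
2024-05-01T09:00:12Z,2100,Accessed secret db-password.,ci-deploy
2024-05-01T09:00:13Z,2100,Accessed secret api-key.,ci-deploy
2024-05-01T23:41:07Z,2100,Accessed secret db-password.,ci-deploy
2024-05-01T23:41:08Z,2100,Accessed secret prod-signing-key.,ci-deploy
2024-05-02T10:15:00Z,2100,Accessed secret db-password.,ci-deploy
"""

# Secrets each machine account is expected to read (constructed allowlist).
EXPECTED = {"ci-deploy": {"db-password", "api-key"}}


def parse_secret_accesses(csv_text):
    """Return (timestamp, machine_account, secret_id) for every 2100 event."""
    accesses = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["type"]) != EVENT_SECRET_ACCESSED:
            continue
        match = ACCESS_MSG.search(row["message"])
        if match:
            accesses.append((row["date"], row["machine_account"], match.group(1)))
    return accesses


def unexpected_accesses(accesses, expected):
    """Reads of secrets outside the machine account's expected set.

    A machine account whose projects are scoped wider than its job needs
    shows up here: it can read the secret, but its normal workload should not.
    """
    return [a for a in accesses if a[2] not in expected.get(a[1], set())]


def access_counts(accesses):
    """How often each (machine_account, secret_id) pair was read."""
    return Counter((acct, secret) for _, acct, secret in accesses)


if __name__ == "__main__":
    events = parse_secret_accesses(SAMPLE_EXPORT)
    for ts, acct, secret in unexpected_accesses(events, EXPECTED):
        print(f"{ts}: {acct} read {secret}, which is outside its expected set")
    print(access_counts(events))
```

Any hit from unexpected_accesses is a prompt to narrow the machine account's project assignments or to rotate the secret, depending on what the pipeline actually needed.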

Configuration information

The Config tab provides a quick view of information that might be required when configuring an application to use a machine account. Identity server URL, API server URL, Organization ID, and Project IDs are displayed and can be copied by selecting each field's respective icon. For more information on Secrets Manager environments, see the Secrets Manager SDK documentation and CLI documentation.

Machine account config view
