Dynamic Providers and Accounts Configuration

Dynamic providers are privileged identities that allow DevOps Secrets Safe to authenticate into cloud environments and create dynamic accounts.

There are no dynamic providers enabled by default. You can configure dynamic providers for Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure.

Once you configure a dynamic provider, you must create dynamic account definitions to define the privileges that are delegated to future dynamic accounts.

Once a dynamic provider and dynamic account definition have been created, you can generate new dynamic accounts, thereby creating new principals in the cloud environment. Deleting these dynamic accounts in DevOps Secrets Safe causes deletion of the associated principals from the cloud provider.

Important Notes

  • Because dynamic account functions interact with cloud environments, bulk operations' performance is often tied directly to the cloud environment's ability to complete operations.
  • Because dynamic accounts are backed by actual cloud principals, the objects DevOps Secrets Safe creates count toward quotas in the cloud environment.
  • Because dynamic providers and account definitions depend on cloud objects such as roles and access keys, do not modify these objects in the cloud environment without making corresponding updates to DevOps Secrets Safe entities.
  • The security boundary of a created dynamic account principal within the cloud provider is governed only by what is specified in the account definition and through any manual actions in the cloud provider. No additional security measures are imposed on the cloud principal by DevOps Secrets Safe to prevent privilege escalation.