Just-in-Time Access in Non-Human Identities, Explained

Common misconception: service accounts and automated bots can be treated like human users, so giving them long‑lived credentials is safe. In reality, just-in-time access is the only safe way to grant permissions to non‑human identities. The correction is that static secrets amplify the risk and make lateral movement trivial.

Why static credentials are dangerous for machines

Most teams create a service account, embed its API key or password in a CI pipeline, and grant it broad read‑write permissions across several environments. The credential rarely rotates, and the same secret is reused by dozens of jobs. When a breach occurs, the attacker inherits that secret and can walk unchecked through every system that the account touches. There is often no audit trail of which job issued which command, no way to mask sensitive fields in logs, and no real approval step before a destructive operation runs.

The missing piece: just-in-time access for non-human identities

What organizations really need is a mechanism that issues short‑lived, context‑bound tokens to bots and service accounts at the moment they need to act. The token should carry the minimal set of permissions required for that single request. This approach limits blast radius, forces a fresh identity check for every operation, and makes revocation trivial. However, even with a just‑in‑time token, the request still travels directly to the target system. The gateway that could enforce policy, such as masking data, requiring an approval, or recording the session, remains absent.

Key design considerations for non‑human just‑in‑time access

When you adopt a just‑in‑time model for service accounts, keep these points in mind. First, define a clear token‑lifetime policy; tokens should expire as soon as the operation completes. Second, scope the token to the exact resource and operation needed, avoid broad role assignments that defeat the purpose of short‑lived credentials. Third, integrate the token‑issuance step into your CI/CD pipeline so that the request for a token is auditable and can be gated by policy. Fourth, pair the token with an approval workflow for high‑risk actions; this adds a human decision point without slowing down routine automation. Finally, ensure that any failure to obtain a token results in an immediate denial, rather than falling back to a stored static secret.

How hoop.dev provides the enforcement layer

hoop.dev sits in the data path between the identity provider and the infrastructure resource. It verifies the just‑in‑time token, then proxies the connection to the target database, Kubernetes cluster, SSH host, or HTTP service. Because the gateway is the only point where traffic passes, hoop.dev can enforce every control required for non‑human identities:

• Just‑in‑time approval: before a privileged command reaches the backend, hoop.dev can route the request to a human approver and block execution until consent is recorded.
• Inline data masking: responses that contain secrets or PII are stripped or redacted in real time, preventing accidental leakage into logs.
• Session recording and replay: every interaction is captured, providing a complete audit trail that can be reviewed during incident response.
• Command‑level blocking: dangerous statements such as DROP DATABASE or sudo rm -rf are identified and prevented before they execute.

All of these outcomes exist only because hoop.dev occupies the gateway position. The setup, OIDC or SAML authentication, role‑based group membership, and service‑account provisioning, decides who may request access, but it does not enforce the policy. The enforcement happens exclusively in the data path, and hoop.dev is the active component that makes it happen.

Getting started with hoop.dev

Because hoop.dev is open source and MIT licensed, teams can self‑host the gateway in their own network. The quick‑start guide walks you through deploying the Docker Compose stack, registering a service account as a connection, and enabling just‑in‑time approvals. Detailed documentation for each connector, PostgreSQL, Kubernetes, SSH, and more, is available in the learning center. For a hands‑on walkthrough, see the getting‑started page.

FAQ

Do I need to modify my existing CI pipelines?

No. Once hoop.dev is in place, pipelines simply point their client (psql, kubectl, ssh) at the gateway address. The gateway handles credential injection and policy enforcement without code changes.

Can I still use existing service‑account keys?

Yes, but hoop.dev recommends converting them to short‑lived tokens that are minted on demand. The gateway will reject any request that presents an expired or over‑privileged token.

Is the audit data stored securely?

hoop.dev records each session for later review and audit, capturing the request, any approval decision, and any masking that was applied. This creates a verifiable evidence trail without exposing raw credentials.

Explore the source code and contribute on GitHub.