Non-Human Identities: A Practical Guide

When dealing with non-human identity, an offboarded contractor’s CI job kept querying a production database with a service‑account token that never expired. The token had broad read‑write rights, and no one noticed the job running after the contractor left. The same pattern repeats when a nightly batch process uses a hard‑coded API key that can access dozens of internal services. Those are classic examples of how non‑human identities are often managed today: static credentials stored in code repositories, over‑scoped tokens granted to automation, and no visibility into what the automated actors actually do.

Teams recognize the need for tighter control. They start by issuing short‑lived tokens, moving secrets to vaults, and defining role‑based permissions for each service account. Those steps constitute the setup, the identity layer that decides who the request is and whether it may start. However, the setup alone does not stop a compromised token from issuing a destructive command, nor does it provide a record of every query the automation performed.

Why the data path matters for non‑human identity security

The real enforcement point must sit on the network path between the automated client and the target resource. Only a gateway that inspects traffic can apply real‑time decisions such as:

Blocking commands that match a deny list before they reach the database.
Routing risky queries to a human approver for explicit consent.
Masking sensitive fields in responses so that logs never contain raw credit‑card numbers or personal identifiers.
Recording the full session for replay and audit, ensuring that every SELECT, UPDATE, or SSH command is traceable to a specific service account and token.

These outcomes exist only because the gateway sits in the data path. Without that interception point, the request would travel directly from the automation runner to the target, bypassing any guardrails.

Introducing hoop.dev as the enforcement gateway

hoop.dev fulfills the architectural requirement of a Layer 7 gateway that proxies connections for databases, Kubernetes, SSH, RDP, and internal HTTP services. By placing hoop.dev between the non‑human identity and the infrastructure, it becomes the active enforcer of policy.

When a CI pipeline authenticates via OIDC, hoop.dev validates the token, extracts the service‑account identity, and then applies the configured policies. For each request it:

Records each session so auditors can replay exactly what the automation did.
Applies inline masking to hide sensitive columns before they are written to logs.
Enforces just‑in‑time approval for operations that exceed the baseline privilege set.
Blocks disallowed commands in real time, preventing accidental data loss.

Because hoop.dev is the only component that sees the clear‑text traffic, the enforcement outcomes are guaranteed to happen regardless of how the service account was provisioned. If the token were stolen, hoop.dev would still block prohibited actions and record the attempt.

Continue reading? Get the full guide.

Non-Human Identity Management + Managed Identities: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How to adopt hoop.dev for non‑human identities

Start with the standard deployment model: run the gateway and its agent close to the target resource, using Docker Compose for a quick test or Kubernetes for production. Register each automated workload as a connection, attaching the appropriate short‑lived credential or IAM role. Configure OIDC providers such as Okta or Azure AD so that hoop.dev can verify the service‑account token.

Next, define policies that reflect the principle of least privilege. For a database, allow only SELECT on specific schemas and deny any DDL statements. For a Kubernetes exec session, restrict the command set to read‑only kubectl verbs. Enable masking for columns that contain PII, and turn on session recording for every connection.

All of these steps are described in the getting‑started guide and the broader learn section. The repository contains the full source code and example configurations.

FAQ

Do I need to change my existing CI pipelines?

No. hoop.dev works with standard clients such as psql, kubectl, or ssh. The pipeline simply points to the gateway endpoint instead of the raw target address.

What happens if a service account is compromised?

hoop.dev will still enforce the defined policies. The compromised token can be used to authenticate, but any disallowed command will be blocked and the attempt will be logged.

Is session data stored securely?

Session recordings are written to a storage backend chosen by the operator. hoop.dev ensures that only authorized personnel can retrieve the recordings, and the recordings include the identity that initiated the session.

By treating non‑human identities as first‑class citizens in the access control model and inserting hoop.dev as the enforcement point, teams can achieve true least‑privilege automation without sacrificing visibility or control.

Explore the open‑source repository on GitHub to get started.