Non-human identity: what it means for your audit trail (on Azure)

How do you prove what an automated job or service account actually did when it talks to your Azure resources?

Non‑human identities, service principals, managed identities, CI/CD agents, and other programmatic actors, are the backbone of modern cloud workloads. They let pipelines spin up databases, push containers, and run health checks without a human at the keyboard. Because they are created and rotated by scripts, they often outlive the code that launched them, and their credentials are stored in vaults or configuration files that multiple teams can read.

An audit trail that records every request, every query, and every response is essential for compliance, incident response, and cost control. Regulators and auditors ask for immutable evidence that shows who accessed what, when, and why. When a human logs in, you can usually tie the session to a user name and a MFA event. When a service principal runs, that link is blurred unless you capture the request at the point where the identity is exercised.

Why audit trail matters for non‑human identity

Without a reliable audit trail, a rogue script can exfiltrate data, delete tables, or spin up expensive resources while the organization remains blind. The problem is amplified on Azure because many services support managed identity, a token that the platform hands to the workload automatically. The token is valid for the lifetime of the VM or container, and any code running inside can use it to call other services. If the token is compromised, every downstream call appears to come from a trusted Azure resource, making forensic analysis difficult.

Most teams rely on Azure Activity Log or resource‑specific logs, but those logs often miss the fine‑grained commands that a database or Kubernetes API receives. A SQL query that filters customer records, a kubectl exec that reads a secret file, or an SSH command that modifies a configuration file may never surface in the platform audit. The result is a gap between what the cloud reports and what actually happened inside the service.

Current state: direct connections without central visibility

In many organizations, a service principal is granted a role that spans multiple subscriptions or resource groups. The principal’s credentials are stored in a secret store, and developers embed the secret in CI pipelines. When the pipeline runs, the job connects straight to the target, PostgreSQL, Kubernetes, or an SSH host, using the credential. The connection bypasses any intermediary that could inspect or record the traffic. The setup provides the needed access, but it leaves three critical gaps:

• There is no single point where you can enforce masking or block dangerous commands.
• The request reaches the target directly, so the platform cannot attach its own audit events.
• Even if the target logs the request, the log does not include the originating identity in a way that ties back to the service principal.

These gaps mean the audit trail is incomplete, and you cannot prove that a particular automated job performed a specific action.

Where enforcement must happen: the data path

The only reliable way to capture a complete audit trail is to place a guard at the protocol layer, between the identity and the resource. That guard must inspect every packet, record the request and response, and optionally mask sensitive fields before they reach the client. It also needs to enforce just‑in‑time approvals for risky operations. Because the guard sits in the data path, it can guarantee that no request bypasses logging or policy checks.

This is exactly what hoop.dev provides. hoop.dev is a Layer 7 gateway that proxies connections to databases, Kubernetes clusters, SSH hosts, and HTTP services. It authenticates users and non‑human identities via Azure‑issued OIDC tokens, reads the token’s group claims, and then decides whether to allow the request. Once the request is authorized, hoop.dev forwards it to the target while simultaneously recording the full session, applying inline data masking, and optionally routing the command to a human approver.

How hoop.dev creates a trustworthy audit trail for service principals

When a CI job presents its Azure service principal token to hoop.dev, the gateway validates the token, extracts the principal’s identity, and checks the policy attached to that identity. If the policy permits the operation, hoop.dev opens a session, forwards the traffic, and records the session details, capturing:

• The exact timestamp of the request.
• The service principal’s client ID and any group membership.
• The full command or query that was sent.
• The response, with any configured masking applied.

Because hoop.dev is the only component that sees the raw traffic, the audit trail it generates is complete and cannot be altered by the target service or by the calling job. The recorded session can be replayed for forensic analysis, and the logs can be exported to SIEMs or compliance tools.

Benefits beyond logging

While the primary goal is a reliable audit trail, hoop.dev also adds other safeguards that are especially valuable for non‑human identities:

• Just‑in‑time access: A pipeline can request elevated privileges for a single command, and hoop.dev can require a human approver before forwarding the request.
• Inline masking: Sensitive fields such as credit‑card numbers or personal identifiers can be redacted from the response before they reach logs or downstream systems.
• Command blocking: Dangerous statements such as DROP DATABASE can be rejected automatically.

All of these controls are enforced at the data path, meaning the target service never sees the unapproved command or the unmasked data.

Getting started

To protect your Azure service principals with hoop.dev, start with the getting‑started guide. It walks you through deploying the gateway, configuring OIDC with Azure AD, and registering a resource such as PostgreSQL or a Kubernetes cluster. The learn section provides deeper coverage of policy authoring, session replay, and data masking.

FAQ

Q: Does hoop.dev replace Azure Activity Log?
A: No. hoop.dev complements Azure logs by capturing the exact request payloads and responses that Azure’s platform‑level logs may omit.

Q: Can I use hoop.dev with Azure Managed Identities?
A: Yes. hoop.dev validates the OIDC token issued to the managed identity and applies the same session‑recording and masking logic.

Q: Is the audit data stored securely?
A: hoop.dev writes session records to a storage backend you configure. The gateway never exposes raw credentials to the client, and the logs can be sent to tamper‑evident storage of your choice.

By placing a Layer 7 gateway between your service principals and Azure resources, you gain a verifiable audit trail that ties every automated action to a specific identity and policy decision.

Ready to see the full implementation? Visit the hoop.dev GitHub repository and start protecting your non‑human identities today.