Non-human identity: what it means for your blast radius (on Azure)

Every extra service principal that can reach a database, storage account, or Kubernetes cluster multiplies the potential fallout of a breach, and the cost of a larger blast radius can quickly eclipse any short‑term convenience.

Teams that rely on non‑human identities often start by creating Azure AD applications with broad permissions, storing client secrets in plain text, and reusing the same credential across many pipelines. The result is a sprawling attack surface where a single compromised secret gives an attacker unfettered access to every downstream system the identity touches.

In practice, engineers grant these service accounts admin‑level roles on resource groups, enable them to run arbitrary CLI commands, and never enforce per‑request approvals. The connections go straight from the automation job to the target service. No central point watches the traffic, no inline data masking protects sensitive fields, and no audit log captures the exact commands that were executed. The organization therefore lacks visibility into who did what and cannot limit the blast radius when something goes wrong.

Why a dedicated non‑human identity model is not enough

Moving from shared passwords to Azure‑managed service principals is a necessary step. It gives a clear identity to every automation job, makes revocation easier, and enables role‑based access control. However, the identity alone does not solve the core problem. The request still travels directly to the target resource, bypassing any enforcement layer that could:

Require just‑in‑time approval for high‑risk operations.
Mask credit‑card numbers, personal identifiers, or API keys that appear in responses.
Record each command and response for forensic replay.
Block dangerous commands before they reach the backend.

Without a data‑path gate, the blast radius remains as wide as the permissions granted to the service principal.

hoop.dev as the data‑path enforcement point

hoop.dev is an open‑source Layer 7 gateway that sits between non‑human identities and Azure resources. It acts as an identity‑aware proxy, inspecting traffic at the protocol level and applying policy before the request reaches the target.

When a service principal authenticates via OIDC, hoop.dev verifies the token, extracts group membership, and then decides whether the request may proceed. The gateway enforces the following outcomes:

Session recording: hoop.dev records each interaction, creating a replayable audit trail that shows exactly what was queried or which command was run.
Inline masking: hoop.dev masks sensitive fields in responses, ensuring that downstream logs or downstream consumers never see raw secrets such as passwords or access keys.
Just‑in‑time approval: for operations that exceed a defined risk threshold, hoop.dev pauses the request and routes it to an authorized approver.
Command blocking: hoop.dev can reject destructive commands such as dropping a database before they are executed.

All of these controls happen inside the data path, meaning they cannot be bypassed by reconfiguring the service principal or by altering the automation code. The enforcement outcomes exist only because hoop.dev sits in the gateway.

Continue reading? Get the full guide.

Non-Human Identity Management + Blast Radius Reduction: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How the three layers work together

Setup. You define a non‑human identity in Azure AD, assign it the minimum roles required for the job, and configure OIDC trust with hoop.dev. This step decides who the request is and whether it may start, but it does not enforce any runtime guardrails.

The data path. The request is routed through hoop.dev. The gateway is the sole place where policy can be applied, because the service principal never contacts the target directly.

Enforcement outcomes. While the request passes through hoop.dev, the gateway records the session, masks sensitive data, asks for approval when needed, and blocks disallowed commands. These outcomes are the concrete mechanisms that shrink the blast radius.

Practical considerations

Implementing this model requires a few operational choices:

Deploy the hoop.dev gateway close to the resources it protects, typically as a Docker Compose stack for development or as a Kubernetes deployment for production.
Use the getting started guide to register Azure resources such as Azure SQL, Azure Kubernetes Service, or Azure Storage as connections.
Define masking policies in the learn section to hide fields like passwords or access keys from downstream logs.

Because hoop.dev holds the credentials for the target service, engineers never see them, reducing the chance of accidental leakage.

FAQ

Does hoop.dev replace Azure RBAC?

No. Azure RBAC still decides which identities exist and what base permissions they have. hoop.dev adds runtime enforcement on top of those permissions.

Can I use hoop.dev with existing CI/CD pipelines?

Yes. Pipelines simply point their database or kubectl clients at the hoop.dev endpoint. The gateway handles authentication, policy, and logging without requiring code changes.

What happens if a service principal is compromised?

Even if the token is stolen, hoop.dev will still enforce approval workflows and command blocking, limiting the attacker’s ability to execute high‑impact actions and therefore containing the blast radius.

By placing a Layer 7 gateway between non‑human identities and Azure resources, you gain the visibility and control needed to keep your blast radius small and your compliance posture strong.

Explore the open‑source repository on GitHub to get started and contribute.