P0 App Documentation

Service-Account Key Rotation


Last updated 1 month ago

For most production cases, P0 recommends configuring service-account authentication using workload identity federation. However, certain third-party systems (such as business intelligence tools) may require access to your production cloud and support access only via static credentials. For these identities, P0 manages credential rotation so that stale credentials do not remain in use.

How it works

  1. You set a credential rotation policy within P0. For example, you may require that credentials are rotated every 30 days, and no credentials are ever more than 40 days old.

  2. P0 uses your Access Inventory to automatically detect credentials that have upcoming rotation due dates.

  3. P0 determines account owners within your organization based on associated resources. For example, P0 might use the technical contact configured in the credential's managing cloud account.

  4. P0 stages updated credentials for each account that needs rotation within a vault you connect, for example AWS KMS, GCP GSM, or HashiCorp Vault.

  5. P0 assigns tickets in your tracking system for owners to update credentials in third-party systems.

  6. When each rotation ticket is closed, P0 revokes the previous credential.
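The following added example is an illustration only, not P0's code or API. It models the steps above as a per-key decision, using the 30-day rotation and 40-day maximum-age policy from step 1. The Key fields, action names, and sample inventory are assumptions constructed for this sketch.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy from the example in step 1 (values taken from the text above).
ROTATE_AFTER = timedelta(days=30)   # rotation becomes due at this age
MAX_AGE = timedelta(days=40)        # no active credential may be older than this


@dataclass
class Key:
    """Hypothetical inventory record for one static credential."""
    key_id: str
    created: date
    replacement_staged: bool = False   # step 4 has happened
    ticket_closed: bool = False        # owner finished step 5


def revoke_deadline(key: Key) -> date:
    """Last day the old key may stay active without breaking the policy."""
    return key.created + MAX_AGE


def next_action(key: Key, today: date) -> str:
    age = today - key.created
    if key.replacement_staged and key.ticket_closed:
        return "revoke"              # step 6: safe to revoke the old key
    if age > MAX_AGE:
        return "violation"           # old key still active past the hard limit
    if age >= ROTATE_AFTER:
        # Steps 2-5: stage a new key and ticket the owner, or wait on the owner.
        return "await_owner" if key.replacement_staged else "stage_and_ticket"
    return "ok"


def plan(keys, today):
    return {k.key_id: next_action(k, today) for k in keys}


# Constructed sample inventory, evaluated as of a constructed date.
TODAY = date(2024, 6, 30)
SAMPLE_KEYS = [
    Key("bi-tool", date(2024, 6, 10)),                       # 20 days old
    Key("etl", date(2024, 5, 31)),                           # 30 days old
    Key("reports", date(2024, 5, 25), True),                 # 36 days, staged
    Key("legacy", date(2024, 5, 15), True),                  # 46 days, ticket open
    Key("crm", date(2024, 5, 28), True, True),               # ticket closed
]

if __name__ == "__main__":
    for key_id, action in plan(SAMPLE_KEYS, TODAY).items():
        print(f"{key_id}: {action}")
```

The gap between the two thresholds is the time an owner has to update the third-party system before the old key breaches the maximum age.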

Getting started with service-account key rotation

Key rotation requires an enterprise P0 license. Contact P0 sales to get started.
