Forum Discussion
Olen
3 days ago, New Member
Service Account Security (feature request)
I just started using service accounts, so forgive me if this has already been discussed. I did not find anything while searching the forum.
A few things that would greatly improve the security of service accounts from the top of my head:
- IP-limits for access
- Alerts (watchtower?) for unauthorized access attempts
I think there should be a way to limit service account access to only certain IP-addresses and environments. My proposal is a combination of pre-defined environments (maintained by 1Password) like
- AWS region XXX, AWS region YYY ...
  - Lists publicly available here: https://ip-ranges.amazonaws.com/ip-ranges.json
- GitHub Actions, GitHub Copilot ...
  - Lists publicly available here: https://api.github.com/meta
- Other relevant environments you can think of
And one should obviously also be able to create private lists of IP-addresses/prefixes (both IPv4 and IPv6) that can be allowed to use a certain service account.
This will seriously limit the amount of damage that can happen IF (when) a service account token is leaked somewhere.
When this is in place, watchtower (or similar functionality) should be able to alert you if someone tries to use a service account from outside the limited environments where it is allowed to be used.
That way, you will immediately be notified if a token might be compromised, and can rotate it.
Of course, if you have limited a service account to only be used from a GitHub Action, and the evil hacker also uses a GitHub Action to access your secrets, you will not know - but that is no worse than the current situation. In the best case, the evil perpetrator will test the token from an invalid location first, so you will be notified and can hopefully act before any other secret data has been compromised.
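The allowlist-plus-alert behaviour the post asks for, sketched as an added Python example. This is not the poster's code and not a 1Password feature: it builds per-account allowlists from payloads shaped like the two public range feeds linked above plus a private prefix list, checks each access against them, and emits the alert the post describes for anything outside. The account names, the key=value log format and all prefixes (documentation ranges, not the real published ones) are constructed for the example.

```python
import ipaddress
import json

# Constructed sample payloads shaped like the two public range feeds the post
# links (https://ip-ranges.amazonaws.com/ip-ranges.json and
# https://api.github.com/meta). The prefixes are documentation ranges, not the
# real published ones, so the script runs offline.
AWS_IP_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "eu-north-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-north-1", "service": "EC2"}
  ]
}
""")

GITHUB_META = json.loads("""
{
  "actions": ["192.0.2.0/25", "2001:db8:2::/48"],
  "web": ["192.0.2.128/25"]
}
""")


def aws_region_networks(ranges, region):
    """All v4 and v6 prefixes AWS publishes for one region."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in ranges["prefixes"] if p["region"] == region]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in ranges["ipv6_prefixes"] if p["region"] == region]
    return nets


def github_networks(meta, product):
    """Prefixes GitHub publishes under one product key, e.g. "actions"."""
    return [ipaddress.ip_network(cidr) for cidr in meta[product]]


def build_policy():
    """Per-service-account allowlist: predefined environments plus private
    prefixes (both v4 and v6). The account names are hypothetical."""
    return {
        "ci-deploy": aws_region_networks(AWS_IP_RANGES, "eu-north-1")
                     + github_networks(GITHUB_META, "actions"),
        "backup-job": [ipaddress.ip_network("10.20.0.0/16"),
                       ipaddress.ip_network("2001:db8:ffff::/64")],
    }


def is_allowed(policy, account, source_ip):
    """True only if the account has an allowlist and the source falls in it.
    An account with no policy entry is denied (fail closed)."""
    addr = ipaddress.ip_address(source_ip)
    # `addr in net` is False when the address family differs, so v4 and v6
    # prefixes can share one list without special-casing.
    return any(addr in net for net in policy.get(account, []))


def evaluate_access_log(policy, lines):
    """Return (account, source_ip) for every access from outside the allowlist;
    each tuple is what the requested alert would carry."""
    alerts = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        account, src = fields["account"], fields["src"]
        if not is_allowed(policy, account, src):
            alerts.append((account, src))
    return alerts


# Constructed access-log lines in a hypothetical "key=value" format; real
# service-account audit events would need their own parser.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z account=ci-deploy src=203.0.113.5 action=vault.read",
    "2024-05-01T10:00:05Z account=ci-deploy src=192.0.2.7 action=vault.read",
    "2024-05-01T10:00:09Z account=ci-deploy src=2001:db8:2::5 action=vault.read",
    "2024-05-01T10:01:00Z account=ci-deploy src=198.51.100.9 action=vault.read",
    "2024-05-01T10:02:00Z account=backup-job src=2001:db8:ffff::1 action=item.get",
    "2024-05-01T10:02:30Z account=backup-job src=192.0.2.7 action=item.get",
    "2024-05-01T10:03:00Z account=legacy-token src=10.20.5.5 action=item.get",
]

if __name__ == "__main__":
    for account, src in evaluate_access_log(build_policy(), SAMPLE_LOG):
        print(f"ALERT: {account} used from {src}, outside its allowed environments")
```

Two design points worth noting: an account with no allowlist entry is denied rather than allowed, so a forgotten policy surfaces as an alert instead of silently passing, and the public range feeds change over time, so a real implementation would refresh them on a schedule rather than embed them as this example does.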