Service Account Best Practices¶
Security and operational guidelines for service accounts.
Security¶
Principle of Least Privilege¶
Only grant minimum required scopes:
Store Secrets Securely¶
```bash
# ✅ Good: read the key from the environment at runtime
export API_KEY="usso_sk_..."
```

```python
# ❌ Bad: hardcoded in source, so it ends up in version control and every build artifact
api_key = "usso_sk_..."  # Don't do this!
```
Rotate Keys Regularly¶
Set up automatic rotation:
```python
import time
import schedule

# create_api_key, update_services and revoke_old_key are placeholders for your own integration.
def rotate_api_key():
    # Issue the replacement first so consumers are never left without a valid key.
    new_key = create_api_key()
    update_services(new_key)
    time.sleep(300)  # Overlap window: wait 5 minutes for every consumer to pick up the new key
    revoke_old_key()

schedule.every(90).days.do(rotate_api_key)

while True:  # schedule only fires jobs when run_pending() is called
    schedule.run_pending()
    time.sleep(3600)
```
Monitoring¶
Log Usage¶
```python
# Structured (key=value) logging, as with structlog; stdlib logging would need extra={...}
logger.info(
    "Service account request",
    agent_id=agent.sub,
    endpoint=request.url.path,
    method=request.method,
)
```
Alert on Anomalies¶
- Sudden spike in requests
- Requests from unexpected IPs
- Failed authentication attempts
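The three signals above, as an added detection example that is not part of the original page: it runs over constructed log records shaped like the logging snippet (the `ip` and `auth_ok` fields, the `svc-*` agent ids and the per-account IP allow-list are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, agent, ip, auth_ok=True, endpoint="/v1/users", method="GET"):
    """Build one log record in the shape the logging snippet above emits
    (constructed sample data; ip and auth_ok are assumed extra fields)."""
    return {"ts": ts, "agent_id": agent, "ip": ip, "auth_ok": auth_ok,
            "endpoint": endpoint, "method": method}

# Constructed sample: a burst from the sync service, one call from an address the
# email worker never uses, and repeated rejected keys for the analytics pipeline.
SAMPLE_LOGS = (
    [rec(f"2024-05-01T10:00:{s:02d}", "svc-data-sync", "10.0.1.5") for s in range(0, 60, 10)]
    + [rec("2024-05-01T10:05:00", "svc-email-worker", "203.0.113.7", endpoint="/v1/mail", method="POST")]
    + [rec(f"2024-05-01T10:10:{s:02d}", "svc-analytics", "10.0.3.2", auth_ok=False) for s in (0, 30, 59)]
)

# Assumed policy: the addresses each service account is expected to call from.
KNOWN_IPS = {"svc-data-sync": {"10.0.1.5"}, "svc-email-worker": {"10.0.2.9"},
             "svc-analytics": {"10.0.3.2"}}

def detect_anomalies(logs, known_ips, window=timedelta(minutes=1),
                     spike_threshold=5, failed_auth_threshold=3):
    """Return (agent_id, reason) alerts for the three signals listed above."""
    alerts = []
    by_agent = defaultdict(list)
    for r in logs:
        by_agent[r["agent_id"]].append(r)
    for agent, recs in by_agent.items():
        times = sorted(datetime.fromisoformat(r["ts"]) for r in recs)
        # Spike: more than spike_threshold requests inside any sliding window.
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > spike_threshold:
                alerts.append((agent, "request spike"))
                break
        # Unexpected IP: any source address outside the agent's allow-list.
        for ip in sorted({r["ip"] for r in recs} - known_ips.get(agent, set())):
            alerts.append((agent, f"unexpected ip {ip}"))
        # Failed auth: repeated rejections suggest a leaked or stale key in use.
        failures = sum(1 for r in recs if not r["auth_ok"])
        if failures >= failed_auth_threshold:
            alerts.append((agent, f"{failures} failed authentications"))
    return alerts

if __name__ == "__main__":
    for agent, reason in detect_anomalies(SAMPLE_LOGS, KNOWN_IPS):
        print(f"ALERT {agent}: {reason}")
```

The thresholds are deliberately low so the constructed sample trips all three rules; in production, derive them from each account's observed baseline.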
Operations¶
Naming Convention¶
```python
# Use descriptive names that say what the account does
"Data Sync Service"
"Email Worker"
"Analytics Pipeline"

# Not generic names that tell an auditor nothing
"Service 1"
"API Key"
```
Document Purpose¶
```json
{
  "name": "Data Sync Service",
  "description": "Syncs user data with CRM every hour",
  "owner": "[email protected]",
  "repository": "https://github.com/company/data-sync"
}
```