Today, we’re excited to announce the initial public release of Keydra: a nifty tool that helps you securely manage your organisation’s service account passwords!


We all know it’s good practice to change our passwords regularly, and we’re used to doing it every month or two (or three!). But why is this important?

  1. Given enough time and processing power, an attacker could eventually guess/brute-force a password.
  2. If a password is stolen (phishing email maybe?), it is only usable for bad until the next change.

Thankfully, in 2021 multi factor authentication (MFA) is becoming more common, which helps reduce the risks of these problems. But what about those passwords that are not generally used by humans, and can’t use MFA?

I’m referring to things like database accounts, credentials used by batch jobs and API calls, even emergency accounts that are kept locked away in the event some sort of failure renders normal logins unavailable.

These need regular changing too.

In some cases it’s even more important — these accounts can sometimes have far greater permissions than your typical user, and are downright dangerous if they get into the wrong hands!

If you’ve worked in a role with access to these types of accounts, you’ll know they are not always well managed. As part of general development, maintenance and troubleshooting, IT staff tend to share them around, often using email, chat (or in some cases, post it notes!) — and when staff leave an organisation, they can leave with passwords in their heads that are perfectly valid until the next password change cycle.

Your security policies might state that these passwords be changed every X days, but does this actually happen?

Enter Keydra

There are commercial products that can help you with this problem, but not everyone has the money to spend on them, or the significant effort required to implement and maintain them.

Enter Keydra! We developed Keydra to help us solve the problem of machine account management, in a flexible, extensible and lightweight way that doesn’t cost a mint. Now that we’ve been using for a while and it’s feeling a little more polished, we’re open sourcing Keydra so you can use it too!

What does it do? In a nutshell, Keydra rotates (i.e. changes) passwords on a schedule, and distributes them to where they are used.

It supports a variety of secret types, and its modular architecture means adding new integrations is easy — more are being added all the time. And best of all, once Keydra is automatically changing your passwords, it’s trivial to change them WAY more often — like, every day! No more 90 day cycles: if a password is stolen, an attacker has less than 24hrs to use it for badness!

To get you thinking about ways you could use Keydra, here are some typical use cases:

  1. In AWS, rotate an IAM user’s credentials daily, and save the details to a Bitbucket/Github repository (as repo variables/secrets) for use in deployment pipelines.
  2. In Splunk (or Qualys, or Salesforce, or any of the support providers), change a user’s password, and save the details to AWS Secrets Manager. The password can be accessed in an emergency (i.e. Non-SSO break glass account).
  3. In AWS, rotate an IAM user’s credentials, and distribute to the Splunk Add-on for AWS as account configuration to pull AWS data into Splunk.

Check out Keydra, we have plenty of documentation to get to you started!


We hope you find it useful in levelling up your secrets management game!