Authentication is not only for human administrators to interactively log in to computers, network equipment, applications, and IaaS management consoles. Software-based applications and services similarly need to assert their identity to other workloads before being granted access.
Storing IDs and passwords in plain text within code carries significant risk. Any bad actor on the box can quickly discover these credentials, increasing the possibility of privilege abuse and lateral movement.
Application-to-Application Password Management (AAPM) eliminates the need to store credentials in clear text in the application. Instead, developers add API calls to their code that access the vault programmatically and check out the password. The password can be held in application memory and never written to disk. Once the application terminates, the memory is deallocated and the password is gone, leaving nothing for a bad actor to find. Using this approach, the vault secures the credentials and controls access to them. The vault can also automatically rotate passwords as a best practice; since dependent applications now fetch them through API calls, DevOps no longer needs to update code when passwords change.
Note that this is a fundamental approach to AAPM. Other options exist that can further improve security and operational efficiency while reducing risk even more:
Standard approach: AAPM to retrieve a vaulted ID and password;
Better approach: AAPM to retrieve a vaulted ID and SSH key;
Even better approach: AAPM to retrieve ephemeral tokens (e.g., OAuth2); or
Best approach: AAPM using Centrify Delegated Machine Credentials (see definition on this page) and an ephemeral token (e.g., OAuth2).
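The following is an added example, not Centrify's code and not any product's API. It models the standard approach above (a vaulted ID and password checked out at runtime) with a hypothetical in-process vault and managed database, so that the three properties the text claims can be seen: a plain-text credential in source is trivially discoverable by a grep-level scan, the application holds the checked-out password only in memory, and a vault rotation is picked up on the next checkout with no code change. All names (MockVault, MockDatabase, ReportingJob, the account and workload ids) and the sample source file are constructed for this illustration.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# 1. The anti-pattern the page warns about: a credential embedded in source.
# Constructed sample file; the password value is made up.
LEGACY_SOURCE = '''
import psycopg2
DB_USER = "reporting"
DB_PASSWORD = "Summer2023!"   # readable by anyone who can read this file
conn = psycopg2.connect(user=DB_USER, password=DB_PASSWORD)
'''

_CRED_RE = re.compile(r'(?i)(password|passwd|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']')


def find_hardcoded_credentials(source: str) -> list[int]:
    """1-based line numbers that look like plain-text credential assignments.
    A grep-level check only; real secret scanners use many more patterns."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if _CRED_RE.search(line)]


# 2. Hypothetical managed target and vault (stand-ins, not any product's API).
class MockDatabase:
    """The system whose account password the vault manages."""
    def __init__(self) -> None:
        self._creds: dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        self._creds[user] = password

    def login(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self._creds.get(user, ""), password)


@dataclass
class MockVault:
    """In-process model of a vault. The real thing is a separate service reached
    over an authenticated API; that API is what the application would call."""
    _targets: dict[str, tuple[MockDatabase, str]] = field(default_factory=dict)
    _passwords: dict[str, str] = field(default_factory=dict)
    _grants: dict[str, set[str]] = field(default_factory=dict)  # workload -> accounts
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def enroll(self, account: str, db: MockDatabase, user: str,
               allowed_workloads: set[str]) -> None:
        """Register an account; the vault sets the initial password itself."""
        self._targets[account] = (db, user)
        for w in allowed_workloads:
            self._grants.setdefault(w, set()).add(account)
        self.rotate(account)

    def checkout(self, workload_id: str, account: str) -> str:
        """Authorise the caller, record the access, return the current password."""
        if account not in self._grants.get(workload_id, set()):
            self.audit.append((workload_id, account, "DENIED"))
            raise PermissionError(f"{workload_id} may not check out {account}")
        self.audit.append((workload_id, account, "CHECKOUT"))
        return self._passwords[account]

    def rotate(self, account: str) -> None:
        """New random password, pushed to the managed target; dependants get it
        on their next checkout without any code change."""
        db, user = self._targets[account]
        new = secrets.token_urlsafe(24)
        db.set_password(user, new)
        self._passwords[account] = new
        self.audit.append(("vault", account, "ROTATED"))


# 3. The application side of AAPM: nothing secret in code or config files.
class ReportingJob:
    def __init__(self, vault: MockVault, db: MockDatabase,
                 workload_id: str, account: str, user: str) -> None:
        self.vault, self.db = vault, db
        self.workload_id, self.account, self.user = workload_id, account, user

    def run(self) -> bool:
        """Check the password out at the moment of use, use it, drop it."""
        password = self.vault.checkout(self.workload_id, self.account)
        try:
            # Use it immediately; never write it to disk, a log line or long-lived state.
            return self.db.login(self.user, password)
        finally:
            # CPython cannot reliably zero a str, so keep its lifetime short instead.
            del password


def demo() -> dict:
    """Run the scenario end to end and report what happened."""
    db, vault = MockDatabase(), MockVault()
    vault.enroll("prod-db/reporting", db, "reporting", {"reporting-job"})
    job = ReportingJob(vault, db, "reporting-job", "prod-db/reporting", "reporting")
    first = job.run()
    old = vault.checkout("reporting-job", "prod-db/reporting")
    vault.rotate("prod-db/reporting")
    after_rotation = job.run()                 # same code, new password
    old_still_works = db.login("reporting", old)
    try:                                       # a workload without a grant
        ReportingJob(vault, db, "other-svc", "prod-db/reporting", "reporting").run()
        denied = False
    except PermissionError:
        denied = True
    return {"first": first, "after_rotation": after_rotation,
            "old_still_works": old_still_works, "denied": denied,
            "audit": [event for _, _, event in vault.audit]}
```

The vault's audit list is the defender's side of the pattern: every checkout, denial and rotation is attributable to a workload identity, which is exactly what a password pasted into source can never give you. Moving to the better options in the list above changes what `checkout` returns (an SSH key or a short-lived token instead of a password) but not the application-side shape.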