Version: current

What is an Account?

An Account is the identity VaultPAM uses on the target system. The Account is not the same thing as the credential that unlocks it. VaultPAM keeps that distinction explicit so you can rotate credentials, apply policy, and audit use without rebuilding the entire access model.

Account versus credential

  • Account: the login identity on the target, such as root, Administrator, or a named service account.
  • Credential: the password or key that proves ownership of that account.

That separation lets you keep the Account stable while changing the secret underneath it.

Static and just-in-time credentials

Some Safes use a static password that persists across sessions until it is rotated. Others use just-in-time credentials brokered by OpenBao. In the JIT model, VaultPAM requests the secret when the session starts and injects it at the proxy, so the secret never has to pass through a clipboard the user controls.

How VaultPAM delivers the credential

VaultPAM binds the Account to a Safe. When a member launches a session, the connector and proxy handle the credential handoff. The user sees the session, not the password. If the Safe policy blocks clipboard access, the credential remains invisible to the user entirely.

That model reduces the risk of leaked secrets and makes offboarding simpler. You remove access by updating the Safe membership or replacing the Account binding, not by chasing the same password across a dozen systems.