Ah, when I say “our service” I really mean “our software”, although this in general would be an instance managed by the customer themselves. They will authenticate to their instance with some kind of service account that has been synchronised via LDAP.
TBH, it’s not your issue, it was just a good discussion. And yes, this is very much about what is the least bad thing to do. We generally offer scripts to customers to interact with the APIs of their instances of the software. What I personally dislike is encouraging people to place any credentials that may be required by the script in plain text in a file, but if a customer wants to do that, then that is their choice.
Of course, any credential used by any script to authenticate in this way eventually needs to be decrypted to be used. I just personally would like to show something that could be used by a script with little setup that simply encourages people to think about this stuff.
We work a lot with Azure and this is certainly something we will use for some solutions. A local credential store would be a stopgap, but perhaps better than clear text in a file. Running Certify in a user space would be a step forward, IMHO.