# Credentials discovery

With BalkanID, organizations can discover, inventory, and govern credentials across all connected applications as part of **IGA for Non-Human Identities (NHI)**. Credentials include access keys, API keys, service account keys, SSH keys, and other non-human access mechanisms.

Credentials Discovery is the first step in governance. It enables teams to identify where credentials exist, who or what they are associated with, and what level of access they provide.

All discovered credentials are consolidated into a centralized **Credentials tab**, providing visibility into credential usage, ownership, and risk posture.

### **Viewing Credentials**

Users, Risk Managers, and IT Administrators can navigate to the **Credentials tab** from the navigation bar to view all credentials extracted across applications.

Each credential record represents a unique credential and includes metadata, associated identity, usage details, and risk insights.


### **Credential Fields**

The Credentials tab displays the following fields for each credential:

| **Field**                                         | **Description**                                                                                |
| ------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **Credential**                                    | Name of the credential along with its source identifier (e.g., access key ID, API key ID)      |
| **Type**                                          | Type of credential (e.g., access key, API key, service account key, SSH key, OAuth credential) |
| **Associated Identity**                           | The identity that the credential is linked to                                                  |
| **Application**                                   | The integrated application or cloud provider where the credential exists                       |
| **Status**                                        | Current state of the credential (e.g., active, inactive)                                       |
| [**Insights**](#credential-insights-risk-signals) | Risk signals and security findings associated with the credential                              |
| **Created / Last Rotated**                        | Timestamp indicating when the credential was created or last rotated                           |
| **Last Used**                                     | Timestamp indicating when the credential was last used (if available)                          |

#### **Credential Insights (Risk Signals)**

BalkanID automatically evaluates credentials and generates insights to highlight potential security risks.

These insights help identify misconfigurations, stale credentials, and excessive access.

Common insights include:

* **Active credential for inactive identity**\
  Indicates that the parent identity is inactive, but the credential is still active. This presents a critical security risk.
* **Credential extremely old (>180 days)**\
  Credentials that have not been rotated for extended periods are more likely to be compromised.
* **Credential not rotated (>90 days)**\
  Indicates that the credential does not meet recommended rotation policies.
* **Credential unused (>90 days)**\
  Credentials that have not been used recently may be unnecessary and should be reviewed or deactivated.
* **Multiple active credentials**\
  Indicates that an identity has multiple active credentials, increasing the attack surface.

Each insight is accompanied by recommended remediation actions.
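
The insight rules listed above can be expressed as a small evaluator over an exported credential inventory. This is an added example, not BalkanID's own code; the record keys (`name`, `identity`, `identity_active`, `status`, `last_rotated`, `last_used`) and the sample inventory are constructed for illustration, and the handling of overlapping findings and missing usage data is an assumption noted in the comments.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

OLD_DAYS, ROTATION_DAYS, UNUSED_DAYS = 180, 90, 90  # thresholds from the insight names

def evaluate_insights(credentials, now):
    """Map each credential name to the list of insights it triggers."""
    active = [c for c in credentials if c["status"] == "active"]
    per_identity = Counter(c["identity"] for c in active)
    findings = {c["name"]: [] for c in credentials}
    for c in active:  # assumption: only active credentials are evaluated
        out = findings[c["name"]]
        if not c["identity_active"]:
            out.append("Active credential for inactive identity")
        age = (now - c["last_rotated"]).days
        if age > OLD_DAYS:  # assumption: report only the stricter age finding
            out.append("Credential extremely old (>180 days)")
        elif age > ROTATION_DAYS:
            out.append("Credential not rotated (>90 days)")
        # "Last Used" is populated only if available; missing data is treated
        # here as unknown rather than as unused (assumption).
        if c["last_used"] and (now - c["last_used"]).days > UNUSED_DAYS:
            out.append("Credential unused (>90 days)")
        if per_identity[c["identity"]] > 1:
            out.append("Multiple active credentials")
    return findings

# Constructed sample inventory; all names and values are hypothetical.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
def days_ago(n):
    return NOW - timedelta(days=n)

INVENTORY = [
    {"name": "deploy-key", "identity": "svc-deploy", "identity_active": True,
     "status": "active", "last_rotated": days_ago(30), "last_used": days_ago(1)},
    {"name": "deploy-key-old", "identity": "svc-deploy", "identity_active": True,
     "status": "active", "last_rotated": days_ago(243), "last_used": days_ago(168)},
    {"name": "ci-api-key", "identity": "former-contractor", "identity_active": False,
     "status": "active", "last_rotated": days_ago(122), "last_used": None},
    {"name": "backup-ssh", "identity": "svc-backup", "identity_active": True,
     "status": "inactive", "last_rotated": days_ago(400), "last_used": days_ago(400)},
]

if __name__ == "__main__":
    for name, insights in evaluate_insights(INVENTORY, NOW).items():
        print(f"{name}: {insights or 'no findings'}")
```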


### **Filtering and Investigation**

Users can filter credentials based on multiple parameters such as:

* Last used date
* Creation or rotation timelines
* Insight type (risk category)
* Application or identity

This allows teams to quickly identify and prioritize high-risk credentials for remediation.

### **Credential Access and Blast Radius**

Each credential has a detailed view that shows the **resources and connections it has access to**.

This includes:

* Roles and permissions granted
* Resources accessible via the credential
* The full chain of access from credential to resource

This helps teams understand the **blast radius** of a credential in case of compromise.

Identities can be remapped if incorrectly classified to ensure accurate governance.


### **Identity vs Non-Identity Credentials - Planes of Access**

Credentials operate across different access planes:

* **Identity Credentials**
  * Example: Service account keys, HMAC keys
  * Inherit IAM permissions from the associated identity
* **Non-Identity Credentials**
  * Example: API keys, SSH keys
  * Provide direct or scoped access to services or resources

For example:

* A **service account key** can modify infrastructure (via IAM roles)
* An **SSH key** can directly log into a VM (system-level access)

Understanding this distinction is critical for accurate risk assessment.
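
The chain of access and the two planes described above can be modelled as a graph walk from a credential to the resources it reaches. This is an added example, not BalkanID's own code; the graph shape, the `cred:` / `identity:` / `role:` / `resource:` node prefixes and every name in it are constructed assumptions.

```python
# Constructed access graph: node -> nodes it grants access to (hypothetical names).
GRAPH = {
    # Identity credential: inherits whatever the associated identity holds.
    "cred:sa-key-1": ["identity:svc-terraform"],
    "identity:svc-terraform": ["role:compute-admin", "role:storage-viewer"],
    "role:compute-admin": ["resource:vm-prod-1", "resource:vm-prod-2"],
    "role:storage-viewer": ["resource:bucket-logs"],
    # Non-identity credential: direct access to a resource, no IAM hop.
    "cred:ssh-key-ops": ["resource:vm-prod-1"],
}

def access_chains(graph, start):
    """Return every path from `start` to a resource node."""
    chains, stack = [], [[start]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node.startswith("resource:"):
            chains.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # guard against cycles, e.g. nested roles
                stack.append(path + [nxt])
    return sorted(chains)

def blast_radius(graph, credential):
    """Resources exposed if `credential` is compromised."""
    return sorted({chain[-1] for chain in access_chains(graph, credential)})

def credentials_reaching(graph, resource):
    """Reverse question: which credentials can reach `resource`?"""
    creds = [n for n in graph if n.startswith("cred:")]
    return sorted(c for c in creds if resource in blast_radius(graph, c))

if __name__ == "__main__":
    for cred in ("cred:sa-key-1", "cred:ssh-key-ops"):
        print(cred, "->", blast_radius(GRAPH, cred))
        for chain in access_chains(GRAPH, cred):
            print("   ", " -> ".join(chain))
    print(credentials_reaching(GRAPH, "resource:vm-prod-1"))
```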

Credentials Discovery enables organizations to:

* Gain visibility into all credentials
* Identify and remediate risks
* Understand access and blast radius
* Extend governance to non-human identities

This forms the foundation for NHI Identity Governance.


