Vaulting a cloud provider root user account
In Centrify PAS, root accounts allow you to vault a password. Vaulting the cloud provider root account in Centrify PAS allows you to securely store the root account credentials and manage access. Additionally, you can configure Centrify as the MFA device for the AWS account.
To vault or edit a cloud provider root user account
- In the Admin Portal, navigate to Resources > Cloud Providers. Select an existing cloud provider.
Note: You can also vault a cloud provider root user account when you are adding a new cloud provider. For information on adding a new cloud provider, see Managing your cloud provider account.
- Click Root Account and click Vault Root User Account. Enter Root User Email Address and Password.
- Under Interactive Password Rotation, choose Yes for Enable interactive password rotation to allow on-demand rotation of your root account password from Centrify PAS.
- For Prompt to change root password every login and password checkin, choose Yes. If this is enabled, you are prompted to interactively rotate the password each time you log in and check in. When you click Yes to rotate the password, you are taken back to the update password screen in the AWS console and the root account password is automatically rotated, concluding at the AWS account information page.
- Select Yes for Enable password rotation reminders to set a minimum number of days since last rotation to trigger a reminder. The reminder is a banner that displays in the cloud provider user interface.
- And finally, click the Root Account Virtual MFA Device button to configure Centrify as the MFA virtual device for the AWS root account.
Once you have vaulted a cloud provider root user account, you can right-click the account and perform the following actions:

If you have the Login permission set for the cloud provider, you can log into the cloud provider root account.

If you have the Checkout permission, you can check out the password for a stored account to use it for access to a system. When you check out a password, you choose whether to display or copy it to the clipboard for use.
Note: Show Password is only active for 15 seconds. PAS will hide the password after 15 seconds as a security measure.

This allows you to update the root user's password.

This allows you to rotate the root user password. Unlike account password rotations, the root user account rotation is done on the user interface. If you lose connection with your browser after you have clicked Rotate Password, the password is not lost. You can retrieve it by doing the following:
- Right-click and select Checkout. You will receive an error message; click Close on the error message. PAS is in an "uncertain password state."
- Go back, right-click and select Checkout again, and click Show Password. You will then see a screen asking which password you want to check out: the proposed or the last known password.
- Copy the password. Go back to the account, right-click and choose Update Password.
- The account is no longer in an uncertain state. Go back, right-click the account and Checkin.

This allows you to add this root account to a set of accounts.

This enables Centrify as the MFA device. When you choose this option:
- The Centrify as AWS Root Account MFA Virtual Device wizard opens.
- Clicking Security Credentials takes you to the root cloud provider's account page. There, you Activate MFA, choose MFA type and click Continue.
- Set up the virtual MFA device by entering two consecutive MFA codes. To get them, copy the secret key from the cloud provider, paste it into the Centrify wizard, and click Next. Then copy the code generated by Centrify and paste it back into the cloud provider setup page.
AWS requires that two consecutive MFA codes be generated and pasted back into its setup page, so repeat this step to enter the second code, and click Assign MFA when complete. A success screen indicates that Centrify is now the MFA virtual device for this account.
- Go back into Centrify and click Confirm.
Now, the PAS vault has the MFA secret and it can issue MFA codes. To do this, right-click the account and click Get MFA Code. The account then generates MFA codes that you can use to log in manually.
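What holding the MFA secret means in practice, as an added example that is not Centrify or AWS code: the sketch below derives two consecutive codes from a shared secret and models the two-code enrollment check. It assumes the virtual device is RFC 6238 TOTP with default parameters (HMAC-SHA-1, 30-second step, 6 digits); the secret is the public RFC test key, and `verify_pair` with its drift tolerance is a hypothetical model of the provider-side check.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
# A real root-account secret never belongs in source code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / step)."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def consecutive_codes(secret_b32: str, unix_time: int, step: int = 30):
    """The two codes an enrollment form asks for: this step and the next."""
    return totp(secret_b32, unix_time, step), totp(secret_b32, unix_time + step, step)

def verify_pair(secret_b32: str, code1: str, code2: str, now: int,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Hypothetical enrollment check: accept only codes from adjacent time steps,
    allowing a small clock drift. Requiring two codes proves the device holds the
    secret and keeps time, not that it merely replayed one observed code."""
    for d in range(-drift_steps, drift_steps + 1):
        t = now + d * step
        if t < 0:
            continue
        first_ok = hmac.compare_digest(totp(secret_b32, t, step), code1)
        second_ok = hmac.compare_digest(totp(secret_b32, t + step, step), code2)
        if first_ok and second_ok:
            return True
    return False

if __name__ == "__main__":
    first, second = consecutive_codes(SAMPLE_SECRET, 59)
    print(first, second, verify_pair(SAMPLE_SECRET, first, second, 59))
```

Anyone who can read the secret can mint valid codes indefinitely, so the Checkout and Get MFA Code permissions on the vaulted account together amount to full root access and should be granted accordingly.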

Use to delete the root user account.
Once vaulted, you can drill deeper into a root account by clicking the account. Here, you can view or set the following for the root account:

Allows you to add permissions to your root user account. These permissions are specific to the AWS account. For more information on permissions, see Assigning permissions.

Use to view account settings for the root user account.

Use to view retired passwords for the root user account.

Allows you to add policy to the root user account. For more information on managing policy, see Creating authentication rules.

Use to enable workflow for the root user account. For more information on workflow, see Enabling request and approval workflow.

Use to view root user account activity. The following activity updates are specific to root user accounts:
- Update.
- Permission granted.
- Viewing the password.
- Checking out the password.
- Login.
- Password rotation.

Use to view root user account policy summary.