In a DevOps world, workloads (applications and services) running on a virtual machine (VM) need a service account to authenticate to the vault and check out passwords in an Application-to-Application Password Management (AAPM) context.
With potentially hundreds or thousands of applications and services, the matching growth in service accounts carries significant risk: every additional credential widens the attack surface for privilege abuse. To combat this, Delinea can grant a machine its own identity, which can then be delegated to trusted local workloads.
When you first enroll the machine using the Cloud Suite client installed on it, this establishes mutual trust: Cloud Suite creates a unique Delegated Machine Credential, a machine identity, and a service account for that machine. A local workload can then ask the Cloud Suite client to authenticate to the vault on its behalf using the machine credential. The Cloud Suite client obtains an OAuth2 bearer token, and the workload uses that token for its subsequent calls to the vault APIs, so the workload handles only the token, not the machine credential itself.
Thus the only service account required is the machine's own, rather than the hundreds or thousands that would be needed if each workload had its own.
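As an added illustration of the flow above (example code, not Delinea's or the Cloud Suite client's own implementation), here is a simplified model in which a local agent holds the machine credential and hands trusted local workloads short-lived signed bearer tokens, while the vault decides each password checkout on the single machine identity carried in the token. The class names, the uid allowlist used as the local trust decision, the HMAC-signed JSON token format, and the constructed machine and secret names are all illustrative assumptions; the real client speaks OAuth2 and applies its own trust policy.

```python
# Added example (not Delinea's or Cloud Suite's code): a simplified model of
# machine-identity delegation. A local agent holds the machine credential and
# mints short-lived bearer tokens for trusted local workloads; the vault
# checks out a password only against the machine's single service account.
# Token format (HMAC-signed JSON), the uid allowlist and all names are
# illustrative assumptions, not the real OAuth2 exchange.
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Vault:
    """Stand-in for the password vault: one service account per enrolled machine."""

    def __init__(self):
        self.machines = {}  # machine_id -> credential shared at enrollment
        self.secrets = {}   # secret name -> (value, machine_ids allowed to check it out)
        self.revoked = set()

    def enroll(self, machine_id: str) -> bytes:
        """Mutual-trust setup: mint the machine's credential and its one service account."""
        credential = os.urandom(32)
        self.machines[machine_id] = credential
        return credential

    def store_secret(self, name: str, value: str, allowed_machines) -> None:
        self.secrets[name] = (value, set(allowed_machines))

    def revoke_machine(self, machine_id: str) -> None:
        self.revoked.add(machine_id)

    def verify_token(self, token: str, now=None) -> dict:
        """Check signature (keyed by the machine credential), revocation and expiry."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            claims = json.loads(_b64url_decode(body))
        except ValueError as exc:  # bad base64, bad JSON, wrong number of parts
            raise PermissionError("malformed token") from exc
        if not isinstance(claims, dict):
            raise PermissionError("malformed token")
        machine_id = claims.get("sub")
        key = self.machines.get(machine_id)
        if key is None or machine_id in self.revoked:
            raise PermissionError("unknown or revoked machine identity")
        expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            raise PermissionError("bad token signature")
        if claims.get("exp", 0) <= now:
            raise PermissionError("token expired")
        return claims

    def checkout(self, token: str, name: str, now=None) -> str:
        """AAPM checkout: authorisation is decided on the machine identity in the token."""
        claims = self.verify_token(token, now)
        value, allowed = self.secrets[name]
        if claims["sub"] not in allowed:
            raise PermissionError(f"{claims['sub']} may not check out {name}")
        return value


class MachineAgent:
    """Stand-in for the Cloud Suite client on the VM. It alone holds the machine
    credential; workloads only ever receive short-lived bearer tokens."""

    def __init__(self, machine_id: str, credential: bytes, trusted_uids, ttl: int = 300):
        self.machine_id = machine_id
        self._credential = credential
        self.trusted_uids = set(trusted_uids)
        self.ttl = ttl

    def token_for(self, workload_uid: int, workload_name: str, now=None) -> str:
        """Delegate the machine identity to a trusted local workload (trust = uid allowlist here)."""
        if workload_uid not in self.trusted_uids:
            raise PermissionError(f"uid {workload_uid} is not a trusted local workload")
        now = time.time() if now is None else now
        claims = {"sub": self.machine_id, "act": workload_name, "iat": now, "exp": now + self.ttl}
        body = _b64url(json.dumps(claims, sort_keys=True).encode())
        sig = _b64url(hmac.new(self._credential, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


if __name__ == "__main__":
    vault = Vault()
    cred = vault.enroll("vm-web-01")  # constructed machine id
    vault.store_secret("db/app-password", "s3cr3t-constructed", ["vm-web-01"])
    agent = MachineAgent("vm-web-01", cred, trusted_uids=[1001])
    token = agent.token_for(1001, "billing-api")  # the workload never sees `cred`
    print(vault.checkout(token, "db/app-password"))
```

The points worth noticing are the ones the prose above makes: the vault knows exactly one principal per VM, the workload's own name travels only as an `act` claim inside a token that expires in minutes, and the decision about which local processes may borrow the machine identity is taken on the machine (here by uid) rather than by creating more vault accounts. Revoking the machine's credential cuts off every workload on it at once.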
More Resources:
Blogs
Service Account Management 101
Service Accounts vs User Accounts
Application and Service Accounts: Half Protected is Half Not