by ameliaquining 1001 days ago
Re: root account password in a password manager vault. The problem with this from an enterprise-security perspective is that, once the password has been shared with somebody, it's difficult to prevent them from later using it in a way that's not authorized, or accidentally disclosing it to someone who shouldn't have it (e.g., by having their machine compromised). I suppose that a TOTP secret or FIDO/U2F dongle doesn't necessarily have this problem, though, so you could maybe rely on that rather than the password as the primary security factor.

If you're not using an MFA mechanism attached to your SSO (Google Authenticator or Okta or something) then that's a completely separate issue. There shouldn't be that much risk in letting all of your SREs have access to the root credentials; you can lock down who can see what in your vault based on roles for any PW manager worth anything.

You could also rotate the root password every time there's a departure from the teams that have visibility if it's that big of a deal.