Comment 7 for bug 1396594

Bogdan Dobrelya (bogdando) wrote :

So, first, at the deployment stage, we should create a user in the service tenant with only the permission to get tokens. Next, at the deployment stage, we delegate the permissions we want service scripts to get in a trust creation request for that user. Once done, we could safely use the credentials of that user in the service scripts to get a token with the special permissions granted and use it to perform the required tasks with the delegated rights. The main points:
1) The credentials we use in the script will allow nothing more than getting a token
2) If the credentials get compromised, the cloud admin could just remove the trust. That would stop service scripts from operating, of course. So, the cloud admin should then also change the password, recreate the trust and update the password in the service scripts (this should be a documented flow)

Please correct me if I understand trusts and delegations wrong :-)
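The flow Bogdan describes, worked through as an added example (not code from this bug or from Keystone itself): an in-memory toy that uses Keystone's trust vocabulary (trustor, trustee, project, delegated roles, trust-scoped token) to show that the service user's own credentials yield a token with no roles, that only the trust-scoped token carries the delegated roles, and that deleting the trust and rotating the password stops the scripts until the trust is recreated. The user name `fuel-svc`, the project `services`, the roles and the passwords are constructed for the example; it also carries the recovery flow from point 2 through to the end.

```python
"""Toy model of the Keystone trust delegation flow (added example, not Keystone code).

Users, role assignments, trusts and tokens are kept in memory so the
delegation and revocation behaviour can be exercised offline. All names
and secrets below are constructed for the example.
"""
import secrets


class Forbidden(Exception):
    """Token is valid but lacks the required role on the project."""


class Unauthorized(Exception):
    """Credentials are wrong, or the token/trust is unknown or revoked."""


class ToyKeystone:
    def __init__(self):
        self.users = {}    # user name -> password
        self.roles = {}    # (user, project) -> set of role names
        self.trusts = {}   # trust_id -> {trustor, trustee, project, roles}
        self.tokens = {}   # token_id -> {user, project, roles, trust_id}

    # --- identity administration, done by the cloud admin at deployment ---
    def create_user(self, name, password):
        self.users[name] = password

    def set_password(self, name, password):
        self.users[name] = password
        # A password change invalidates the user's outstanding tokens.
        self.tokens = {t: d for t, d in self.tokens.items() if d["user"] != name}

    def grant_role(self, user, project, role):
        self.roles.setdefault((user, project), set()).add(role)

    def create_trust(self, trustor, trustee, project, roles):
        # The trustor can only delegate roles it actually holds on the project.
        if not set(roles) <= self.roles.get((trustor, project), set()):
            raise Forbidden("trustor does not hold all of the requested roles")
        trust_id = secrets.token_hex(8)
        self.trusts[trust_id] = {"trustor": trustor, "trustee": trustee,
                                 "project": project, "roles": set(roles)}
        return trust_id

    def delete_trust(self, trust_id):
        self.trusts.pop(trust_id)
        # Tokens issued under the trust die with it.
        self.tokens = {t: d for t, d in self.tokens.items()
                       if d["trust_id"] != trust_id}

    # --- what the service script does at runtime ---
    def authenticate(self, user, password, trust_id=None):
        if self.users.get(user) != password:
            raise Unauthorized("bad credentials")
        if trust_id is None:
            # Unscoped token: proves identity only, carries no roles at all.
            tok = {"user": user, "project": None, "roles": set(), "trust_id": None}
        else:
            trust = self.trusts.get(trust_id)
            if trust is None or trust["trustee"] != user:
                raise Unauthorized("no such trust for this user")
            tok = {"user": user, "project": trust["project"],
                   "roles": set(trust["roles"]), "trust_id": trust_id}
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = tok
        return token_id

    def authorize(self, token_id, project, required_role):
        tok = self.tokens.get(token_id)
        if tok is None:
            raise Unauthorized("token unknown or revoked")
        if tok["project"] != project or required_role not in tok["roles"]:
            raise Forbidden("%s not granted on %s" % (required_role, project))
        return True


def _allowed(action):
    """Return True if the action succeeds, False if Keystone refuses it."""
    try:
        return bool(action())
    except (Forbidden, Unauthorized):
        return False


def demo_trust_flow():
    ks = ToyKeystone()
    ks.create_user("admin", "admin-pw")                 # constructed admin
    ks.grant_role("admin", "services", "admin")
    ks.grant_role("admin", "services", "member")
    # 1) service user with no role assignments: its own token allows nothing
    ks.create_user("fuel-svc", "svc-secret-1")
    unscoped = ks.authenticate("fuel-svc", "svc-secret-1")
    bare_token_can_act = _allowed(lambda: ks.authorize(unscoped, "services", "member"))
    # delegate only 'member' on 'services' to the service user via a trust
    trust = ks.create_trust("admin", "fuel-svc", "services", ["member"])
    scoped = ks.authenticate("fuel-svc", "svc-secret-1", trust_id=trust)
    delegated_role_works = _allowed(lambda: ks.authorize(scoped, "services", "member"))
    undelegated_role_works = _allowed(lambda: ks.authorize(scoped, "services", "admin"))
    # 2) credentials leak: admin removes the trust, scripts stop immediately
    ks.delete_trust(trust)
    old_token_after_delete = _allowed(lambda: ks.authorize(scoped, "services", "member"))
    new_token_after_delete = _allowed(
        lambda: ks.authenticate("fuel-svc", "svc-secret-1", trust_id=trust))
    # documented recovery: rotate password, recreate trust, update the scripts
    ks.set_password("fuel-svc", "svc-secret-2")
    leaked_password_works = _allowed(lambda: ks.authenticate("fuel-svc", "svc-secret-1"))
    new_trust = ks.create_trust("admin", "fuel-svc", "services", ["member"])
    scoped2 = ks.authenticate("fuel-svc", "svc-secret-2", trust_id=new_trust)
    recovered = _allowed(lambda: ks.authorize(scoped2, "services", "member"))
    return {"bare_token_can_act": bare_token_can_act,
            "delegated_role_works": delegated_role_works,
            "undelegated_role_works": undelegated_role_works,
            "old_token_after_delete": old_token_after_delete,
            "new_token_after_delete": new_token_after_delete,
            "leaked_password_works": leaked_password_works,
            "recovered": recovered}


if __name__ == "__main__":
    for k, v in demo_trust_flow().items():
        print("%-24s %s" % (k, v))
```

The two checks a practitioner should keep in mind are modelled in `create_trust` and `authenticate`: a trust can only delegate roles the trustor actually holds on that project, and the trust-scoped token is only issued to the named trustee, so the leaked password on its own never carries more than an unscoped token. In a real deployment the same steps map onto creating the user with no role assignments, creating the trust from the trustor's account, and having the scripts request a token scoped to the trust id.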