• David.Poole - Tuesday, September 26, 2017 1:37 AM

    In a previous position, infrastructure was spun up in the cloud with a GUID password generated at the time of creation.  Once the configuration of the hardware was finished, the account was disabled.  The process of spinning up hardware was entirely automated, so at no time was the password known to any individual.
    For any piece of hardware we had to define what that hardware's configuration should be, using templates and Puppet scripts.  If you got the scripts wrong, you weren't allowed to stumble around on the box until you got it right; you had to correct your scripts so the action was entirely repeatable.  This approach made for an extremely robust and secure system.

    I like that. In quite a few companies we've set long, random passwords for service accounts, without saving them beyond needing to configure a service. With group managed accounts now, I'd think we'd not bother, but I like the idea of forcing all systems through scripting, cloud or not.
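The pattern both comments describe (a bootstrap credential that is generated at creation time, used only by an automated configuration run, never seen by a person, and disabled as soon as the run ends) is shown below as an added, simulated example; it is not code from either commenter or from any tool they mention. The `Host` class, the `bootstrap` account name and the step functions are assumptions standing in for a real cloud API and real Puppet/template runs. The point a practitioner should take from it is the `try/finally`: a broken script must stop the run and get fixed, but it must not leave a live bootstrap account behind.

```python
"""Ephemeral bootstrap credential: added example, not code from the comments.

Models the process described above: a host is created with a randomly
generated bootstrap password, an automated configuration run uses that
password, and the account is disabled the moment the run finishes, whether
or not the run succeeded. Host, the step functions and the account name
"bootstrap" are assumptions standing in for a real cloud API and real
Puppet/template runs.
"""
import hashlib
import hmac
import secrets
import uuid

PBKDF2_ROUNDS = 100_000


class Host:
    """Simulated host account database (assumption). Stores only salted
    password hashes and an enabled flag, never the plaintext."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}   # user -> {"salt", "hash", "enabled"}
        self.config = {}     # settings applied by the configuration steps
        self.audit = []      # ordered record of account events

    def create_account(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[user] = {"salt": salt, "hash": digest, "enabled": True}
        self.audit.append(("create", user))

    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not acct["enabled"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, acct["hash"])

    def disable_account(self, user):
        self.accounts[user]["enabled"] = False
        self.audit.append(("disable", user))


def new_bootstrap_password():
    """GUID-style one-time password, as in the comment. uuid4() draws its 122
    random bits from os.urandom, so it is acceptable as a bootstrap secret."""
    return str(uuid.uuid4())


def provision(host, steps, bootstrap_user="bootstrap"):
    """Create the bootstrap account with a fresh password, run the steps, then
    disable the account. The password lives only in this frame: it is never
    logged, stored or returned. A failing step stops the run (the script gets
    fixed and re-run; nobody logs in to patch the box by hand), but the
    finally block still disables the account."""
    password = new_bootstrap_password()
    host.create_account(bootstrap_user, password)
    failures = []
    try:
        for step in steps:
            if not host.authenticate(bootstrap_user, password):
                raise RuntimeError("bootstrap account unusable mid-run")
            try:
                step(host)
            except (ValueError, RuntimeError) as exc:
                failures.append(f"{step.__name__}: {exc}")
                break
    finally:
        host.disable_account(bootstrap_user)
        # Drop our only reference; Python cannot guarantee the bytes are
        # zeroised, so the real control is the disabled account above.
        del password
    return {"host": host.name, "config": dict(host.config), "failures": failures}


# Hypothetical configuration steps; a real run would apply Puppet manifests.
def set_timezone(host):
    host.config["timezone"] = "UTC"


def harden_sshd(host):
    host.config["sshd.PermitRootLogin"] = "no"
    host.config["sshd.PasswordAuthentication"] = "no"


def broken_firewall_step(host):
    # Stands in for a template that rendered an empty ruleset.
    raise ValueError("rendered firewall ruleset is empty")


def live_bootstrap_accounts(hosts, bootstrap_user="bootstrap"):
    """Fleet check: any host whose bootstrap account is still enabled is a
    finding, because the pattern requires it be disabled after every run."""
    return [h.name for h in hosts
            if h.accounts.get(bootstrap_user, {}).get("enabled", False)]


if __name__ == "__main__":
    good = Host("web-01")
    print(provision(good, [set_timezone, harden_sshd]))
    bad = Host("web-02")
    print(provision(bad, [set_timezone, broken_firewall_step, harden_sshd]))
    print("live bootstrap accounts:", live_bootstrap_accounts([good, bad]))
```

`live_bootstrap_accounts` is the check worth scheduling against a real fleet: the process only guarantees that nobody ever knew the password if every bootstrap account is in fact disabled, so an enabled one after the run is a finding regardless of how strong the password was.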