I use both and am very satisfied, especially by Hetzner.
Only complaint with Hetzner is they don't have some kind of OAuth setup for machines or scoped API tokens, just read/write. I'd like to use the former for doing Vault authentication from instances, and the latter for writing a dynamic Vault secret provider.
Can’t you use a third party IAM solution for this? Like Okta or keycloak?
zitadel supports service users with rbac. maybe give it a look/try: https://github.com/zitadel/zitadel