Eliminate Long-Lived Secrets
The goal shouldn’t be to secure secrets, it should be to not need them at all. If your application depends on long-lived credentials, you’ve already failed.
The most secure secret is the one you never have to manage.
- Long-lived static credentials inevitably leak through repos, logs, CI/CD configs, and backups, and become a persistent risk.
- On AWS, assign IAM roles to compute identities so services call AWS APIs without ever storing access keys.
- On GCP, attach service accounts to resources so workloads access cloud APIs with short-lived tokens instead of keys.
- In Kubernetes, leverage workload identity so pods authenticate to cloud or internal services without secrets.
- Strive to eliminate all long-lived secrets from your application and infrastructure. While it may not be possible to remove every secret, this is your north star.
A compute workload is granted an identity by the platform and reads objects from a storage bucket using short-lived credentials issued at runtime, with no API keys or secrets stored in code, config, or environment variables.
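One way to verify that a workload actually runs in the state described above, rather than quietly picking up a static key from its environment or a credentials file, is a small startup or CI guard. The example below is added here and is not code from the original page; it relies on the documented AWS access key ID prefixes (AKIA for long-lived IAM user keys, ASIA for temporary STS credentials) and follows only the environment-variable part of the SDK default credential chain. The sample credentials file, the `classify_key`, `audit_environment` and `find_static_keys` names, and all key values are constructed for illustration (the AKIA key is the one AWS uses in its own documentation; the ASIA key and session token are made up).

```python
import os
import re
from configparser import ConfigParser
from io import StringIO

# AWS-documented prefixes: AKIA = long-lived IAM user key,
# ASIA = temporary credential issued by STS (roles, federation, SSO).
STATIC_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
TEMP_KEY_RE = re.compile(r"^ASIA[0-9A-Z]{16}$")

# Constructed sample of an ~/.aws/credentials-style file for demonstration.
# The AKIA key is AWS's own documentation example; the ASIA entry is made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLE
"""


def classify_key(access_key_id):
    """Return 'static', 'temporary' or 'unknown' for an AWS access key ID."""
    if STATIC_KEY_RE.match(access_key_id):
        return "static"
    if TEMP_KEY_RE.match(access_key_id):
        return "temporary"
    return "unknown"


def audit_environment(env):
    """Classify how a process would obtain AWS credentials from its environment.

    Explicit keys in the environment take precedence in the SDK default chain.
    With no keys set, an SDK on EC2/ECS/EKS falls through to the credentials
    issued for the attached role, which is the desired state.
    """
    key = env.get("AWS_ACCESS_KEY_ID")
    if not key:
        return "platform-role"  # nothing static in env; SDK uses the attached role
    if classify_key(key) == "temporary" and env.get("AWS_SESSION_TOKEN"):
        return "temporary"
    return "static"  # an AKIA key, or a key presented without a session token


def find_static_keys(credentials_ini):
    """Return the profile names in a credentials INI text that hold long-lived keys."""
    parser = ConfigParser()
    parser.read_file(StringIO(credentials_ini))
    offenders = []
    for section in parser.sections():
        key = parser.get(section, "aws_access_key_id", fallback="")
        if classify_key(key) == "static":
            offenders.append(section)
    return offenders


def main():
    # Startup guard: refuse to run on static keys, report what the chain will use.
    source = audit_environment(os.environ)
    print(f"credential source from environment: {source}")
    if source == "static":
        raise SystemExit("refusing to start with a long-lived access key in the environment")
    print("static profiles in constructed sample file:", find_static_keys(SAMPLE_CREDENTIALS))


if __name__ == "__main__":
    main()
```

Run it as the first step of a container entrypoint or as a CI check; the expected result on a correctly configured workload is `platform-role`, meaning no key material is present and the SDK will obtain short-lived credentials from the attached role.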