A leaked credential is only dangerous for as long as it stays valid. By making every secret expire in minutes instead of months, a leak becomes a non-event rather than an incident.
Short-lived by default
Each workload requests a freshly minted, scoped token at startup and refreshes it well before expiry. Nothing is baked into an image or checked into a repo.
- Per-service identities, never shared
- Tokens scoped to the exact resources a service needs
- Automatic rotation with overlapping validity windows so refreshes never race
Rolling it out safely
We dual-published old and new secrets during the migration, watched the metrics for any service still reading the legacy path, and only revoked the old credentials once usage hit zero.