Posted Monday at 04:00 PM

Many teams begin with static, hardcoded database credentials, often buried in config files or environment variables. Automating secret rotation on a fixed schedule (daily, weekly, monthly) is a good first step, but minimizing the risk of credential theft as far as possible requires adopting “dynamic” secrets (sometimes called “ephemeral secrets” or “just-in-time secrets”). By issuing short-lived credentials that expire automatically, often within minutes or hours, organizations can drastically shrink the attack window if a secret is compromised.

In this follow-up to Why we need short-lived credentials and how to adopt them, a manager- and architect-oriented post on this topic, I’ll walk through two practical scenarios: issuing short-lived credentials for a PostgreSQL database, and retrieving static vs. dynamic secrets in GitLab CI. Both examples use HashiCorp Vault to create ephemeral database users with a limited lifespan using dynamic secrets...
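To make the PostgreSQL scenario concrete, here is an added example (not code from the article above) of configuring Vault's database secrets engine with Terraform's Vault provider so that every credential it hands out is a fresh PostgreSQL role with a short TTL. The Vault address, hostnames, role names and the admin password variable are placeholders.

```hcl
# Added example, not the article's own code. Mounts the database secrets engine,
# points it at PostgreSQL and defines a role whose leases expire after 15 minutes.

provider "vault" {
  address = "https://vault.example.internal:8200" # placeholder
}

# Management account Vault uses to create and drop per-lease roles (placeholder).
variable "vault_db_admin_password" {
  type      = string
  sensitive = true
}

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app-readonly"] # only this role may mint credentials here

  postgresql {
    # {{username}}/{{password}} are filled in by Vault from the fields below,
    # so the admin secret never appears in the URL literal.
    connection_url = "postgresql://{{username}}:{{password}}@postgres.example.internal:5432/appdb?sslmode=verify-full"
    username       = "vault_admin" # placeholder
    password       = var.vault_db_admin_password
  }
}

resource "vault_database_secret_backend_role" "readonly" {
  backend = vault_mount.db.path
  name    = "app-readonly"
  db_name = vault_database_secret_backend_connection.postgres.name

  # Each lease is a distinct PostgreSQL role; VALID UNTIL gives the database its
  # own expiry in case Vault's revocation call is delayed.
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  revocation_statements = [
    "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]

  default_ttl = 900  # seconds: a CI job's credential barely outlives the job
  max_ttl     = 3600 # renewals can extend a lease to at most one hour
}
```

After `terraform apply`, `vault read database/creds/app-readonly` returns a new username/password pair with its lease_id, and `vault lease revoke <lease_id>` drops the role early; `vault write -f database/rotate-root/app-postgres` rotates the admin password so that only Vault knows it.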