This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-short-lived-credentials.md

1.1 KiB

Pattern: Short-lived Credentials

Status: reviewed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, flex-auth Genesis family: Secrets and cryptography

Problem

Static credentials remain useful after compromise and are difficult to inventory, rotate, and scope.

Context

Use this pattern for object storage, SSH, API tokens, database access, workload secrets, and operator elevation.

Forces

  • Consumers need stable integration contracts.
  • Backends differ in session or lease support.
  • Refresh and expiration behavior must be tested.
  • Audit must link issuance to actor, tenant, resource, and purpose.

Solution

Prefer credentials with explicit TTL, scope, lease metadata, and revocation path. Normalize issuance through identity, authorization, and brokered secret authority.

Verification

  • Credentials include scope, expiry, and owner metadata.
  • Consumers refresh before expiration.
  • Expired credentials are rejected by backends.
  • Issuance and revocation are auditable.
  • STS Credential Vending.
  • Dynamic Secrets.
  • Short-Lived SSH Certificates.
  • Time-boxed Privilege Elevation.