This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-short-lived-credentials.md

44 lines
1.1 KiB
Markdown

# Pattern: Short-lived Credentials
Status: reviewed
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform, flex-auth
Genesis family: Secrets and cryptography
## Problem
Static credentials remain useful after compromise and are difficult to
inventory, rotate, and scope.
## Context
Use this pattern for object storage, SSH, API tokens, database access,
workload secrets, and operator elevation.
## Forces
- Consumers need stable integration contracts.
- Backends differ in session or lease support.
- Refresh and expiration behavior must be tested.
- Audit must link issuance to actor, tenant, resource, and purpose.
## Solution
Prefer credentials with explicit TTL, scope, lease metadata, and
revocation path. Normalize issuance through identity, authorization,
and brokered secret authority.
## Verification
- Credentials include scope, expiry, and owner metadata.
- Consumers refresh before expiration.
- Expired credentials are rejected by backends.
- Issuance and revocation are auditable.
## Related Patterns
- STS Credential Vending.
- Dynamic Secrets.
- Short-Lived SSH Certificates.
- Time-boxed Privilege Elevation.