Short-lived, workload-bound credentials
Definition
Short-lived, workload-bound credentials are temporary access tokens or keys that are specifically tied to a particular workload or application instance. These credentials are designed to expire after a brief period, reducing the risk of misuse if compromised. They are commonly used in cloud environments to enhance security by ensuring that credentials are not long-lived and are only valid for the duration of a specific task or session.
Secure Settings Example
# Example of a Kubernetes Pod that requests a short-lived token bound to itself
# (projected serviceAccountToken volume; the kubelet rotates the file before it expires,
# and the token's claims name this Pod, so it is not valid once the Pod is gone)
apiVersion: v1
kind: Pod
metadata: {name: example-pod}
spec:
  serviceAccountName: example-service-account
  containers:
  - name: app
    image: example/app   # placeholder image
    volumeMounts: [{name: sa-token, mountPath: /var/run/secrets/tokens, readOnly: true}]
  volumes:
  - name: sa-token
    projected:
      sources:
      - serviceAccountToken: {path: token, expirationSeconds: 3600}   # 1 hour
Insecure Settings Example
# Example of a long-lived Kubernetes ServiceAccount token: a legacy Secret of type
# kubernetes.io/service-account-token is filled with a token that has no expiry
# and is not bound to any Pod, so it stays valid until the Secret is deleted
apiVersion: v1
kind: Secret
metadata:
  name: example-service-account-token
  annotations:
    kubernetes.io/service-account.name: example-service-account
type: kubernetes.io/service-account-token   # Tokens do not expire
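As an added example, not part of the original page: a defender-side audit that decodes a service account token's claims and flags the two properties this page is about, whether the token expires within a bounded lifetime and whether it is bound to a Pod. The sample tokens are constructed with the claim layout Kubernetes uses for projected and legacy tokens; they are unsigned and the signature is not checked, so this inspects claims, it does not authenticate.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature (constructed sample, not a cluster token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode the payload only; the signature is not checked (claim inspection, not authentication)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audit_token(token: str, max_lifetime: int = 3600) -> list:
    """Return findings: missing expiry, lifetime above max_lifetime, or no binding to a Pod."""
    c = decode_claims(token)
    findings = []
    if "exp" not in c:
        findings.append("no-expiry")
    else:
        lifetime = c["exp"] - c.get("iat", c["exp"])  # 0 if iat is absent
        if lifetime > max_lifetime:
            findings.append(f"lifetime-{lifetime}s-exceeds-{max_lifetime}s")
    # Projected tokens carry the Pod they were issued for under the "kubernetes.io" claim.
    if not c.get("kubernetes.io", {}).get("pod"):
        findings.append("not-bound-to-pod")
    return findings

# Constructed samples with the claim layout of (a) a projected, Pod-bound token and
# (b) a legacy secret-based token; timestamps are fixed so results are deterministic.
PROJECTED_TOKEN = make_token({
    "aud": ["https://kubernetes.default.svc"], "iat": 1700000000, "exp": 1700003600,
    "iss": "https://kubernetes.default.svc",
    "kubernetes.io": {"namespace": "default",
                      "pod": {"name": "example-pod", "uid": "placeholder-pod-uid"},
                      "serviceaccount": {"name": "example-service-account", "uid": "placeholder-sa-uid"}},
    "sub": "system:serviceaccount:default:example-service-account",
})
LEGACY_TOKEN = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "example-service-account",
    "sub": "system:serviceaccount:default:example-service-account",
})
```

Running audit_token over tokens read from a Pod's mounted token file, or over tokens found in Secrets, gives an inventory of credentials that outlive or outlast the workload they were meant for.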