Audit your current secrets inventory to identify all static credentials (API keys, service account JSON keys, database passwords, access key pairs) and the services that use them
For cloud provider access, migrate to workload identity federation or instance metadata credentials (AWS instance profiles, GCP workload identity, Azure managed identities) so no credential is stored in the environment
For database access, replace static passwords with a secrets manager that issues short-lived credentials (e.g., HashiCorp Vault dynamic secrets, AWS Secrets Manager rotation, or Cloud SQL IAM authentication)
For service-to-service API calls, replace static API keys with OIDC tokens or mTLS client certificates issued by a PKI with short TTLs; implement automatic renewal in the client
Remove the old static credentials after confirming the new flow is working: revoke the key, delete it from secrets managers, and update audit log queries to alert on any use of the revoked credential
Implement a periodic automated scan (e.g., using secret scanning tools in CI, or cloud provider credential reports) to detect any newly introduced static secrets before they reach production
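The inventory step and the periodic scan above both come down to two checks: which static credentials exist (and what still uses them), and whether new ones are creeping into configuration. The following is an added example, not code from the original page: a small Python audit that parses an IAM credential report to flag active access keys older than a rotation threshold, and a minimal pattern scan over an environment file. The column names follow the AWS IAM credential report format; the report rows, the `.env` excerpt and the account id are constructed sample data. The regexes are illustrative and are not a substitute for a dedicated secret scanner.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample. The header matches the AWS IAM credential report layout
# (get-credential-report); the two user rows and the account id are invented.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
ci-deployer,arn:aws:iam::000000000000:user/ci-deployer,2021-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-01T10:00:00+00:00,2024-05-01T08:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
report-bot,arn:aws:iam::000000000000:user/report-bot,2024-01-15T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-20T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Constructed sample .env excerpt; the access key id is AWS's documented example value.
SAMPLE_CONFIG = """\
# constructed .env excerpt
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2-constructed
LOG_LEVEL=info
"""


def _parse_ts(value):
    """Credential reports use N/A style markers for missing timestamps."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_access_keys(report_csv, now, max_age_days=90):
    """Return active access keys rotated more than max_age_days ago, with the
    last service that used them, so each one can be traced to its consumer."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append({
                    "user": row["user"],
                    "key_slot": int(slot),
                    "age_days": age_days,
                    "last_used": row[f"access_key_{slot}_last_used_date"],
                    "last_used_service": row[f"access_key_{slot}_last_used_service"],
                })
    return findings


# AWS long-term access key ids start with AKIA followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# KEY=VALUE lines whose variable name suggests a secret being stored statically.
SECRET_ASSIGNMENT_RE = re.compile(
    r"^\s*[A-Za-z_][A-Za-z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN)[A-Za-z0-9_]*\s*=\s*\S+",
    re.IGNORECASE,
)


def find_static_secrets(text):
    """Return (line_number, kind) pairs for lines that look like static credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if AWS_ACCESS_KEY_ID_RE.search(line):
            findings.append((line_no, "aws_access_key_id"))
        if SECRET_ASSIGNMENT_RE.match(line):
            findings.append((line_no, "secret_assignment"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    for f in stale_access_keys(SAMPLE_CREDENTIAL_REPORT, now):
        print(f"stale key: user={f['user']} slot={f['key_slot']} age={f['age_days']}d "
              f"last_used={f['last_used']} service={f['last_used_service']}")
    for line_no, kind in find_static_secrets(SAMPLE_CONFIG):
        print(f"static secret candidate: line {line_no} ({kind})")
```

In a real pipeline the report text comes from the cloud provider's credential report API and the file scan runs over the repository in CI; the `last_used_service` field is what turns a bare key into an inventory entry that names the consumer to migrate.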
Known gotchas
Migrating to short-lived tokens requires applications to handle token refresh; applications that do not renew credentials before expiry will fail, so test credential expiry scenarios explicitly
Some legacy systems or third-party integrations do not support OIDC or dynamic credentials and require static secrets; document these as exceptions with compensating controls rather than blocking the migration
Instance metadata credentials are only secure if the instance metadata service is protected; on EC2, enforce IMDSv2 (require session-oriented requests) to prevent SSRF attacks from stealing instance credentials
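The two gotchas above (renew before expiry, and use the session-oriented IMDSv2 flow) can be shown in one credential provider. The following is an added example, not code from the original page: a Python client that obtains an IMDSv2 session token with a PUT to `/latest/api/token`, fetches role credentials with that token, and refreshes them a configurable margin before their `Expiration`. The header names and the credential document fields are AWS's documented ones; `FakeImds`, `ManualClock`, the role name and the returned key values are constructed so the example runs offline. Enforcing the token requirement on the instance itself is done out of band (for EC2, `aws ec2 modify-instance-metadata-options --http-tokens required`).

```python
import json
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254"  # EC2 instance metadata service address


class ImdsV2CredentialProvider:
    """Fetches role credentials over IMDSv2 and refreshes them before expiry.

    http is a callable(method, url, headers) -> (status, body); in production
    this would wrap a real HTTP client with a short timeout."""

    def __init__(self, http, role_name, now=None,
                 refresh_margin=timedelta(minutes=5), token_ttl_seconds=21600):
        self._http = http
        self._role = role_name
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._margin = refresh_margin
        self._token_ttl = token_ttl_seconds
        self._creds = None
        self._expiry = None
        self.fetch_count = 0

    def _session_token(self):
        # IMDSv2 step 1: a PUT with a TTL header yields a session token. Token-less
        # GETs (the IMDSv1 pattern a typical SSRF can forge) are refused when the
        # instance requires IMDSv2.
        status, body = self._http("PUT", f"{IMDS_BASE}/latest/api/token",
                                  {"X-aws-ec2-metadata-token-ttl-seconds": str(self._token_ttl)})
        if status != 200:
            raise RuntimeError(f"IMDSv2 token request failed with status {status}")
        return body

    def _fetch(self):
        token = self._session_token()
        status, body = self._http(
            "GET", f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/{self._role}",
            {"X-aws-ec2-metadata-token": token})
        if status != 200:
            raise RuntimeError(f"credential fetch failed with status {status}")
        doc = json.loads(body)
        self._creds = {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
        self._expiry = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        self.fetch_count += 1

    def credentials(self):
        """Return cached credentials, refreshing once inside the expiry margin."""
        if self._creds is None or self._now() >= self._expiry - self._margin:
            self._fetch()
        return self._creds


class ManualClock:
    """Constructed clock so the expiry timeline can be stepped deterministically."""
    def __init__(self, start):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, delta):
        self.now += delta


class FakeImds:
    """Constructed stand-in for an IMDSv2-enforced metadata service (offline only)."""
    def __init__(self, clock, credential_lifetime=timedelta(hours=1)):
        self._clock = clock
        self._lifetime = credential_lifetime
        self._tokens = set()
        self.issued = 0

    def __call__(self, method, url, headers):
        if method == "PUT" and url.endswith("/latest/api/token"):
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            token = f"constructed-session-token-{len(self._tokens) + 1}"
            self._tokens.add(token)
            return 200, token
        if method == "GET":
            if headers.get("X-aws-ec2-metadata-token") not in self._tokens:
                return 401, ""  # IMDSv2 required: no session token, no data
            self.issued += 1
            expiry = self._clock() + self._lifetime
            return 200, json.dumps({
                "Code": "Success",
                "AccessKeyId": f"ASIACONSTRUCTED{self.issued:04d}",
                "SecretAccessKey": "constructed-secret",
                "Token": "constructed-session",
                "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
        return 404, ""


def demo():
    """Walk a one-hour credential through its lifetime and record what the client did."""
    clock = ManualClock(datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))
    imds = FakeImds(clock)
    provider = ImdsV2CredentialProvider(imds, "constructed-role", now=clock)
    first = provider.credentials()["AccessKeyId"]    # initial fetch, expires 13:00
    clock.advance(timedelta(minutes=30))
    cached = provider.credentials()["AccessKeyId"]   # 12:30: still valid, served from cache
    clock.advance(timedelta(minutes=26))
    renewed = provider.credentials()["AccessKeyId"]  # 12:56: inside the 5-minute margin
    legacy_status, _ = imds(
        "GET", f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/constructed-role", {})
    return {"first": first, "cached": cached, "renewed": renewed,
            "fetch_count": provider.fetch_count, "legacy_status": legacy_status}


if __name__ == "__main__":
    print(demo())
```

The test to add to your own suite is the one the gotcha names: step the clock past the margin and assert that the client refreshed, and step it past `Expiration` with a provider that cannot refresh to see the failure mode before production does.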