{"id":"104628e1-4e55-4373-aafe-60c048445097","task":"Replace static long-lived secrets with short-lived tokens using cloud OIDC and workload identity patterns","domain":"cloud.google.com","steps":["Audit your current secrets inventory to identify every static credential (API keys, service account JSON keys, database passwords, access key pairs) and the workloads that use it; include CI pipelines, cron jobs and local developer configs, which are where static keys most often hide","For cloud provider access, migrate to workload identity federation or platform-issued metadata credentials (AWS instance profiles and IAM roles for service accounts, GCP workload identity, Azure managed identities) so no long-lived credential is stored in the environment; the platform mints and rotates the short-lived token itself","For database access, replace static passwords with credentials that expire on their own (e.g., HashiCorp Vault dynamic database secrets, Cloud SQL IAM database authentication, RDS IAM authentication); where a database only supports passwords, automate rotation with a secrets manager such as AWS Secrets Manager and shorten the rotation interval","For service-to-service API calls, replace static API keys with OIDC tokens or mTLS client certificates issued by a PKI with short TTLs; implement automatic renewal in the client and have the receiving service verify issuer, audience and expiry rather than just presence of a token","Remove the old static credentials only after confirming the new flow works end to end: disable the key first and watch for breakage, then delete it, purge it from secret stores and source history, and add an audit log alert on any authentication attempt that presents the revoked key ID","Implement a periodic automated scan (e.g., secret scanning tools in CI, or cloud provider credential reports such as the IAM credential report) to detect any newly introduced static secrets before they reach production"],"gotchas":["Migrating to short-lived tokens requires applications to refresh ahead of expiry; applications that renew only after a failure, or never renew, will fail when the token expires, so test expiry scenarios explicitly, including an issuer outage while a cached token is still valid","Some legacy systems or third-party integrations do not support OIDC or dynamic credentials and still require static secrets; document these as exceptions with compensating controls (tight scoping, rotation schedule, usage alerting) rather than blocking the migration","Instance metadata credentials are only as secure as the instance metadata service; on EC2, enforce IMDSv2 (HttpTokens=required, so credentials can only be fetched with a session token obtained via a PUT request, and keep the PUT response hop limit at 1 unless containers on the host need metadata access) to stop SSRF from stealing instance credentials; GCP and Azure require a custom header (Metadata-Flavor: Google, Metadata: true) for the same reason"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/104628e1-4e55-4373-aafe-60c048445097"}
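The record above describes the procedure but not the two pieces of client-side and detection logic that decide whether it succeeds: renewing a short-lived token before it expires (the first gotcha) and alerting on any use of a key that was supposed to be revoked (step 5). The following is an added example written for this page, not code from the record's contributor or from any cloud SDK. The token issuer is a constructed stand-in that returns an unsigned JWT-shaped token with an exp claim, so the refresh logic runs offline; in production that callable would be a workload identity token exchange or a Vault dynamic secret read. The CloudTrail-style log records and the access key IDs in them are constructed sample data.

```python
"""Short-lived credential handling: refresh-ahead cache plus a revoked-key audit check.

Added example for this page. The issuer, tokens, log records and key IDs
are constructed stand-ins, not real cloud credentials or API calls.
"""
import base64
import json
import threading
import time
from typing import Callable, Iterable, List, Optional, Tuple

# Assumption: any callable returning a fresh bearer token can act as the issuer
# (workload identity token exchange, Vault dynamic secret, STS AssumeRole, ...).
TokenIssuer = Callable[[], str]


def jwt_expiry(token: str) -> float:
    """Read the exp claim from a JWT payload. No signature check here on purpose:
    this is the client's own token and exp is only used to schedule refresh;
    the receiving service still verifies signature, issuer and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class RefreshingCredential:
    """Caches a short-lived token and renews it `margin` seconds before expiry,
    so callers never present a credential that is about to expire."""

    def __init__(self, issuer: TokenIssuer, margin: float = 60.0, clock=time.time):
        self._issuer, self._margin, self._clock = issuer, margin, clock
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._exp = 0.0
        self.refresh_count = 0

    def token(self) -> str:
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._exp - self._margin:
                try:
                    fresh = self._issuer()
                except Exception:
                    # Issuer outage: keep serving the cached token only while it is
                    # genuinely valid; never hand out an already expired one.
                    if self._token is not None and now < self._exp:
                        return self._token
                    raise
                self._token, self._exp = fresh, jwt_expiry(fresh)
                self.refresh_count += 1
            return self._token


def make_unsigned_jwt(sub: str, exp: float) -> str:
    """Constructed stand-in for an issued OIDC token (alg none, empty signature)."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'sub': sub, 'exp': exp})}."


def revoked_key_uses(log_lines: Iterable[str], revoked_key_ids: set) -> List[Tuple]:
    """Step 5 check: scan CloudTrail-style JSON records for any API call made
    with an access key that should no longer exist. userIdentity.accessKeyId,
    eventTime, eventName and sourceIPAddress are real CloudTrail fields."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id in revoked_key_ids:
            hits.append((rec["eventTime"], key_id, rec["eventName"], rec.get("sourceIPAddress")))
    return hits


# Constructed sample records; AKIAREVOKEDEXAMPLE01 is the key deleted in step 5.
SAMPLE_LOG = [
    '{"eventTime":"2026-06-13T13:00:01Z","eventName":"ListBuckets","sourceIPAddress":"10.0.1.5",'
    '"userIdentity":{"type":"IAMUser","accessKeyId":"AKIACURRENTEXAMPLE02"}}',
    '{"eventTime":"2026-06-13T13:02:17Z","eventName":"GetObject","sourceIPAddress":"203.0.113.9",'
    '"userIdentity":{"type":"IAMUser","accessKeyId":"AKIAREVOKEDEXAMPLE01"}}',
    '{"eventTime":"2026-06-13T13:03:40Z","eventName":"AssumeRoleWithWebIdentity","sourceIPAddress":"10.0.1.7",'
    '"userIdentity":{"type":"WebIdentityUser"}}',
]


def refresh_demo() -> Tuple[bool, bool, int]:
    """Token is reused while fresh and silently replaced inside the margin."""
    now = [1_000_000.0]
    cred = RefreshingCredential(lambda: make_unsigned_jwt("svc-a", now[0] + 300),
                                margin=60, clock=lambda: now[0])
    t1 = cred.token()
    now[0] += 100          # 200 s of lifetime left: cached token served
    t2 = cred.token()
    now[0] += 150          # 50 s left, inside the 60 s margin: refreshed
    t3 = cred.token()
    return t1 == t2, t2 != t3, cred.refresh_count


def failover_demo() -> Tuple[str, str]:
    """Issuer outage: cached token is served while valid, never after expiry."""
    now, calls = [0.0], [0]
    def issuer() -> str:
        calls[0] += 1
        if calls[0] > 1:
            raise ConnectionError("issuer unavailable")
        return make_unsigned_jwt("svc-b", now[0] + 300)
    cred = RefreshingCredential(issuer, margin=60, clock=lambda: now[0])
    first = cred.token()
    now[0] += 250          # refresh attempt fails, but token valid for 50 s more
    served = "cached" if cred.token() == first else "new"
    now[0] += 100          # past exp: must raise rather than present a dead token
    try:
        cred.token()
        outcome = "served"
    except ConnectionError:
        outcome = "raised"
    return served, outcome


if __name__ == "__main__":
    print(refresh_demo(), failover_demo())
    print(revoked_key_uses(SAMPLE_LOG, {"AKIAREVOKEDEXAMPLE01"}))
```

The margin should be larger than the longest request the token will be attached to, otherwise a token that was valid at send time can expire before the server checks it. The revoked-key scan is deliberately keyed on the access key ID rather than the principal name, since a deleted key may be recreated under the same user; any hit after the deletion timestamp is a sign the old credential is still in use somewhere that the inventory in step 1 missed.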