by feoren 1250 days ago
> In theory any time a system needs access to that database you could have a process that creates an entirely new user just for that session, with a random password

But doesn't that process just become the new login method? Doesn't that process need its own secrets to have the (much greater) authority to make new users? Doesn't compromising this process give you much more power than compromising one system would have?

1 comment

Right, secret management schemes do have a tendency to feel like ‘but wait, who holds the keys to get hold of the key?’ - it has to be turtles all the way down, right?

Except it turns out not. Secret issuance schemes like this let you move trust boundaries around, they don’t absolutely require all powerful admin systems to exist, and they also let you layer secret schemes on top of more robust trust relationship systems like IAM.

One common pattern is that higher trust ‘control plane’ systems create ephemeral lower trust process instances (e.g. for autoscaling), and so patterns like this allow those control planes to bootstrap the child systems with their own unique, cheap, minimally permissioned credentials.

Yes, the control plane is a juicier higher priv target. But that’s already the case.
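The control-plane bootstrapping pattern described in the reply above, as an added example that is not part of the thread and not any real secret manager's code: a constructed toy broker that mints ephemeral, scoped database users for child processes. It shows that a leaked child credential carries only its own privileges and lifetime, never the broker's admin secret or the ability to mint further users.

```python
"""Toy model of a credential broker that issues ephemeral, least-privilege
database users to child processes. Constructed for illustration only; the
authorize() method stands in for the checks a real database would perform."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Credential:
    username: str
    password: str
    privileges: frozenset   # e.g. {"SELECT:orders"}; no user-management rights
    expires_at: float       # epoch seconds after which the user is dead


@dataclass
class Broker:
    """Holds the only long-lived admin secret; children never receive it."""
    admin_secret: str = field(default_factory=lambda: secrets.token_hex(32))
    _live: dict = field(default_factory=dict)   # username -> Credential

    def issue(self, privileges, ttl_seconds, now=None):
        """Mint a unique user with a random password and a bounded lifetime."""
        now = time.time() if now is None else now
        cred = Credential(
            username=f"svc_{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(32),
            privileges=frozenset(privileges),
            expires_at=now + ttl_seconds,
        )
        self._live[cred.username] = cred
        return cred

    def revoke(self, username):
        """Drop the user early, e.g. when the child instance is torn down."""
        self._live.pop(username, None)

    def authorize(self, username, password, action, now=None):
        """Check one request from a child: live, unexpired, right password,
        and the action is inside the credential's own privilege set."""
        now = time.time() if now is None else now
        cred = self._live.get(username)
        if cred is None or now >= cred.expires_at:
            return False
        if not secrets.compare_digest(cred.password, password):
            return False
        return action in cred.privileges
```

Because the child credential has no user-management privilege, compromising one child yields only its own scope until expiry, while the admin secret stays inside the broker.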