by _mme 1214 days ago
I have to be annoying, but - if you have a token that is only valid for X seconds - you still need a token to renew the expiring token.

I have the feeling that damage control is the only option:

1) Secrets store is on different credentials

2) Decryption key is only known outside of secrets storage

3) There is a maximum number of different credentials that can be queried per day (adjustable over time)


Yeah you do, but you compartmentalize that with your orchestration (hence strong ops). With HashiCorp Nomad for example you might set up a parameterized job. When Nomad receives a job to do X for customer Y, it allocates a container with a short-lived token. Nomad is the system with the longer-living token that lets it generate short-lived tokens for short-lived workloads, that are themselves containerized to add a layer of security for a compromise. And so on.

Abstract that a little bit; the system that generates the short-lived token ideally would not be the same as the system that is using it.

Turtles all the way down
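The split the reply describes, with the orchestrator holding the long-lived credential and minting short-lived, job- and customer-scoped tokens that the workload presents to a secrets store which only verifies, as an added example that is not part of the thread and not Nomad's own code. It also models item 3 of the first comment, a per-day cap on how many distinct credentials one token may fetch. Everything here is constructed for illustration: the key, the customer and job names, the stored secrets and the token format (base64url claims plus HMAC-SHA256, stdlib only). The example assumes the store shares the HMAC key with the orchestrator; with a signature scheme the store could verify without being able to mint, which is the stronger form of the separation the reply argues for.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed, hypothetical long-lived key. Only the orchestrator role (the
# "Nomad" of the reply) and the secrets store hold it; workloads never see it.
ORCHESTRATOR_KEY = b"long-lived-orchestrator-key-constructed-for-this-example"


class TokenError(Exception):
    """Raised when a workload token is malformed, forged, expired or mis-scoped."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_workload_token(signing_key: bytes, job: str, customer: str, ttl_s: int, now: int) -> str:
    """Orchestrator role: mint a short-lived token bound to one job and one customer.
    Format: <base64url(claims)>.<base64url(HMAC-SHA256)>. The random jti lets the
    store account for usage per token instead of per customer."""
    claims = {"job": job, "customer": customer, "iat": now, "exp": now + ttl_s,
              "jti": _b64(os.urandom(8))}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(signing_key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_workload_token(verify_key: bytes, token: str, now: int) -> dict:
    """Verifier role: check the signature before trusting any claim, then expiry."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(verify_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise TokenError("bad signature")
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        raise TokenError("malformed token")
    if now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


class SecretsStore:
    """Holds secrets and the verification key; never mints tokens. Enforces a
    per-day cap on distinct credentials, counted per token (the first comment's item 3)."""

    def __init__(self, verify_key: bytes, secrets: dict, daily_cap: int = 3):
        self._key = verify_key
        self._secrets = secrets      # {customer: {credential_name: value}}
        self._cap = daily_cap
        self._seen: dict = {}        # (jti, day) -> set of credential names fetched

    def get(self, token: str, customer: str, name: str, now: int) -> str:
        claims = verify_workload_token(self._key, token, now)
        if claims["customer"] != customer:
            raise TokenError("token scoped to a different customer")
        seen = self._seen.setdefault((claims["jti"], now // 86400), set())
        if name not in seen and len(seen) >= self._cap:
            raise TokenError("per-day cap on distinct credentials exceeded")
        try:
            value = self._secrets[customer][name]
        except KeyError:
            raise TokenError("no such credential")
        seen.add(name)   # re-reading an already fetched credential stays free
        return value


def attempt(store: SecretsStore, token: str, customer: str, name: str, now: int) -> str:
    """Return the secret or the refusal reason, so outcomes can be compared side by side."""
    try:
        return store.get(token, customer, name, now)
    except TokenError as exc:
        return f"refused: {exc}"


def run_scenario() -> list:
    """Walk the three roles end to end with a fixed clock; returns the outcomes in order."""
    t0 = 1_700_000_000
    store = SecretsStore(ORCHESTRATOR_KEY,
                         {"acme": {"db": "pw1", "api": "k2", "smtp": "s3", "blob": "b4"}},
                         daily_cap=3)
    tok = mint_workload_token(ORCHESTRATOR_KEY, "billing-run", "acme", 60, t0)
    # A compromised workload guessing the key cannot mint a longer-lived token.
    forged = mint_workload_token(b"workload-guess", "billing-run", "acme", 3600, t0)
    return [
        attempt(store, tok, "acme", "db", t0 + 10),       # pw1
        attempt(store, tok, "acme", "db", t0 + 61),       # expired after 60 s
        attempt(store, tok, "globex", "db", t0 + 10),     # scoped to acme only
        attempt(store, forged, "acme", "db", t0 + 10),    # bad signature
        attempt(store, "not.a.token", "acme", "db", t0),  # malformed
        attempt(store, tok, "acme", "api", t0 + 11),      # k2 (2nd distinct)
        attempt(store, tok, "acme", "smtp", t0 + 12),     # s3 (3rd distinct)
        attempt(store, tok, "acme", "blob", t0 + 13),     # 4th distinct: cap hit
        attempt(store, tok, "acme", "db", t0 + 14),       # already seen: still pw1
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The workload only ever holds `tok`, which dies 60 seconds after issue and cannot reach another customer's secrets; the thing worth stealing, `ORCHESTRATOR_KEY`, lives in the orchestrator and the store. The cap means that even within the token's lifetime a compromised container leaks at most `daily_cap` distinct credentials per token per day, which is the damage-control framing of the first comment.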