A Painful Day in the Life of a Developer - Static Secrets, Credential Sprawl

Read full article here: https://aembit.io/resources/a-day-in-the-life-of-a-developer/?utm_source=nhimg

This article presents a visual narrative of a developer (“Alex”) working in GitLab CI/CD pipelines, highlighting the identity and access security challenges faced daily. It illustrates how secrets (keys, tokens, credentials) sprawl across environments, and the risks that arise when these aren’t properly managed. The piece concludes with Aembit’s secretless, identity-driven approach as the solution.

 Key Challenges Developers Face

• Credential Sprawl
  • Secrets appear across multiple layers: CI/CD variables, YAML files, .env files, shell scripts, Slack shares, developer machines, and job logs.
• Operational Disruptions
  • Builds failing due to expired tokens.
  • Debugging plaintext secrets exposed in logs.
  • Investigating old, orphaned keys without ownership.

• Audit Gaps
  • Difficulty knowing if a secret was used by a human or an AI agent.
  • Lack of traceability around who/what accessed resources.

Industry Data Highlighted

• Private vs Public Repos
  • Private repositories leak secrets 8× more often due to overconfidence and lack of oversight.
  • 1 in 3 private repos contains a plaintext secret.

• Permissions
  • 99% of GitLab API keys are over-permissioned, with 58% having full access.

• Real-world breaches
  • Pearson and Internet Archive attacks both began with exposed GitLab tokens.

Risks of Current Practices

• Hardcoding secrets into pipelines.
• Rotation handled manually (often skipped).
• One token reused across multiple environments.
• No reliable way to trace usage back to a user or workload.
• Orphaned credentials persisting in systems.

What Developers Want

• Secrets injected only when needed, disappearing after use.
• Automatic rotation managed by the platform, not humans.
• Policy-driven access (this app can/can’t access resource X).
• Clear audit logs showing exactly which job accessed what, when.
• Invisible but reliable authentication that “just works”.

Takeaway

The narrative makes a strong case that developers shouldn’t be stuck plumbing credentials, and that secretless, ephemeral, identity-driven access is the only sustainable way forward for securing non-human identities in CI/CD pipelines.