Dynamic Secret

By NHI Mgmt Group Updated May 16, 2026

A secret generated on-demand for a specific task and automatically revoked after use or expiry. Dynamic secrets dramatically reduce the risk of credential exposure compared to static, long-lived secrets and are considered best practice.

Expanded Definition

Dynamic secrets are short-lived credentials generated just in time for a specific workload, session, or task, then revoked automatically when the task ends or the lease expires. In NHI operations, they reduce standing exposure by replacing reusable credentials with ephemeral access tied to policy, identity, and context.

Definitions vary across vendors on whether a dynamic secret must be minted by a central secrets manager, a cloud identity broker, or a workload identity system, but the operational idea is consistent: access should be temporary, scoped, and auditable. That places dynamic secrets alongside Zero Standing Privilege and OWASP Non-Human Identity Top 10 guidance for reducing credential persistence. They also fit naturally with the Ultimate Guide to NHIs — Static vs Dynamic Secrets, which distinguishes durable secrets from ephemeral issuance models.

The most common misapplication is treating a rotated static credential as dynamic: if the secret is still reusable between rotations, broadly shared, and not automatically revoked when the task completes, it is a rotated static secret, not a dynamic one.

Examples and Use Cases

Implementing dynamic secrets rigorously often introduces orchestration overhead, requiring organisations to weigh reduced credential lifetime against added policy, logging, and lease-management complexity.

  • Database access for a CI job can be issued as a one-time credential that expires after the pipeline run, limiting the blast radius if the job logs are exposed. That pattern is especially relevant in the CI/CD pipeline exploitation case study.
  • Cloud workloads can request short-lived tokens to reach storage or API endpoints without embedding long-term keys in code, aligning with workload identity design. For implementation context, the Ultimate Guide to NHIs — Static vs Dynamic Secrets is the best reference point.
  • Temporary access for an incident responder can be time-boxed and revoked automatically when the case closes, reducing lingering emergency permissions.
  • Service-to-service communication in a microservices environment can use ephemeral certificates or tokens rather than shared API keys, which supports stronger workload isolation and simpler offboarding.

In practice, these patterns are often evaluated alongside OWASP Non-Human Identity Top 10 recommendations and incident lessons from the Shai Hulud npm malware campaign, where exposed credentials amplified downstream impact.
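
As an added illustration of the issuance-and-revocation model described under Expanded Definition and of the CI job use case above (example code written for this page, not NHI Mgmt Group's and not the API of any real secrets manager), the Python below models a minimal broker: a credential is minted for one workload identity and scope with a lease, rejected once revoked or expired, and a rotated static key is shown to remain reusable after the task ends in a way the dynamic lease does not. DynamicSecretBroker, Lease, FakeClock, the identity names and the scope strings are all constructed for the example.

```python
# Added example: minimal dynamic-secret broker. Names and policy data are constructed
# for illustration and do not correspond to any real secrets-manager API.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable


class FakeClock:
    """Controllable clock so lease expiry can be shown deterministically."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class Lease:
    lease_id: str
    secret: str
    identity: str      # workload identity the credential is bound to
    scope: str         # what the credential may be used for, e.g. "db:orders:read"
    expires_at: float
    revoked: bool = False


@dataclass
class DynamicSecretBroker:
    """Issues short-lived credentials under a per-identity scope policy and keeps an audit trail."""
    policy: dict[str, set[str]]                 # identity -> scopes it may request
    clock: Callable[[], float] = time.time
    leases: dict[str, Lease] = field(default_factory=dict)
    audit: list[tuple] = field(default_factory=list)

    def issue(self, identity: str, scope: str, ttl_seconds: float) -> Lease:
        """Mint a fresh credential for one identity and scope with an expiry (the lease)."""
        if scope not in self.policy.get(identity, set()):
            self.audit.append(("deny", identity, scope))
            raise PermissionError(f"{identity} may not request scope {scope}")
        lease = Lease(secrets.token_hex(8), secrets.token_urlsafe(32),
                      identity, scope, self.clock() + ttl_seconds)
        self.leases[lease.lease_id] = lease
        self.audit.append(("issue", identity, scope, lease.lease_id))
        return lease

    def validate(self, presented: str, identity: str, scope: str) -> bool:
        """Accept only a live, unrevoked lease whose identity and scope match the caller's claim."""
        now = self.clock()
        for lease in self.leases.values():
            if hmac.compare_digest(lease.secret.encode(), presented.encode()):
                ok = (not lease.revoked and now < lease.expires_at
                      and lease.identity == identity and lease.scope == scope)
                self.audit.append(("validate", identity, scope, lease.lease_id, ok))
                return ok
        self.audit.append(("validate", identity, scope, None, False))
        return False

    def revoke(self, lease_id: str) -> None:
        """Explicit revocation when the task finishes, ahead of the TTL."""
        self.leases[lease_id].revoked = True
        self.audit.append(("revoke", lease_id))

    def live_leases(self) -> list[Lease]:
        """Current standing exposure: credentials that would still be accepted right now."""
        now = self.clock()
        return [l for l in self.leases.values() if not l.revoked and now < l.expires_at]


def ci_job_demo() -> dict[str, bool]:
    """A CI job gets a one-time database credential; reuse after the run is rejected."""
    clock = FakeClock()
    broker = DynamicSecretBroker(policy={"ci/build-orders": {"db:orders:read"}}, clock=clock)
    lease = broker.issue("ci/build-orders", "db:orders:read", ttl_seconds=900)
    during_run = broker.validate(lease.secret, "ci/build-orders", "db:orders:read")
    # The credential cannot be stretched to a scope the policy never granted.
    scope_escalation = broker.validate(lease.secret, "ci/build-orders", "db:orders:write")
    broker.revoke(lease.lease_id)                       # job finished: revoke at once
    after_revoke = broker.validate(lease.secret, "ci/build-orders", "db:orders:read")
    lease2 = broker.issue("ci/build-orders", "db:orders:read", ttl_seconds=900)
    clock.advance(901)                                  # revocation missed: the lease dies anyway
    after_expiry = broker.validate(lease2.secret, "ci/build-orders", "db:orders:read")
    return {"during_run": during_run, "scope_escalation": scope_escalation,
            "after_revoke": after_revoke, "after_expiry": after_expiry,
            "standing_exposure_zero": broker.live_leases() == []}


def rotated_static_vs_dynamic() -> tuple[bool, bool]:
    """A static key rotated every 30 days is still usable an hour after the task; the lease is not."""
    clock = FakeClock()
    static_rotated_at, rotation_days = clock(), 30
    broker = DynamicSecretBroker(policy={"svc/report": {"storage:read"}}, clock=clock)
    lease = broker.issue("svc/report", "storage:read", ttl_seconds=300)
    broker.revoke(lease.lease_id)                       # task done
    clock.advance(3600)                                 # an hour later a copy turns up in a log
    static_valid = clock() - static_rotated_at < rotation_days * 86400
    dynamic_valid = broker.validate(lease.secret, "svc/report", "storage:read")
    return static_valid, dynamic_valid
```

The audit list is the piece a real deployment would ship to a SIEM: every issue, deny, validate and revoke event carries the identity and scope, so a credential presented after revocation or outside its scope is visible as a failed validate rather than silently accepted.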

Why It Matters in NHI Security

Dynamic secrets matter because long-lived credentials remain one of the most common failure points in NHI security. NHI Mgmt Group research shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which means revocation is often too slow to prevent follow-on abuse. Dynamic issuance reduces that window by making access expire by design, not by cleanup effort.

This approach also supports broader governance goals: least privilege, better offboarding, and more reliable audit trails. It is especially important where secrets are copied into CI/CD systems, third-party integrations, or application configs, because those environments tend to magnify secret sprawl. The Guide to the Secret Sprawl Challenge and the Reviewdog GitHub Action supply chain attack show how quickly exposed credentials can turn into enterprise-wide compromise.

Organisations typically encounter the real cost only after a leak, pipeline compromise, or third-party breach exposes a credential set, at which point adopting dynamic secrets becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and SPIFFE/SPIRE set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret management and the need for ephemeral credentials.
NIST Zero Trust (SP 800-207) | 3.1 | Supports least-privilege, per-session access and continuous verification for workloads.
SPIFFE/SPIRE | Section 3 | Defines workload identities that can be exchanged for short-lived credentials.

Replace reusable secrets with short-lived issuance and automatic revocation wherever feasible.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org