Granting a VM scoped storage access without static keys
WHAT IT TESTS: workload identity over static secrets. OUTLINE: attach a least-privilege role or managed identity to the VM so it gets auto-rotating temporary credentials scoped to the bucket. RED FLAG: storing access keys in config or environment variables.
WHAT IT TESTS: applying least privilege and temporary credentials to a workload. ANSWER OUTLINE: attach an IAM role via an instance profile (AWS), or a managed identity (Azure), to the VM; the policy grants only the specific actions on the specific bucket. The instance retrieves short-lived, auto-rotating credentials from the metadata service, so no secret is stored on the VM. Scope the policy tightly and rely on STS expiry for rotation. RED FLAG: placing long-lived access keys in files, environment variables, or code.
- #iam
- #security
- #storage
- #least-privilege
- #cloud