We’ve all been there: juggling AWS access keys, rotating credentials quarterly (or let’s be honest, yearly), and praying that developer laptop that went missing last month didn’t have plaintext keys in a .env file somewhere. The conventional wisdom says “use long, complex passwords” and “rotate regularly.” But what if the real solution is to eliminate passwords entirely—and make credentials so short-lived that stealing them becomes pointless?
A fascinating proof-of-concept project demonstrates an approach that flips traditional cloud security on its head. Instead of managing credentials, it makes them disposable. Instead of complex password policies, it uses hardware you can touch. Here are the most surprising and counter-intuitive takeaways that challenge how we think about cloud authentication.
1. The Best Credential is One That Expires in 15 Minutes
Most organizations think they’re doing well when they rotate AWS keys every 90 days. This project takes a radically different approach: credentials that expire in 15 minutes.
Think about that for a moment. Even if an attacker somehow intercepts your AWS access key, they have a 15-minute window before it becomes useless. No emergency rotation procedures. No “let’s hope they didn’t pivot to other systems” anxiety. Just automatic, built-in expiration.
“Vault-issued 15-minute creds, authenticated via YubiKey client cert. No passwords. No static AWS keys.”
This isn’t just incrementally better—it’s a fundamental shift in the threat model. Instead of asking “how do we protect long-lived credentials?”, it asks “what if credentials were so short-lived that protecting them becomes less critical?” The psychological and operational relief this brings cannot be overstated.
2. Your USB Key is More Secure Than Your Password Manager
We’ve been trained to think software solutions are inherently superior to hardware. Password managers with 256-bit encryption, multi-factor authentication apps, hardware security modules in data centers—all software-mediated.
But this approach trusts something you can physically hold: a YubiKey. The private key never leaves the hardware device. It can’t be phished. It can’t be screen-captured. It can’t be exfiltrated by malware that dumps process memory.
The YubiKey PIV (Personal Identity Verification) functionality generates an RSA key pair directly on the device’s secure element. When you authenticate to Vault, the signing operation happens inside the YubiKey. The private key material is literally impossible to extract or copy without physically disassembling the chip—and even then, the chips are designed to be tamper-resistant.
This seems old-fashioned in our cloud-native era, but it’s actually revolutionary: physical security as a primitive, not an afterthought.
3. Zero Trust Starts with Not Trusting Your Own Infrastructure
Most “zero trust” initiatives focus on not trusting the network perimeter. This project goes further: it doesn’t trust your infrastructure to safely store credentials at all.
Look at the architecture: Terraform provisions AWS resources, but the Terraform configuration file (terraform.tfvars) contains zero static credentials. Instead, it pulls temporary credentials from Vault at runtime:
data "vault_aws_access_credentials" "temp" {
backend = "aws"
role = "terraform-role"
}
This is profound because infrastructure-as-code has a dirty secret: version control is full of accidentally-committed credentials. GitHub’s secret scanning finds millions of exposed credentials annually. But you can’t accidentally commit what you never possess.
The Terraform state doesn’t contain permanent credentials. The configuration files don’t contain permanent credentials. There’s simply nothing permanent to leak.
4. Certificate-Based Authentication Solves the Bootstrap Problem
Here’s a chicken-and-egg problem that’s plagued security engineers: how do you securely authenticate to the system that issues your credentials, without already having credentials?
Traditional solutions involve some kind of secret: an initial password, a pre-shared key, a bootstrap token. But those secrets have to be transmitted and stored somehow, creating a vulnerability.
This approach uses certificate-based authentication where the certificate is signed by Vault’s own PKI, but the private key lives on the YubiKey. The trust chain is:
- Vault’s root CA signs a certificate for your YubiKey’s public key
- Your YubiKey’s private key (which never leaves the hardware) signs authentication challenges
- Vault’s cert-auth recognizes your certificate and grants access
The beautiful part? The YubiKey generates its own key pair. Vault never sees your private key. You never type a password. The initial signing creates a cryptographic binding between hardware you control and policies Vault enforces.
This elegantly solves the bootstrap problem: the secret is the physical possession of the YubiKey, combined with the one-time certificate issuance.
5. “Hardware-Rooted” Means More Than “Uses Hardware”
Many systems “use” hardware tokens—a YubiKey as a second factor, a smart card for VPN access. But this project demonstrates something deeper: hardware as the root of trust for the entire authentication chain.
Every AWS action taken by Terraform traces back through:
- AWS credentials (15-minute TTL) issued by Vault
- Vault authentication using TLS client certificates
- Client certificate signed by Vault PKI
- Private key stored in YubiKey PIV slot 9c
- Physical possession of the YubiKey
There’s no “something you know” (password) involved. It’s purely “something you have” (the YubiKey) cryptographically bound to “something you are authorized for” (Vault policies).
This creates an audit trail with physical accountability. You can’t share a YubiKey as easily as you can share a password. You can’t accidentally paste it into Slack. You know immediately if it’s missing.
The security property here is non-repudiation: if an action happens with your YubiKey, either you did it, or someone physically stole your hardware.
Final Thoughts: When Security Feels Like Magic
The most striking aspect of this approach is that once it’s set up, it just works—and it works invisibly. No password prompts. No rotating keys in a spreadsheet. No emergency conference calls because someone found credentials in a public GitHub repo.
You run terraform apply, your YubiKey blinks (asking for a touch to authorize), and infrastructure gets provisioned using credentials that didn’t exist 30 seconds ago and won’t exist 15 minutes from now.
This represents a broader trend in security: moving from “make the user do the right thing” to “make the wrong thing impossible.” Not longer passwords, but no passwords. Not better credential rotation policies, but credentials too short-lived to be worth rotating. Not carefully guarding secrets, but not having persistent secrets to guard.
Here’s the question to ponder: If we can eliminate passwords and static credentials for cloud infrastructure, what else in our security model exists only because we haven’t imagined a better alternative?
Explore the full implementation at w8mej/short-term-memory
https://github.com/w8mej/short-term-memory