Skip to content

v0.61.0

Choose a tag to compare

@dcadolph dcadolph released this 10 Jul 23:46
055f098

Secrets that clean up after themselves. A credential can now mint a fresh, short-lived value for each run and revoke it the moment the run ends, so a leaked value is useless minutes later. This is a control-plane capability neither AWX nor Semaphore offers.

  • A new credential source, Vault dynamic, reads a Vault dynamic secrets path such as database/creds/app or aws/creds/deploy. Vault mints a new credential on each read, Yardmaster injects the chosen field into the run, and the Vault lease is revoked when the run reaches a terminal state.
  • If the process dies before it can revoke, the credential still expires on the lease's own TTL, so nothing is left behind for long.
  • The minted value is masked in the run's log, live stream, and events like any other secret.
  • The credential dialog gets the new source, and the set-a-secret guide shows how to use it.

The engine seam is pluggable, so cloud STS and other short-lived credential sources can follow the same path.