Field note · 1 min
Temporary admin credentials are permanent
The access that was widened once for a deploy and never narrowed is the access an attacker eventually finds. Temporary is the most expensive word in an auth model.
There is a key in your system that was minted three years ago for a one-off script. It still has full access. Nobody remembers why. Nobody will be the one to revoke it, because revoking it might break something, and nothing is currently broken.
This is how identity grows in every system I open: not by design, by accident. A role widened once during an incident, at 2am, to get the deploy out. A shared credential pasted into a runbook so the on-call could use it. An admin scope granted “just for now.”
There is no “just for now” in an access model. There is only what an attacker finds when they get one foothold.
The danger is not the temporary grant itself. It is that temporary access has no expiry and no owner. It does not show up in a review, because reviews look at what is denied, not at what quietly accumulated. It sits there as standing permission until the day someone uses it, and on that day it looks exactly like legitimate traffic.
When I map who can do what in a system, the over-permissions are almost never malicious. They are sediment. Every one of them was reasonable in the moment it was granted.
The fix is not stricter rules. It is expiry. Access that was granted for a reason should die when the reason does. If a grant cannot name the thing that ends it, it is permanent, and you should treat it as permanent when you imagine how the system gets breached.
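One way to run that last test over a grant inventory, as an added example that is not part of the original note. The `Grant` fields, the finding labels and the sample records are assumptions constructed for illustration, not any real IAM schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Grant:  # hypothetical inventory record, not a real IAM schema
    grant_id: str
    principal: str
    scope: str
    granted_at: datetime
    owner: Optional[str] = None            # who answers for this grant
    expires_at: Optional[datetime] = None  # hard deadline, if any
    ends_when: Optional[str] = None        # named condition that ends it
    revoked: bool = False

def findings(g: Grant, now: datetime) -> list:
    """Reasons an active grant should be treated as standing access."""
    if g.revoked:
        return []
    out = []
    if g.expires_at is None and not g.ends_when:
        out.append("permanent: names nothing that ends it")
    if g.expires_at is not None and g.expires_at <= now:
        out.append("overdue: past expiry but still active")
    if not g.owner:
        out.append("unowned: nobody to ask before revoking")
    return out

def audit(grants, now: datetime) -> dict:
    """Map grant_id -> findings, oldest grant first; clean grants omitted."""
    report = {}
    for g in sorted(grants, key=lambda g: g.granted_at):
        reasons = findings(g, now)
        if reasons:
            report[g.grant_id] = reasons
    return report

UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)  # constructed "today"
SAMPLE = [  # constructed records
    Grant("g3", "alice", "deploy:prod", datetime(2024, 5, 30, tzinfo=UTC),
          owner="alice", expires_at=datetime(2024, 6, 2, tzinfo=UTC)),
    Grant("g2", "oncall-shared", "db:write", datetime(2023, 11, 9, tzinfo=UTC),
          owner="sre-team", expires_at=datetime(2023, 11, 10, tzinfo=UTC)),
    Grant("g1", "deploy-script", "admin:*", datetime(2021, 5, 3, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(audit(SAMPLE, NOW))
```

A grant that is past its expiry but still active is reported separately from one that never had an expiry, because the first is an enforcement failure and the second is a modelling failure.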