Bastion is the credential broker for modern infrastructure. Instead of handing your services a static password that lives in a vault forever, it mints a unique, scoped, expiring credential the moment a workload asks — database logins, cloud keys, API tokens, signing certs — then revokes the whole chain the instant a workload dies. The secret your code holds is good for fifteen minutes and worthless to anyone else.
$ bastion lease db/payments-prod --ttl 15m
broker postgres/payments-prod policy: readwrite-orders
issued lease lse_9f2a07c41b ← unique to this workload
user v-svc-checkout-9f2a07-1718a4 (created just now)
pass ************************ (never reused, never stored)
ttl 15m0s renewable to a 4h hard cap
scope SELECT, INSERT, UPDATE on orders, line_items
rotation root credential rotated 3h ago, not by a human
audit lease bound to svc-checkout @ 10.4.2.18
$ bastion revoke --workload svc-checkout
revoked lse_9f2a07c41b + 2 child leases (cache, s3)
result 3 credentials dead in 240ms · 0 secrets left live
The credential broker behind platform teams that refuse to ship a static password
A secrets manager hides a long-lived password behind a wall and hopes nothing ever reaches over it. Bastion takes the password off the board entirely — it generates a fresh credential per request, leases it for minutes, and revokes it the moment the workload that asked for it goes away. Nothing to leak twice, nothing to rotate by hand, nothing left valid when an attacker finally gets in.
Bastion brokers credentials it creates fresh for each request — a one-time Postgres role, a scoped AWS STS session, a short-lived RabbitMQ user, a per-pod Kubernetes token. The workload never holds a shared password because no shared password exists. When the lease ends, the underlying credential is destroyed at the source, not just forgotten by your app.
Every credential ships with a TTL and a hard cap. Services renew the lease while they're healthy; the moment one stops, the clock runs out and the credential dies on its own. A leaked secret is a secret that was already going to expire before the attacker finished reading it.
Revoke by lease, by workload, by policy, or by the breach you just discovered. Bastion walks the lease tree and kills every child credential it ever issued in one call — the database login, the cache token, the object-store key — so a compromised service is contained in seconds instead of a week of rotating everything by hand.
Bastion holds the root credentials your brokers need and rotates them on a schedule no human ever sees. The master database password changes itself every few hours; nobody copies it, nobody pastes it into Slack, and there is no shared admin login for an insider to walk out with.
Some secrets are static by nature — a third-party API key, a webhook signing secret, a license. Those live in an envelope-encrypted, namespaced store with versioning and per-path policy, sealed with keys you hold in your own KMS or HSM. Even Bastion can't read them without a quorum of your unseal keys.
What changes the week you stop storing secrets
The hardest problem in secrets isn't storage — it's the chicken-and-egg of the first secret a service needs to fetch the rest. Bastion solves it with identity: a workload proves what it is to your platform, and Bastion brokers the credentials from there. No bootstrap token to leak, no .env to commit.
Authenticate with the identity your platform already issues — a Kubernetes service account, an AWS IAM role, a GCP identity, a SPIFFE SVID, an OIDC token from your CI. The first credential is brokered from proof of identity, so there's no secret zero sitting in an environment variable.
First-class libraries for Go, TypeScript, Python, Rust, and Java fetch and auto-renew leases inline. Or run the Bastion agent as a sidecar that writes fresh credentials to a tmpfs file your app already reads — zero code change to go dynamic.
Credentials are plain database users, real STS sessions, and standard tokens — nothing proprietary your stack has to understand. Speak the HTTP API directly, export every policy as code, and migrate off the day you decide to. Your secrets are yours.
Broker deploy-time credentials in GitHub Actions, GitLab CI, Argo, and Terraform with a single step. Pull a scoped cloud key for an apply, run it, and let the lease expire before the job log finishes scrolling.
A broker sits in the path of every database call and deploy you make, so it has to be invisible when it works and obvious when it doesn't. Bastion is built for the second year, not the launch demo — when the credential graph is enormous, an auditor is asking questions, and you can't afford a maintenance window.
Run an active cluster with automatic leader failover and standbys across zones. Clients hold valid leases in memory, so a control-plane blip never stalls a request that already has its credential — the data plane keeps serving while Bastion heals.
SDKs and the sidecar pre-fetch and renew leases ahead of expiry, so the hot path reads a credential from local memory, not a network round trip. A broker outage degrades to 'use the lease you have' instead of taking the app down with it.
Every broker, path, and TTL is declared in version control and applied through your pipeline. Who can lease what is a pull request with an approver and a diff — not a console click nobody can explain six months later.
Suspect a compromise? Seal Bastion and it stops issuing instantly, freezing the blast radius while live leases age out on their own. Unsealing takes a quorum of your operators, so no single stolen laptop can turn the broker back on.
Export lease counts, renewal rates, revocation latency, and seal status to Prometheus and OpenTelemetry. Alert on a broker that's slow to issue or a workload renewing far more than it should — anomalies surface on your dashboard, not in a postmortem.
Snapshot and restore the whole credential graph, replicate to a warm secondary region, and fail over with a documented runbook. Practise the recovery on a Tuesday so the real one is muscle memory, not a first attempt under fire.
Almost every breach that starts with a credential ends the same way: the key was long-lived, over-scoped, shared across services, and nobody noticed it walk out the door. Bastion removes each of those properties on purpose, so the leak that used to be a company-ending incident becomes a fifteen-minute footnote in an audit log.
A credential pushed to a repo, pasted in a ticket, or printed to a log is dead within minutes of being issued — the attacker finds a string that already expired, not a key to production.
Every service gets its own generated credential, so a leak from one workload exposes exactly that one workload — there is no master login that unlocks the entire fleet.
Each credential is scoped to the precise tables, buckets, or actions the policy allows. A stolen checkout credential can read orders; it can't drop your users table or mint admins.
When you find the leak, you revoke the lease tree once and every credential it ever issued dies at the source — no spreadsheet of keys to rotate, no service you forgot about still trusting the old one.
Static secrets are envelope-encrypted and sealed with unseal keys split across people you choose. No single admin — and not Bastion — can read a secret alone, and every access is in a tamper-evident log.
Every lease, renewal, and revocation is bound to a workload identity, an IP, and a timestamp, so you can answer 'what did this credential touch, and when' to a forensics team instead of guessing.
“We deleted every static database password and switched to fifteen-minute leases in a quarter. When a contractor's laptop was stolen, the credentials on it had expired before security even got the call. The incident review was one paragraph.”
“A leaked CI token used to mean rotating forty secrets by hand and praying we got them all. Now I run one revoke command, the whole lease tree dies in under a second, and I'm back in bed. That kill switch alone justified the migration.”
“Our auditors asked who can access the production database and we showed them the answer is 'nobody — credentials are minted per request and expire in minutes.' Two enterprise security reviews that used to take weeks closed in days.”
Per-secret pricing punishes you for brokering more credentials. Bastion bills for the workloads and people connecting to it: broker as many credentials, as often, and with as short a TTL as you want.
For a single team taking its first secrets dynamic.
For platform teams brokering across every service in production.
For regulated, multi-region, high-blast-radius organizations.
A storage vault keeps a long-lived secret safe and hands you the same value every time you ask. Bastion's core is a broker: for supported systems it generates a brand-new, scoped credential per request, leases it for minutes, and destroys it at the source when the lease ends. There's still an encrypted store for the static secrets you can't broker, but the goal is to broker as much as possible so there's no permanent password to protect in the first place.
Secret zero is the bootstrap problem: a service needs one initial secret to authenticate before it can fetch the rest, and that first secret usually ends up hardcoded. Bastion replaces it with workload identity — a Kubernetes service account, an AWS IAM role, a GCP identity, a SPIFFE SVID, or a CI OIDC token. The workload proves what it is using identity your platform already issues, and Bastion brokers credentials from there. Nothing to commit, nothing to leak.
Out of the box: PostgreSQL, MySQL, MongoDB, Redis, and most SQL engines; AWS, GCP, and Azure cloud credentials via STS-style sessions; RabbitMQ and Kafka users; SSH certificates; and an internal PKI that issues short-lived TLS certs. Anything else lives in the envelope-encrypted static store with versioning and per-path policy, and you can write a custom broker plugin for systems we don't ship yet.
Leases are time-bound and renewable up to a hard cap. A healthy service renews; a service that crashes, scales down, or is killed stops renewing, the TTL elapses, and the underlying credential is revoked at the source automatically. You can also revoke explicitly by lease, workload, or policy, and Bastion cascades the revocation through every child credential it issued.
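The lease lifecycle described in the features section and in this answer (a TTL, renewal clamped to a hard cap, expiry when a crashed service stops renewing, and revocation that cascades through child credentials) as a small Python model. This is an added illustration, not Bastion's code or SDK; the Broker and Lease classes, the lease and credential naming, and the 15-minute/4-hour numbers are assumptions chosen to mirror the terminal session at the top of the page.

```python
"""Toy lease-tree model: TTL, hard cap, renewal, expiry on silence, cascading revoke.
Added example; the Broker/Lease API and all names here are invented, not Bastion's."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Lease:
    lease_id: str
    workload: str
    backend: str
    credential: str            # the per-request credential the workload holds
    expires_at: float          # moves forward on each renewal
    hard_cap_at: float         # renewal can never push expires_at past this
    parent: str | None = None
    children: list[str] = field(default_factory=list)
    revoked: bool = False


class Broker:
    def __init__(self) -> None:
        self.leases: dict[str, Lease] = {}
        self.destroyed: list[str] = []   # credentials destroyed at the source (simulated)

    def alive(self, lease_id: str, now: float) -> bool:
        lease = self.leases[lease_id]
        return not lease.revoked and now < lease.expires_at

    def lease(self, workload, backend, now, ttl, hard_cap, parent=None) -> Lease:
        """Mint a fresh credential and track it as a lease; children hang off a parent."""
        if parent is not None and not self.alive(parent, now):
            raise PermissionError("parent lease is expired or revoked")
        lease = Lease(
            lease_id="lse_" + secrets.token_hex(5),
            workload=workload,
            backend=backend,
            credential=f"v-{workload}-{secrets.token_hex(4)}",  # constructed, never reused
            expires_at=now + ttl,
            hard_cap_at=now + hard_cap,
            parent=parent,
        )
        self.leases[lease.lease_id] = lease
        if parent is not None:
            self.leases[parent].children.append(lease.lease_id)
        return lease

    def renew(self, lease_id: str, now: float, ttl: float) -> float:
        """Extend a live lease by ttl, clamped to its hard cap. Returns the new expiry."""
        if not self.alive(lease_id, now):
            raise PermissionError("cannot renew an expired or revoked lease")
        lease = self.leases[lease_id]
        lease.expires_at = min(now + ttl, lease.hard_cap_at)
        return lease.expires_at

    def revoke(self, lease_id: str) -> list[str]:
        """Revoke a lease and every descendant; each credential dies at the source."""
        revoked, stack = [], [lease_id]
        while stack:
            lease = self.leases[stack.pop()]
            if not lease.revoked:
                lease.revoked = True
                self.destroyed.append(lease.credential)
                revoked.append(lease.lease_id)
            stack.extend(lease.children)
        return revoked

    def revoke_workload(self, workload: str) -> list[str]:
        """Revoke every root lease a workload holds; children follow via the cascade."""
        revoked = []
        for lease in list(self.leases.values()):
            if lease.workload == workload and lease.parent is None:
                revoked += self.revoke(lease.lease_id)
        return revoked


def demo() -> dict:
    """Walk the lifecycle with the page's numbers: 15m TTL, 4h hard cap."""
    b, ttl, cap = Broker(), 900, 4 * 3600
    db = b.lease("svc-checkout", "postgres/payments-prod", now=0, ttl=ttl, hard_cap=cap)
    b.lease("svc-checkout", "redis/cache", now=0, ttl=ttl, hard_cap=cap, parent=db.lease_id)
    b.lease("svc-checkout", "s3/assets", now=0, ttl=ttl, hard_cap=cap, parent=db.lease_id)
    # A healthy service renews every 10 minutes; expiry is clamped at the 4h cap.
    for t in range(600, cap, 600):
        b.renew(db.lease_id, now=t, ttl=ttl)
    after_cap = b.renew(db.lease_id, now=cap - 400, ttl=ttl)   # 14400, not 14900
    # A crashed service stops renewing, so its lease simply ages out.
    worker = b.lease("svc-worker", "postgres/payments-prod", now=0, ttl=ttl, hard_cap=cap)
    aged_out = not b.alive(worker.lease_id, now=ttl + 1)
    # Explicit revocation of the workload walks the tree: db login + cache + s3.
    revoked = b.revoke_workload("svc-checkout")
    live = [l.lease_id for l in b.leases.values() if b.alive(l.lease_id, now=cap - 400)]
    return {"after_cap": after_cap, "aged_out": aged_out, "revoked": len(revoked), "live": live}


if __name__ == "__main__":
    print(demo())
```

The two paths a practitioner cares about are both visible: a lease whose holder goes quiet is dead after one TTL with no broker action at all, while an explicit revoke of the workload kills the root login and every credential minted under it in a single walk.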
A broker that sat in the hot path of every request would add latency, so Bastion doesn't sit there. Clients fetch a lease once and cache it in memory, renewing ahead of expiry, so requests read their credential locally instead of calling Bastion each time. Bastion itself runs highly available with multi-region replication and automatic failover, and a brief control-plane outage degrades to 'keep using the lease you already hold' rather than taking production down.
The store is sealed at rest with unseal keys split across a quorum of people you choose and backed by your own KMS or HSM, so a stolen disk, backup or snapshot yields only envelope-encrypted blobs an attacker can't open; the root key exists only in the memory of an unsealed node, and sealing drops it. A sealed Bastion reveals nothing until your operators unseal it together, and the emergency seal command lets you freeze all issuance the instant you suspect something, after which live leases age out on their own while you investigate.
Bastion is SOC 2 Type II and ISO 27001 certified, offers a FIPS 140-2 validated mode, supports HSM-backed sealing and bring-your-own-key, and writes a tamper-evident audit log of every lease, renewal, and revocation bound to a workload identity. Regulated teams can deploy fully self-hosted or air-gapped so no secret ever leaves their perimeter.
Connect a database, broker your first fifteen-minute lease, and revoke the whole tree in one call — before this tab goes stale. No static password to store, no secret zero to leak, no sales call to start.