All posts
June 22, 20263 min read

Computer Use and Secrets Management: What to Know

An offboarded contractor still has a private SSH key saved in the "Downloads" folder of a shared workstation. The key can be used by anyone who logs into that machine, and the same credential appears in multiple CI pipelines because the team copied it into a repository for convenience. When a new developer joins, the same repository is cloned, spreading the secret further. The organization believes it has "secrets management" because it stores keys in a vault, yet the vault is never consulted du

Free White Paper

K8s Secrets Management + Application-to-Application Password Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An offboarded contractor still has a private SSH key saved in the "Downloads" folder of a shared workstation. The key can be used by anyone who logs into that machine, and the same credential appears in multiple CI pipelines because the team copied it into a repository for convenience. When a new developer joins, the same repository is cloned, spreading the secret further. The organization believes it has "secrets management" because it stores keys in a vault, yet the vault is never consulted during day‑to‑day computer use. The result is a landscape where secrets roam freely on desktops, in CI logs, and in temporary files, all outside any control or audit.

Why the current approach falls short

In the real world, most engineers reach for a credential directly from their terminal or from a script. The setup, identity providers, OIDC tokens, service accounts, and role bindings, determines who can request a connection, but it does not inspect the traffic that carries the secret. Without a gate in the data path, the following gaps remain:

  • Plain‑text passwords or API keys can be echoed in command history.
  • Automated jobs can reuse the same secret across environments, creating a single point of failure.
  • There is no replay‑proof record of which user actually issued a command that accessed a database or server.
  • Sensitive fields returned by a service (for example, credit‑card numbers in a query result) are sent back to the client unchanged.

These gaps exist even when the organization has a vault, role‑based access control, and MFA. The enforcement mechanisms, masking, approval, session recording, must sit where the request and response travel, not merely at the authentication layer.

What a true secrets‑management gateway must provide

The missing piece is a layer‑7 proxy that sits between the identity system and the target infrastructure. This gateway becomes the sole point where every request is inspected, and where the following enforcement outcomes are applied:

  • Inline data masking, sensitive fields are redacted before they leave the target.
  • Just‑in‑time (JIT) access, the gateway grants a short‑lived credential only for the duration of the approved session.
  • Approval workflows, risky commands are routed to a human approver before execution.
  • Session recording and replay, each interaction is captured for later audit.

All of these outcomes rely on the gateway being the data path. If the gateway were removed, none of the above would happen, even though the identity setup remains unchanged.

Continue reading? Get the full guide.

K8s Secrets Management + Application-to-Application Password Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Introducing hoop.dev as the data‑path solution

hoop.dev implements exactly this architecture. It runs a network‑resident agent next to the resource (database, SSH host, Kubernetes cluster) and proxies every connection. The gateway validates the user’s OIDC token, extracts group membership, and then enforces the policies described above. Because hoop.dev sits in the data path, it can mask credit‑card numbers returned from a PostgreSQL query, block a destructive "DROP DATABASE" command until an approver signs off, and record the entire session for later review. The agent never sees the raw secret; hoop.dev presents a short‑lived credential to the target on behalf of the user.

How to get started

Begin with the getting‑started guide to deploy the gateway in your environment. The documentation walks through connecting a PostgreSQL instance, configuring OIDC authentication, and defining masking rules for columns that contain personal data. For a deeper dive into policy configuration, see the learn section, which covers approval workflows, JIT access lifetimes, and session replay tools.

FAQ

Does hoop.dev replace my existing vault?

No. The vault continues to store long‑term credentials. hoop.dev only requests short‑lived credentials from the vault when a user initiates a session, keeping the secret out of the user’s workstation.

Can I use hoop.dev with existing CI pipelines?

Yes. CI jobs can authenticate via OIDC and then route their database or SSH calls through the gateway. The same masking and audit rules apply, giving you visibility into automated access.

Is the solution open source?

Absolutely. The code is available on GitHub, and you can inspect or extend it to fit custom compliance needs.

Explore the open‑source repository on GitHub for installation instructions, contribution guidelines, and community support.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot