Source Summary: Zero Credentials on Disk

Source Identity

  • title: Zero Credentials on Disk: Rewriting TazPod with AWS IAM Identity Center
  • type: blog post
  • path: blog-src/content/posts/tazpod-zero-credentials-aws-sso/index.md
  • date published: 2026-03-22

Scope

Implementation chronicle of the TazPod migration away from Infisical toward AWS IAM Identity Center and S3-backed vault recovery.

Key Points

  • TazPod removed the old Infisical integration outright rather than keeping compatibility leftovers.
  • The operator secret model moved to AWS SSO plus S3-backed encrypted vault recovery.
  • ~/.aws handling required careful separation between workspace symlink behavior and vault bind-mount behavior.
  • The resulting model is explicitly built around zero long-lived credentials on disk in the runtime image.

Notable Claims

  • Design integrity required total removal of the superseded secret-management code instead of partial deprecation.
  • The durable bootstrap anchor is the encrypted vault object in S3, not static credentials in the image or repository.

Affected Wiki Pages

Open Questions

  • Which additional TazPod milestone posts should be summarized next to complete the operator-environment narrative?