For all long-lived credentials within our company, we force rotation. There are existing processes for this. As of today, meshStack API Keys are long-lived and there is no programmatic way to rotate credentials. This prohibits us from enabling API Keys for our meshStack.
The easiest way for meshStack to satisfy our existing governance requirements is hooking into our existing processes. That means, for identities (either from workload identity pools or humans using their AAD/GCD identities) we would need a way to authenticate as those identities and assign them short-lived access tokens for the meshStack API.
One way of doing it would be token exchange as defined in RFC 8693 (https://www.rfc-editor.org/rfc/rfc8693).
For Terraform users, the Terraform provider could do the token exchange, get a short-lived API token and then use it with the API.
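
The RFC 8693 exchange proposed above, shown from the client side as an added example (not part of the original request, and not meshStack or Terraform provider code): it builds the token-exchange request body and validates the response, rejecting any token that is not provably short-lived. The audience URL, the 3600-second ceiling and all sample tokens are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
MAX_LIFETIME_S = 3600  # assumed policy ceiling for "short-lived"; not from the post


def build_exchange_request(subject_token: str, audience: str) -> str:
    """Form-encoded body for the token endpoint (RFC 8693 section 2.1)."""
    return urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,          # IdP-issued identity token
        "subject_token_type": ID_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                    # hypothetical API identifier
    })


def parse_exchange_response(body: str, max_lifetime_s: int = MAX_LIFETIME_S) -> dict:
    """Validate a token response (RFC 8693 section 2.2) and enforce the cap."""
    data = json.loads(body)
    if "error" in data:  # RFC 6749 section 5.2 error object
        raise ValueError(f"exchange refused: {data['error']}")
    for field in ("access_token", "issued_token_type", "token_type"):
        if not data.get(field):
            raise ValueError(f"missing required field: {field}")
    if data["issued_token_type"] != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected issued_token_type")
    # expires_in is only RECOMMENDED by the RFC; treat its absence as long-lived.
    expires_in = data.get("expires_in")
    if type(expires_in) is not int or not 0 < expires_in <= max_lifetime_s:
        raise ValueError("token lifetime missing or above policy ceiling")
    return {"token": data["access_token"], "expires_in": expires_in}


# Constructed sample values: a placeholder subject token and two responses.
SAMPLE_SUBJECT_TOKEN = "constructed.idtoken.placeholder"
SAMPLE_OK = json.dumps({"access_token": "constructed-short-lived-token",
                        "issued_token_type": ACCESS_TOKEN_TYPE,
                        "token_type": "Bearer", "expires_in": 900})
SAMPLE_NO_EXPIRY = json.dumps({"access_token": "constructed-token",
                               "issued_token_type": ACCESS_TOKEN_TYPE,
                               "token_type": "Bearer"})

if __name__ == "__main__":
    print(build_exchange_request(SAMPLE_SUBJECT_TOKEN, "https://meshstack.example/api"))
    print(parse_exchange_response(SAMPLE_OK))
```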