In a zero-trust environment, how do you establish trusted identity for service-to-service calls without sharing long-lived secrets between services?

technical-conceptual · Mid level · cloud-devops-security

What the interviewer is really asking

Tests whether the candidate can extend zero trust to workload (machine) identity using cryptographic, short-lived, attested identities and mTLS, rather than passing API keys around.

What to say

What to avoid

Example answers

Strong: Each workload gets its own cryptographic identity instead of a shared key. With SPIFFE/SPIRE the agent attests the workload and issues a short-lived SVID, and services talk over mTLS where both ends validate the peer's identity against the trust bundle. Because the certs are short-lived and rotated there's no durable secret to steal, and I still enforce which identity may call which service through authorization policy, not just a valid cert.

Weak: Each service gets an API key stored in the secrets manager and passes it in a header, and we rotate the keys periodically. They're all inside the VPC so traffic between them is trusted anyway.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.