Federated secret management for workload instances in cloud compute platforms

US12524518B2 · US · B2

Patent metadata

Publication number: US-12524518-B2
Application number: US-202318487784-A
Country: US
Kind code: B2
Filing date: Oct 16, 2023
Priority date: Oct 16, 2023
Publication date: Jan 13, 2026
Grant date: Jan 13, 2026

Abstract

A secret management infrastructure federates with a cloud compute platform to store, issue, track, and revoke secrets issued to workload instances. A workload instance can be provisioned with a token and can present that token to the secret management infrastructure (SMI) in exchange for a credential. In addition to validating the token itself, the SMI can verify whether the workload instance is entitled to receive the credential based on a label match. The label is typically defined by the workload operator and corresponds to one or more attributes that the workload instance must possess, particularly physical, hardware, or software attributes. Preferably the SMI verifies that the workload instance matches the label (that is, that it has the necessary attributes) by consulting the control plane of the cloud compute platform, or another source independent of the workload instance, rather than trusting the instance's own assertion.

First claim

The invention claimed is:

1. A method performed by a secret management infrastructure that manages secrets for a compute platform, the method comprising: receiving, from an operator provisioning a workload instance in a cloud compute platform: a label corresponding to one or more attributes, the one or more attributes comprising any of physical, hardware or software attributes; an association between the label and a credential issued by the secret management infrastructure; receiving a request to distribute the credential to the workload instance in the compute platform; responsive to the request, identifying the label as required for access to the credential, and determining whether the workload instance matches the label by interrogating a source independent of the workload instance about at least one of: (i) the label applicable to the workload instance or (ii) the one or more attributes applicable to the workload instance; based on a determination that the workload instance matches the label, issuing the credential to the workload instance; and, based on a determination that the workload instance does not match the label, denying issuance of the credential to the workload instance.

2. The method of claim 1, wherein the request to distribute the credential is received from the workload instance.

3. The method of claim 1, wherein the request to distribute the credential includes a token previously issued by the compute platform to the workload instance during a provisioning process.

4. The method of claim 1, wherein the source independent of the workload instance comprises: a control plane of the compute platform.

5. The method of claim 4, the control plane being interrogated by the secret management infrastructure via an Application Programming Interface (API).

6. The method of claim 1, wherein the request to distribute the credential is received by an instance of a service provided by the secret management infrastructure which has been provisioned into a region in the computing platform.

7. The method of claim 1, wherein the workload instance comprises any of a virtual machine, container, node.

8. The method of claim 1, wherein the credential asserts an identity.

9. The method of claim 1, wherein the credential is issued to the workload instance, and further comprising: after receiving the credential, the workload instance sending the credential to a secret server in the secret management infrastructure to obtain a secret managed by the secret management infrastructure.

10. A secret management infrastructure that manages secrets for a compute platform, comprising one or more computers each having circuitry forming one or more processors and memory storing computer program instructions that, when executed, cause the one or more processors to cause the secret management infrastructure to: receive, from an operator provisioning a workload instance in a cloud compute platform: a label corresponding to one or more attributes, the one or more attributes comprising any of physical, hardware or software attributes; an association between the label and a credential issued by the secret management infrastructure; receive a request to distribute the credential to the workload instance in the compute platform; responsive to the request, identify the label as required for access to the credential, and determine whether the workload instance matches the label by interrogating a source independent of the workload instance about at least one of: (i) the label applicable to the workload instance or (ii) the one or more attributes applicable to the workload instance; based on a determination that the workload instance matches the label, issue the credential to the workload instance; and, based on a determination that the workload instance does not match the label, deny issuance of the credential to the workload instance.

11. The secret management infrastructure of claim 10, wherein the workload instance sends the request to distribute the credential.

12. The secret management infrastructure of claim 10, wherein the request to distribute the credential includes a token previously issued by the compute platform to the workload instance during a provisioning process.

13. The secret management infrastructure of claim 10, wherein the source independent of the workload instance comprises: a control plane of the compute platform.

14. The secret management infrastructure of claim 13, further comprising an Application Programming Interface (API) for interrogating the control plane.

15. The secret management infrastructure of claim 10, further comprising an instance of a service provided by the secret management infrastructure which has been provisioned into a region in the computing platform, the instance operable to receive the request to distribute the credential.

16. The secret management infrastructure of claim 10, wherein the workload instance comprises any of a virtual machine, container, node.

17. The secret management infrastructure of claim 10, wherein the credential asserts an identity.

18. The secret management infrastructure of claim 10, wherein the credential is issued to the workload instance, which is operable to send the credential to a secret server in the secret management infrastructure to obtain a secret managed by the secret management infrastructure.

19. A non-transitory computer readable medium holding computer program instructions for execution on one or more hardware processors in a secret management infrastructure, said instructions comprising instructions to: receive, from an operator provisioning a workload instance in a cloud compute platform: a label corresponding to one or more attributes, the one or more attributes comprising any of physical, hardware or software attributes; an association between the label and a credential issued by the secret management infrastructure; receive a request to distribute the credential to the workload instance in the compute platform; responsive to the request, identify the label as required for access to the credential, and determine whether the workload instance matches the label by interrogating a source independent of the workload instance about at least one of: (i) the label applicable to the workload instance or (ii) the one or more attributes applicable to the workload instance; based on a determination that the workload instance matches the label, issue the credential to the workload instance; and, based on a determination that the workload instance does not match the label, deny issuance of the credential to the workload instance.
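As an added illustration of the decision flow in claim 1 (with the token of claim 3 and the control plane of claim 4), the following Python simulation is example code written for this page, not the patent's or Akamai's implementation. All names, the HMAC-based token format, and the inventory data are hypothetical and constructed; the point it shows is that the SMI validates the provisioning token, then decides the label match from the control plane and ignores anything the instance says about itself.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

# Constructed key shared by the (hypothetical) platform control plane and the SMI.
PLATFORM_KEY = b"constructed-platform-provisioning-key"

@dataclass
class ControlPlane:
    """Source independent of the workload instance: the authoritative attribute inventory."""
    inventory: dict                                  # instance_id -> set of attributes
    def attributes_of(self, instance_id):
        return self.inventory.get(instance_id, set())
    def issue_token(self, instance_id):
        # Token handed to the instance at provisioning time: id plus HMAC over the id.
        return instance_id + "." + hmac.new(PLATFORM_KEY, instance_id.encode(), hashlib.sha256).hexdigest()

@dataclass
class SMI:
    control_plane: ControlPlane
    labels: dict = field(default_factory=dict)            # label -> required attribute set
    credential_labels: dict = field(default_factory=dict) # credential name -> required label

    def register(self, label, attributes, credential):
        """Operator supplies the label, its attributes, and the label/credential association."""
        self.labels[label] = set(attributes)
        self.credential_labels[credential] = label

    def request_credential(self, token, credential, claimed_attributes=None):
        """Return ('issued', credential_value) or ('denied', reason)."""
        instance_id, _, mac = token.partition(".")
        expected = hmac.new(PLATFORM_KEY, instance_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):      # step 1: the token itself must be valid
            return ("denied", "invalid token")
        label = self.credential_labels.get(credential)
        if label is None:
            return ("denied", "unknown credential")
        # Step 2: interrogate the control plane, never the instance; claimed_attributes is ignored.
        actual = self.control_plane.attributes_of(instance_id)
        if not self.labels[label] <= actual:
            return ("denied", f"instance does not match label {label!r}")
        return ("issued", f"{credential}:{instance_id}:{secrets.token_hex(8)}")

def demo():
    """Constructed scenario: one matching instance, one that only claims to match, one bad token."""
    cp = ControlPlane({"vm-1": {"region:us-east", "tpm:present"}, "vm-2": {"region:eu-west"}})
    smi = SMI(cp)
    smi.register("prod-attested", ["region:us-east", "tpm:present"], "db-reader")
    good = smi.request_credential(cp.issue_token("vm-1"), "db-reader")
    bad = smi.request_credential(cp.issue_token("vm-2"), "db-reader", claimed_attributes={"tpm:present"})
    forged = smi.request_credential("vm-1.deadbeef", "db-reader")
    return good[0], bad[0], forged[0]
```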

Assignees

Akamai Tech Inc

Classifications

  • G06F21/45 (primary): Structures or tools for the administration of authentication (CPC title)