Secret management infrastructure with audits and credential upgrades

The invention claimed is: 1 . A method performed by a secret management infrastructure that manages secrets for a cloud compute platform, the method comprising: at least one software component providing an application programming interface (API) to a workload instance in a cloud compute platform, the at least one software component: (i) receiving an authentication request from the workload instance via the API, (ii) responsive to the authentication request, authenticating the workload instance, (iii) upon successful authentication of the workload instance, providing the workload instance with an initial credential; subsequent to providing the workload instance with the initial credential, the at least one software component authorizing the workload instance for an elevated credential, at least by: (iv) receiving from the workload instance a request for the elevated credential, the request including the initial credential, (v) based on a determination that the workload instance has successfully passed an audit, providing the elevated credential to the workload instance, the audit being performed by audit software communicating with the workload instance over a network; wherein the elevated credential enables the workload instance to have additional access within the cloud compute platform as compared to the initial credential. 2 . The method of claim 1 , further comprising: receiving the initial credential from the workload instance in a request for a secret; and, providing the secret to the workload instance. 3 . The method of claim 2 , wherein the secret comprises a cryptographic key used by the workload instance to complete the audit. 4 . The method of claim 2 , wherein the secret comprises a cryptographic key used by the workload instance to create or read an encrypted file system. 5 . The method of claim 1 , wherein the authorization process further comprises: authenticating the request from the workload instance for the elevated credential, based on the initial credential. 6 . The method of claim 1 , wherein determining whether a workload instance has successfully passed the audit comprises: the audit software performing the audit at least by: examining a file system associated with the workload instance to detect at least one of: (a) unexpected changes to system binaries and (b) unexpected modules loaded in an operating system associated with the workload instance. 7 . The method of claim 1 , where the elevated credential comprises the initial credential with an additional claim. 8 . The method of claim 1 , wherein the initial credential enables the workload instance to access secrets from the secret management infrastructure, and the elevated credential enables the workload instance to access at least one additional secret in addition to the secrets from the secret management infrastructure. 9 . The method of claim 1 , further comprising: registering the workload instance for the audit; auditing the workload instance, the audit comprising: communicating with the workload instance; and, wherein those communications received from the workload instance are authenticated by a presence of the initial credential. 10 . The method of claim 1 , wherein the additional access comprises any of: access to an additional secret, and access to an additional service. 11 . A secret management infrastructure that manages secrets for a cloud compute platform, comprising one or more computers each having circuitry forming one or more processors and memory storing computer program instructions for execution on the one or more processors to cause the secret management infrastructure to: execute at least one software component providing an application programming interface (API) to a workload instance in a cloud compute platform. the at least one software component: (i) receiving an authentication request from the workload instance via the API. (ii) responsive to the authentication request, authenticate the workload instance, (iii) upon successful authentication of the workload instance, provide the workload instance with an initial credential; subsequent to providing the workload instance with the initial credential, execute the at least one software component to authorize the workload instance for an elevated credential, the authorization comprising: (iv) receive from the workload instance a request for the elevated credential, the request including the initial credential, (v) based on a determination that the workload instance has successfully passed an audit, provide the elevated credential to the workload instance, the audit being performed by audit software communicating with the workload instance over a network; wherein the elevated credential enables the workload instance to have additional access within the cloud compute platform as compared to the initial credential. 12 . The secret management infrastructure of claim 11 , wherein the additional access comprises any of: access to an additional secret, and access to an additional service. 13 . A non-transitory computer readable medium holding computer program instructions for execution on one or more hardware processors, said instructions comprising instructions to: execute at least one software component providing an application programming interface (API) to a workload instance in a cloud compute platform. the at least one software component: (i) receiving an authentication request from the workload instance via the API, (ii) responsive to the authentication request, authenticate the workload instance; (iii) upon successful authentication of the workload instance, provide the workload instance with an initial credential, subsequent to providing the workload instance with the initial credential, execute the at least one software component to authorize the workload instance for an elevated credential, the authorization comprising: (iv) receive from the workload instance a request for the elevated credential, the request including the initial credential, (v) based on a determination that the workload instance has successfully passed an audit, provide the elevated credential to the workload instance, the audit being performed by audit software communicating with the workload instance over a network; wherein the elevated credential enables the workload instance to have additional access within the cloud compute platform as compared to the initial credential. 14 . The non-transitory computer readable medium of claim 13 , wherein the additional access comprises any of: access to an additional secret, and access to an additional service.