US2016357955A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016357955-A1 |
| Application number | US-201615238639-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 16, 2016 |
| Priority date | Oct 27, 2014 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Official abstract text for this publication.
A system and method for a credentials agent that automatically rotates and stores security credentials to be used at least in part to authenticate calling applications with a computing resource service provider. Upon determining that a first set of credentials are due to be rotated, the credentials agent may obtain a second set of credentials and store the second set of credentials in a data store. The credentials agent may give notice to a calling application that the first set of credentials is due to be rotated, whereupon the calling application may obtain the second set of credentials and be authenticated to access a resource of the computing resource service provider at least in part by providing the second set of credentials. The authorization system provides visualizations and alerts to administrators of unexpected states that may be caused by misconfigured applications or malicious users.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: under the control of one or more computer systems that execute instructions, determining, based at least in part on a credential rotation policy, to rotate a first set of credentials to be used at least in part by a computing resource service provider to authenticate calls received from a set of calling applications, wherein access to a resource of the computing resource service provider by the set of calling applications involves authenticating the calls received from the set of calling applications; and rotating the first set of credentials by: obtaining a second set of credentials to be used at least in part to authenticate the calls received from the set of calling applications; providing information sufficient to prove access to the second set of credentials to a service of the computing resource service provider; storing the second set of credentials in a credential store hosted by the one or more computer systems; notifying the set of calling applications of the second set of credentials; determining, based at least in part on a usage level of the first set of credentials, to deactivate the first set of credentials; and causing the first set of credentials to be deactivated.
2. The computer-implemented method of claim 1, wherein the set of calling applications is a set of instances of an application, and wherein the set of instances are executing on one or more host computer systems of a distributed computing system.
3. The computer-implemented method of claim 1, wherein the method further comprises: receiving, from a calling application of the set of calling applications, a request for data, wherein the request includes, at least in part, proof of possession of the first set of credentials as authentication for the request; and receiving a response from the service of the computing resource service provider that includes the data requested together with information, based at least in part on the credential rotation policy, that indicates that the first set of credentials are due to be rotated.
4. The computer-implemented method of claim 1, wherein the credential rotation policy is a first credential rotation policy, the set of calling applications is a first set of calling applications, the resource of the computing resource service provider is a first resource of the computing resource service provider, and the method further comprises: determining, based at least in part on a second credential rotation policy, to rotate a third set of credentials for a second set of calling applications, different than the first set of calling applications; rotating the third set of credentials by: obtaining a fourth set of credentials to be used at least in part to authenticate calls received from the second set of calling applications; providing information sufficient to prove access to the fourth set of credentials to the service of the computing resource service provider; storing the fourth set of credentials in the credential store; and notifying the second set of calling applications of the fourth set of credentials; and determining, based at least in part on a usage level of the third set of credentials, to deactivate the third set of credentials.
5. The computer-implemented method of claim 1, wherein determining to deactivate the first set of credentials further comprises: monitoring the usage level of the first set of credentials for a determined time period before deactivating the first set of credentials; and notifying designated security personnel that the usage level of the first set of credentials is in an unexpected state after the time period.
6. The computer-implemented method of claim 5, wherein the unexpected state indicates one of a misconfigured application or an unauthorized entity using the first set of credentials.
7. A system, comprising: one or more processors; and memory including instructions that, as a result of execution by the one or more processors, cause the system to: track a first usage level of a first set of credentials; determine, based at least in part on a credential rotation policy, to rotate the first set of credentials; generate a second set of credentials to be used at least in part to authenticate a request received from a calling application; notify the calling application of the second set of credentials; store the second set of credentials in a data store; track a second usage level of the second set of credentials; and generate a visualization of the first usage level and the second usage level over time.
8. The system of claim 7, wherein the memory further includes instructions that cause the system to: determine, based at least in part on a usage level of the first set of credentials, to deactivate the first set of credentials; and cause the first set of credentials to be deactivated by denying authentication of requests that are accompanied by proof of possession of the first set of credentials.
9. The system of claim 7, wherein the instructions that generate the visualization further include instructions that cause the system to generate the visualization to graphically display an unexpected state if the first usage level remains above a preconfigured threshold for a certain amount of time.
10. The system of claim 7, wherein the memory further includes instructions that cause the system to: track information that identifies: one or more services being called by one or more applications making application programming interface calls providing proof of possession of the first set of credentials or proof of possession of the second set of credentials for authentication; and descriptive information for identifying origins of the application programming interface calls providing the proof of possession of the first set of credentials or providing the proof of possession of the second set of credentials for authentication; and generate a visualization that maps the first set of credentials and the second set of credentials to the one or more services identified and the descriptive identifying information.
11. The system of claim 7, wherein the memory further includes instructions that cause the system to: determine that the first usage level is in an unexpected state; and send an alert to network security personnel about the unexpected state of the first usage level.
12. The system of claim 7, wherein: the credential rotation policy specifies conditions that cause credential rotation to trigger; and the credential rotation can be triggered: according to a timer, as a result of the credentials being used for a certain number of authentication calls, according to a stochastic randomization scheme, as a result of a rate of authentication calls dropping below a threshold, or on demand by an authentication system of a computing resource service provider.
13. The system of claim 7, wherein the instructions that generate the second set of credentials are performed by a credentials agent executing in association with the calling application and the second set of credentials are transmitted to a service of a computing resource service provider by the credentials agent.
14. The system of claim 7, wherein the calling application is one of a plurality of calling applications and the second set of credentials is usable at least in part to authenticate a request received from any of the plurality of calling applications.
15. The system of claim 14, wherein: the plurality of calling application
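The abstract and claims 1, 5 to 9 and 12 describe one control loop: a policy decides when to rotate, a second credential is issued and stored, callers are told about it, usage of the old credential is watched for a drain period, and the old credential is then either deactivated (usage dropped to the threshold) or flagged as an unexpected state (something still presents it, so either a misconfigured instance or an unauthorized holder). The following Python is an added example written for this page, not code from the patent or its assignee; every class, method, field name and the constructed three-instance scenario are assumptions made to illustrate that loop, and the "credential store", "service" and "notification" are all collapsed into one in-process object.

```python
"""Added example (not from the patent): toy credentials agent implementing
rotate -> notify -> drain -> deactivate-or-alert. All names are illustrative."""
from __future__ import annotations

import secrets
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class RotationPolicy:
    max_age: int = 3600        # timer trigger, seconds (claim 12)
    max_calls: int = 10_000    # call-count trigger (claim 12)
    drain_window: int = 600    # seconds the old credential may stay active after rotation (claim 5)
    drain_threshold: int = 0   # old-credential calls during the window that still count as "drained"


@dataclass
class Credential:
    key_id: str
    secret: str
    created: int
    active: bool = True
    calls: list = field(default_factory=list)   # (timestamp, service, origin) per accepted call


class CredentialsAgent:
    """Issues, stores and retires a credential shared by a set of calling applications."""

    def __init__(self, policy: RotationPolicy, now: int) -> None:
        self.policy = policy
        self.store: dict[str, Credential] = {}         # the "credential store"
        self.current = self._issue(now)
        self.previous: Credential | None = None
        self.rotated_at: int | None = None
        self.alerts: list[str] = []                    # messages for security personnel

    def _issue(self, now: int) -> Credential:
        cred = Credential("AKID" + secrets.token_hex(4), secrets.token_urlsafe(32), now)
        self.store[cred.key_id] = cred
        return cred

    def authenticate(self, key_id: str, secret: str, service: str, origin: str, now: int) -> bool:
        """Service side: accept a call only for an active, matching credential (claim 8)."""
        cred = self.store.get(key_id)
        if cred is None or not cred.active or not secrets.compare_digest(cred.secret, secret):
            return False
        cred.calls.append((now, service, origin))     # usage tracking (claims 7 and 10)
        return True

    def rotation_due(self, now: int) -> bool:
        return (now - self.current.created >= self.policy.max_age
                or len(self.current.calls) >= self.policy.max_calls)

    def rotate(self, now: int) -> Credential:
        """Obtain the second set, keep the first active, and hand the new one to callers."""
        self.previous, self.current = self.current, self._issue(now)
        self.rotated_at = now
        return self.current      # the "notification" in this toy is the return value

    def tick(self, now: int) -> str | None:
        """Periodic check after the drain window: 'deactivated', 'unexpected' or None."""
        if self.previous is None or not self.previous.active or self.rotated_at is None:
            return None
        if now - self.rotated_at < self.policy.drain_window:
            return None
        still_used = sum(1 for ts, _, _ in self.previous.calls if ts >= self.rotated_at)
        if still_used <= self.policy.drain_threshold:
            self.previous.active = False              # claim 1: deactivate on low usage
            return "deactivated"
        origins = sorted({o for ts, _, o in self.previous.calls if ts >= self.rotated_at})
        self.alerts.append(f"{self.previous.key_id} still used {still_used}x after rotation by {origins}")
        return "unexpected"                           # claims 5, 6, 11: alert, do not deactivate

    def usage_map(self) -> dict[str, Counter]:
        """Claim 10 style view: key_id -> Counter of (service, origin)."""
        return {k: Counter((s, o) for _, s, o in c.calls) for k, c in self.store.items()}


def simulate(laggard: bool) -> dict:
    """Constructed scenario: three app instances; with laggard=True, app-2 never picks up the new key."""
    agent = CredentialsAgent(RotationPolicy(max_age=100, drain_window=50), now=0)
    old = agent.current
    apps = {f"app-{i}": old for i in range(3)}
    for t in range(0, 100, 10):                       # traffic before rotation
        for name, cred in apps.items():
            agent.authenticate(cred.key_id, cred.secret, "storage", name, t)
    new = agent.rotate(100) if agent.rotation_due(100) else old
    for name in apps:                                 # instances pick up the notification
        if not (laggard and name == "app-2"):
            apps[name] = new
    for t in range(100, 150, 10):                     # traffic during the drain window
        for name, cred in apps.items():
            agent.authenticate(cred.key_id, cred.secret, "storage", name, t)
    outcome = agent.tick(150)
    old_map = agent.usage_map()[old.key_id]
    probe = agent.authenticate(old.key_id, old.secret, "storage", "app-2", 151)
    return {"outcome": outcome, "old_active": old.active, "old_auth_ok": probe,
            "alerts": len(agent.alerts), "old_app2_calls": old_map[("storage", "app-2")]}


if __name__ == "__main__":
    print(simulate(laggard=False))
    print(simulate(laggard=True))
```

The design point worth noticing is in `tick`: when the old credential is still in use after the drain window the agent alerts but leaves it active, because deactivating on a hard timer is exactly what breaks a misconfigured instance in production, while an attacker holding the old key shows up as an origin that is not in the notified set. `drain_threshold` is the "preconfigured threshold" of claim 9; raising it above zero tolerates a trickle of retried calls at the cost of letting a low-volume unauthorized holder go unnoticed.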