# Least Privilege and Key Rotation
Credential scope should match backup intent, not full cloud account administration.
## Permission Scope Design
| Dataset role | Required rights |
|---|---|
| Append-only archive | List + write |
| Mirror sync path | List + write + delete |
| Verification-only account | Read/list only |
## Rotation Policy Template

- Create new key with same scoped policy.
- Update remote config in staging.
- Run smoke tests (lsd, small copy).
- Deploy to production jobs.
- Revoke old key.
## Mapping

`post-rotation-smoke-test.sh`:

```sh
#!/bin/sh
set -e  # stop at the first failing step so a broken key is never reported as healthy
rclone lsd remote-prod:                                # list
rclone copy /tmp/health.txt remote-prod:healthcheck/   # write
rclone delete remote-prod:healthcheck/health.txt       # delete
```
> Info: Key rotation is not just security hygiene. It validates whether your runbooks actually work.
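A scope-aware variant of the smoke test, added here as an example rather than taken from the page: it runs the same list / write / delete probes, but then checks the observed rights against the dataset role from the Permission Scope Design table, so a rotated key that silently gained delete rights fails the test instead of passing it. `rclone copyto` and `rclone deletefile` are real subcommands; the remote name, the `RCLONE` override variable and the role names are assumptions.

```sh
#!/bin/sh
# Scope-aware post-rotation smoke test (added example, not the page's script).
# Rights expected per dataset role (from the Permission Scope Design table):
#   archive  list + write, delete must be DENIED
#   mirror   list + write + delete
#   verify   read/list only, write must be DENIED
# RCLONE may be overridden with a stub for offline testing (assumption);
# REMOTE is an rclone remote such as "remote-prod:" (assumed name).
RCLONE="${RCLONE:-rclone}"

# probe SUBCOMMAND ARGS... : run rclone quietly, return its exit status
probe() {
  "$RCLONE" "$@" >/dev/null 2>&1
}

# check_scope REMOTE ROLE : returns 0 when observed rights match ROLE, else 1
# Note: for the archive role a successful write with a denied delete leaves
# the probe object behind; remove it later with a key that may delete.
check_scope() {
  remote="$1"; role="$2"
  path="${remote}healthcheck/rotation-probe-$$.txt"
  tmp=$(mktemp) || return 1
  printf 'rotation probe\n' > "$tmp"
  probe lsd "$remote" && list_ok=1 || list_ok=0
  probe copyto "$tmp" "$path" && write_ok=1 || write_ok=0
  probe deletefile "$path" && delete_ok=1 || delete_ok=0
  rm -f "$tmp"
  [ "$list_ok" -eq 1 ] || { echo "FAIL: listing denied on $remote"; return 1; }
  case "$role" in
    archive) [ "$write_ok" -eq 1 ] && [ "$delete_ok" -eq 0 ] ;;
    mirror)  [ "$write_ok" -eq 1 ] && [ "$delete_ok" -eq 1 ] ;;
    verify)  [ "$write_ok" -eq 0 ] ;;
    *) echo "unknown role: $role"; return 1 ;;
  esac
}

# Usage: ./scope-smoke-test.sh remote-prod: archive
if [ $# -ge 2 ]; then
  if check_scope "$1" "$2"; then
    echo "PASS: $1 matches role $2"
  else
    echo "FAIL: $1 does not match role $2 (write=$write_ok delete=$delete_ok)"
    exit 1
  fi
fi
```

Run it once per key in staging before promoting, with the role the key was issued for; a PASS for `mirror` on a key meant for `archive` is exactly the privilege creep the audit table warns about.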
## Audit Signals
| Signal | What to watch |
|---|---|
| Unexpected delete API calls | Potential privilege creep |
| Failed auth after rotation | Incomplete rollout |
| Jobs still using old key | Automation drift |
## Common Pitfalls
| Pitfall | Consequence | Prevention |
|---|---|---|
| Rotating without staged validation | Production outage | Stage then promote |
| One key shared across all jobs | High blast radius | Split keys by domain |
| No revocation step | Dormant active credentials | Finalize with explicit revoke checklist |