lemagedurage 2 days ago

That works on a single persistent box, but unfortunately, that means giving up on autoscaling, which is not so nice for cloud applications.

otabdeveloper4 2 days ago | parent [-]

You can proxy the UNIX socket to a network server if you want to. You can even use SSL encryption at all times too.

lmz 2 days ago | parent [-]

Once it's networked you lose the "whitelist of systemd services" and it's then no different from any networked secret store.

otabdeveloper4 a day ago | parent [-]

No, this is a solved problem: https://spiffe.io/

You can do service attestation securely, even for networked services.