Confidant
Confidant is Lyft's open-source secret management solution, originally released in 2015. In Lyft's engineering stack it is the canonical store of credentials used by services at runtime, backed by AWS KMS for encryption.
In LyftLearn
On the pre-migration Kubernetes / LyftLearn 1.0 stack, Confidant credentials were automatically injected at pod creation via webhooks — user ML code found credentials already present in its environment without doing any fetching.
On the post-migration SageMaker / LyftLearn Compute stack, SageMaker has no equivalent webhook mechanism. The platform team rebuilt credential injection as a container-entrypoint script that fetches Confidant credentials at job startup and exposes them in the exact shape the Kubernetes webhook produced — so user code sees an identical environment on both platforms (Source: sources/2025-11-18-lyft-lyftlearn-evolution-rethinking-ml-platform-architecture).
This is the core of the patterns/runtime-fetched-credentials-and-config pattern applied to secrets specifically.
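A sketch of the entrypoint pattern described above, added here as an illustration and not Lyft's or Confidant's own code: fetch first, validate, then exec the user command with the credentials in its environment. The payload shape, `fetch_payload`, the uppercase variable naming and the protected-name list are assumptions made for the example.

```python
import json
import os
import re
import sys

# Constructed sample. The payload shape is an assumption made for this
# example, not Confidant's documented response format.
SAMPLE_PAYLOAD = """{"credentials": [
  {"name": "feature-store",
   "credential_pairs": {"db_user": "svc_ml", "db_password": "constructed-value"}},
  {"name": "metrics", "credential_pairs": {"api_key": "constructed-key"}}
]}"""

ENV_NAME = re.compile(r"[A-Z_][A-Z0-9_]*")
# Variables that change how the child process loads code; a fetched
# secret must never be able to set them.
PROTECTED = {"PATH", "HOME", "PYTHONPATH", "LD_PRELOAD", "LD_LIBRARY_PATH"}


def build_env(payload, base_env):
    """Return a copy of base_env with one variable per credential pair."""
    env = dict(base_env)
    for cred in json.loads(payload)["credentials"]:
        for key, value in cred["credential_pairs"].items():
            name = key.upper()
            # Error messages carry the key name only, never the value.
            if not ENV_NAME.fullmatch(name):
                raise ValueError(f"invalid variable name: {key!r}")
            if name in PROTECTED or name in env:
                raise ValueError(f"refusing to override {name}")
            if not isinstance(value, str) or "\0" in value:
                raise ValueError(f"unusable value for {name}")
            env[name] = value
    return env


def fetch_payload():
    """Hypothetical fetch step; a real entrypoint would call the secret store."""
    return SAMPLE_PAYLOAD


def main(argv):
    if not argv:
        sys.exit("usage: entrypoint.py COMMAND [ARGS...]")
    # Any fetch or validation error propagates, so the job fails closed
    # instead of starting without its credentials.
    env = build_env(fetch_payload(), os.environ)
    # exec replaces this process: nothing is written to disk or logged.
    os.execvpe(argv[0], argv, env)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Because `build_env` refuses names already present in the base environment, a fetched secret cannot silently shadow a variable the platform set.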
External
- Project site: https://lyft.github.io/confidant/