// Make the bad state impossible · lesson 05

Least privilege, or the blast-radius question

When I wired a newsletter into a site recently, the service handed me a default access key that could do everything: add subscribers, send email to the whole list, change account settings, touch billing. I made a new one instead, scoped to a single capability, adding subscribers, and nothing else. That's least privilege, and the question that drives it is one you should ask of every credential, every agent, every integration: if this leaks, what's the worst it can do?

The default key could send email to my entire list and reach my billing. A key that lives in a web app's environment is more exposed than almost anything else in the system, and a key that exposed with that much power is a genuinely bad afternoon waiting to happen. The scoped key, if it leaks, can add subscribers. That's the whole downside. Same two minutes to create either one, wildly different blast radius if it ever escapes, and things escape, so you design for the escape, not the hope that it won't.

Why grant the minimum instead of the convenient?

Because permissions you grant are permissions that can be abused, misused, or leaked, and every one you didn't need is pure downside. The convenient move is to grant broad access so you never hit a wall, and it feels efficient right up until the breach, when the difference between "the attacker could add spam subscribers" and "the attacker could email your whole list and drain your account" is entirely a function of how much you handed over. Least privilege isn't paranoia. It's refusing to carry risk that buys you nothing, because the broad key does the same job as the narrow one, right up until the day it does a lot more.

Where this applies beyond keys

Everywhere something acts on your behalf. An agent gets exactly the tools it needs for its task, not the full toolbox, so a confused or compromised agent can only reach what its job required. A service account touches only its own data. A script runs with the narrowest scope that lets it work. The principle is identical across all of them: minimum permission means minimum blast radius, and blast radius is the only thing that matters once something has already gone wrong.
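As an added illustration of the newsletter-key story above and of the same gate applied to anything that acts on your behalf (an agent's toolbox, a service account), here is a small scope-gated service with a blast-radius check. This is example code written for this lesson, not the newsletter provider's API: the service, the key names, the scope strings and the sample data are all constructed. The point it makes in code is the one the lesson makes in prose: the "what can a leaked copy do?" answer is a property of the scopes you granted, computable before the key ever ships, and every denied call is something worth logging.

```python
"""Scope-gated actions plus a blast-radius check for any credential.
Added example for this lesson; the service, key names, scope strings and
sample data are constructed, not taken from any real newsletter API."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from functools import wraps


class PermissionDenied(Exception):
    """Raised when a credential lacks the scope an action requires."""


@dataclass(frozen=True)
class ApiKey:
    """A credential is just an identity plus the scopes it was granted."""
    name: str
    scopes: frozenset[str]  # e.g. {"subscribers:write"} or the catch-all {"*"}
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    def allows(self, required: str) -> bool:
        # A granted scope may be exact ("billing:write") or a glob ("*").
        return any(fnmatchcase(required, granted) for granted in self.scopes)


# action name -> scope it needs; filled in by the decorator below
REQUIRED_SCOPE: dict[str, str] = {}


def requires(scope: str):
    """Gate an action behind a scope and record every allow/deny decision."""
    def decorator(fn):
        REQUIRED_SCOPE[fn.__name__] = scope

        @wraps(fn)
        def wrapper(self, key: ApiKey, *args, **kwargs):
            if not key.allows(scope):
                self.audit.append(f"DENY key={key.name} action={fn.__name__} needs={scope}")
                raise PermissionDenied(f"{key.name} lacks {scope}")
            self.audit.append(f"ALLOW key={key.name} action={fn.__name__}")
            return fn(self, key, *args, **kwargs)
        return wrapper
    return decorator


class NewsletterService:
    """Constructed stand-in for the newsletter API from the lesson."""

    def __init__(self) -> None:
        self.subscribers: list[str] = []
        self.sent: list[str] = []
        self.audit: list[str] = []  # DENY lines are the detection signal

    @requires("subscribers:write")
    def add_subscriber(self, key: ApiKey, email: str) -> int:
        self.subscribers.append(email)
        return len(self.subscribers)

    @requires("campaigns:send")
    def send_campaign(self, key: ApiKey, subject: str) -> int:
        self.sent.append(subject)
        return len(self.subscribers)  # recipients reached

    @requires("account:write")
    def change_settings(self, key: ApiKey, **settings) -> dict:
        return dict(settings)

    @requires("billing:write")
    def update_billing(self, key: ApiKey, card_token: str) -> str:
        return f"billing updated with {card_token[:4]}..."


def blast_radius(key: ApiKey) -> list[str]:
    """Everything a leaked copy of this key could do: ask this before shipping it."""
    return sorted(action for action, scope in REQUIRED_SCOPE.items() if key.allows(scope))


# The two keys from the lesson, constructed here.
DEFAULT_KEY = ApiKey("default-full-access", frozenset({"*"}))
SIGNUP_FORM_KEY = ApiKey("site-signup-form", frozenset({"subscribers:write"}))


def leaked_key_damage(key: ApiKey, service: NewsletterService) -> dict[str, bool]:
    """Simulate someone holding a leaked `key` and trying every action once."""
    attempts = {
        "add_subscriber": lambda: service.add_subscriber(key, "spam@example.invalid"),
        "send_campaign": lambda: service.send_campaign(key, "unwanted blast"),
        "change_settings": lambda: service.change_settings(key, sender="someone-else"),
        "update_billing": lambda: service.update_billing(key, "tok_constructed"),
    }
    outcome: dict[str, bool] = {}
    for action, attempt in attempts.items():
        try:
            attempt()
            outcome[action] = True
        except PermissionDenied:
            outcome[action] = False
    return outcome


if __name__ == "__main__":
    svc = NewsletterService()
    for key in (DEFAULT_KEY, SIGNUP_FORM_KEY):
        print(key.name, "can reach:", blast_radius(key))
        print("  if leaked:", leaked_key_damage(key, svc))
    print("\n".join(svc.audit))
```

Two design choices carry the lesson. `blast_radius` is a pure function of the key's scopes, so you can review it in code review before the key exists, and a scope set of `{"*"}` shows up immediately as "everything". The gate also writes a `DENY` line for every refused call, which is what you want to alert on: a scoped key being asked to send a campaign or touch billing is a leak announcing itself.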

The takeaway: grant the least privilege that does the job, because every permission is a liability if it leaks, and the whole difference between a shrug and a disaster is how much you handed over before it did.