Ensuring the security of static credentials such as passwords, tokens, and API keys is crucial for protecting digital infrastructure from intrusion and misuse, particularly for organizations delivering software at scale. Platform engineers can enhance pipeline security by using OpenID Connect (OIDC) tokens for authentication with a central secrets store, allowing for fine-grained access control through custom OIDC claims. This approach, demonstrated through connecting CircleCI pipelines to HashiCorp Vault, supports role-based access control (RBAC), adhering to the principle of least privilege by restricting access based on tasks or roles. OIDC, built on the OAuth 2.0 protocol, enables temporary access tokens, reducing the risk of exposing long-lived credentials. By implementing RBAC in CI/CD pipelines, organizations can revoke access quickly if suspicious activities are detected, minimizing the blast radius of potential security incidents. Additionally, dynamic secrets provided by Vault offer an advanced security measure by issuing ephemeral secrets that are revoked immediately after use, further securing sensitive resources. This strategy not only strengthens credential management but also enables platform engineers to empower development teams with secure, self-service workflows.