We've also felt the pain for OAuth secrets. Current mandates for us are 6 months.

Because we run on Azure / AKS, switching to federated credentials ("workload identities") with the app registrations made most of the pain go away because MS manages all the rotations (3 months) etc. If you're on managed AKS the OIDC issuer side is also automagic. And it's free. I think GCP offers something similar.

https://learn.microsoft.com/en-us/entra/workload-id/workload...