Yeah you do, but you compartmentalize that with your orchestration (hence strong ops). With HashiCorp Nomad, for example, you might set up a parameterized job. When Nomad receives a job to do X for customer Y, it allocates a container with a short-lived token. Nomad is the system with the longer-lived token that lets it generate short-lived tokens for short-lived workloads, which are themselves containerized to add a layer of security in case of a compromise. And so on.
Abstract that a little bit: the system that generates the short-lived token ideally would not be the same as the system that is using it.
I have the feeling that damage control is the only option:
1) Secrets store is on different credentials
2) Decryption key is only known outside of secrets storage
3) There is a maximum number of different credentials that can be queried per day (adjustable over time)
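As an added illustration of the two ideas above (it is example code written for this page, not Nomad, Vault or any commenter's code): an orchestrator holding one long-lived signing key mints short-lived tokens scoped to a single job and customer; the containerized workload only ever receives that token; and the secrets store checks signature, expiry and scope, then applies the per-day cap on distinct credentials from item 3 of the damage-control list. The HMAC-over-JSON token format, the shared verification key, the customer and credential names, and the time values are all assumptions made for the demo; a real deployment would use the store's own token mechanism (as Nomad does with Vault) or asymmetric signatures so the store never holds the minting key.

```python
"""Toy model of orchestrator-minted short-lived tokens with a daily cap.
Added example for this discussion; not code from Nomad or Vault."""
import base64
import hashlib
import hmac
import json
from collections import defaultdict


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Orchestrator:
    """Plays the Nomad role: holds the long-lived signing key and mints
    short-lived, job-scoped tokens. It never runs the job itself."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key  # long-lived credential; only this process sees it

    def mint(self, job_id: str, customer: str, ttl_s: int, now: float) -> str:
        claims = {"customer": customer, "exp": now + ttl_s, "job": job_id}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{tag}"


class SecretsStore:
    """Verifies tokens (key assumed shared out of band for this demo), then
    enforces scope, expiry and a per-day cap on distinct credentials served."""

    def __init__(self, signing_key: bytes, secrets: dict, daily_cap: int) -> None:
        self._key = signing_key
        self._secrets = secrets
        self._daily_cap = daily_cap
        self._served = defaultdict(set)  # day number -> credential names served

    def fetch(self, token: str, customer: str, now: float) -> str:
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if claims["customer"] != customer:
            raise PermissionError("token not scoped to this customer")
        today = self._served[int(now // 86400)]
        if customer not in today and len(today) >= self._daily_cap:
            raise PermissionError("daily distinct-credential cap reached")
        today.add(customer)
        return self._secrets[customer]


def run_job(store: SecretsStore, token: str, customer: str, now: float) -> str:
    """The containerized workload: it holds only the short-lived token,
    never the signing key, and can reach only the credential in its scope."""
    return store.fetch(token, customer, now)


def demo() -> dict:
    """Constructed scenario; returns the outcome of each access attempt."""
    key = b"long-lived-orchestrator-key"  # constructed value for the demo
    secrets = {"acme": "acme-api-key", "globex": "globex-api-key",
               "initech": "initech-api-key"}  # constructed sample credentials
    orch = Orchestrator(key)
    store = SecretsStore(key, secrets, daily_cap=2)
    t0 = 1_700_000_000.0  # arbitrary fixed clock so the run is deterministic
    out = {}

    def attempt(label, token, customer, when):
        try:
            out[label] = run_job(store, token, customer, when)
        except PermissionError as exc:
            out[label] = f"denied: {exc}"

    acme_tok = orch.mint("job-1", "acme", ttl_s=300, now=t0)
    attempt("scoped_ok", acme_tok, "acme", t0 + 10)
    attempt("cross_customer", acme_tok, "globex", t0 + 10)   # wrong scope
    attempt("expired", acme_tok, "acme", t0 + 301)           # past ttl
    # A compromised workload tries to rescope its own token to another customer
    _, _, tag = acme_tok.rpartition(".")
    forged_body = _b64(json.dumps(
        {"customer": "globex", "exp": t0 + 300, "job": "job-1"}, sort_keys=True).encode())
    attempt("forged_scope", forged_body + "." + tag, "globex", t0 + 10)
    attempt("second_customer", orch.mint("job-2", "globex", 300, t0), "globex", t0 + 20)
    attempt("cap_hit", orch.mint("job-3", "initech", 300, t0), "initech", t0 + 30)
    attempt("cap_next_day", orch.mint("job-4", "initech", 300, t0 + 86400),
            "initech", t0 + 86400 + 5)
    return out
```

The point of the split is visible in `run_job`: a compromised container can leak its token and nothing else, and that token buys one customer's credential for a few minutes. The daily cap then bounds how many distinct credentials any stream of valid tokens can pull out of the store, which is exactly the damage-control posture the list above describes.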