The proposed fix for JENKINS-49235 will cause credential tracking information for cloud agents to be removed as soon as the ephemeral agent is destroyed, making the tracking nearly useless for those agents.

We should track credentials used by ephemeral agents against the cloud that launched them rather than against the agent itself. Unfortunately, there does not currently seem to be a way to associate an agent with the cloud that launched it. The best option that I am aware of is the following:

public static Set<Cloud> getCloudsForNode(Node node) {
    return node.getAssignedLabels().stream()
        .flatMap(l -> l.getClouds().stream())
        .collect(Collectors.toSet());
}

However, if there are multiple clouds that launch for the same label, there is no way to distinguish which one actually launched the node (not counting any plugin-specific code such as EC2AbstractSlave.java#getCloud). Changing that would require a new API in core.

I think it would be better to get precise tracking by implementing a new core API than approximate tracking using the above method, but I do not have a strong opinion.