All of this is done for you if you set up HashiCorp Vault. In case someone doesn't know, it provides secrets as a service that allows you to store and retrieve static secrets as well as dynamic secrets. The great thing about it is that you can set up authentication from multiple sources including EC2/GCE instances, LDAP and much more. But it also allows you to generate dynamic secrets including, but not limited to, SSH certs, IAM users, AD users, SQL users and much more.
It's HashiCorp's most mature tool and should be in everyone's toolchain.
Vault requires a non-trivial amount of setup and configuration, and then you need to configure SSHD to use it. You also have to maintain the vault server, HA, yada yada. And educate people on how to use it.
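The "configure SSHD to use it" step and the SSH-cert flow mentioned above, as an added example that is not from this thread or from HashiCorp's own docs. It assumes the `vault` CLI is on PATH with `VAULT_ADDR`/`VAULT_TOKEN` set, and that the mount name `ssh-client-signer`, the role `ops-role`, the principal `ops` and the `/etc/ssh` paths are placeholders you would rename.

```shell
#!/usr/bin/env bash
# Added example (not the thread's or HashiCorp's code): Vault as an SSH user CA.
# Vault signs a user's public key with a short TTL; sshd trusts the CA key, so
# no long-lived entries ever land in authorized_keys.
set -eu

# One-time, on the Vault side: enable the SSH engine, generate a CA key pair,
# and define a role that issues user certs limited to a fixed principal set.
vault_ssh_ca_setup() {
  vault secrets enable -path=ssh-client-signer ssh
  vault write ssh-client-signer/config/ca generate_signing_key=true
  vault write ssh-client-signer/roles/ops-role \
    key_type=ca \
    allow_user_certificates=true \
    allowed_users="ubuntu,ops" \
    default_user=ops \
    default_extensions='{"permit-pty":""}' \
    ttl=30m max_ttl=1h
}

# Render the sshd_config drop-in that makes sshd accept certs signed by the CA.
# Kept as a pure function so it can be checked without a live Vault or sshd.
sshd_ca_dropin() {
  ca_path="$1"
  printf '# Managed: trust user certificates issued by the Vault SSH CA\n'
  printf 'TrustedUserCAKeys %s\n' "$ca_path"
  # Optional hardening (not emitted here): AuthorizedPrincipalsFile to map
  # cert principals to local users explicitly instead of by matching username.
}

# On each host: fetch the CA public key (unauthenticated endpoint), install it,
# validate the config, and reload sshd.
install_trusted_ca() {
  vault_addr="$1"
  ca_path="${2:-/etc/ssh/trusted-user-ca-keys.pem}"
  curl -fsS "$vault_addr/v1/ssh-client-signer/public_key" -o "$ca_path"
  chmod 0644 "$ca_path"
  sshd_ca_dropin "$ca_path" > /etc/ssh/sshd_config.d/50-vault-ca.conf
  sshd -t && systemctl reload sshd
}

# On the client: have Vault sign an existing public key. The returned cert
# carries the role's TTL and principals; inspect it with ssh-keygen -L.
sign_user_key() {
  pub="${1:-$HOME/.ssh/id_ed25519.pub}"
  vault write -field=signed_key ssh-client-signer/sign/ops-role \
    public_key=@"$pub" valid_principals=ops > "${pub%.pub}-cert.pub"
  ssh-keygen -L -f "${pub%.pub}-cert.pub"
}
```

Expiry is enforced by sshd checking the cert's validity window, so revoking access is a matter of letting the TTL lapse rather than hunting down stale keys.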
Vault truly shines in its ability to provide ephemeral credentials. It can even "package" arbitrary secrets for you, and ensure that they are only ever retrieved once.
It's a fantastic piece of software, one that more companies should be using, but it is not a push button deployment. It is borderline impossible to implement in many 'traditional' organizations.