generated from coulomb/repo-seed
ARTIFACT-STORE-WP-0007 D7.4: STS temporary credential support (session token + refreshable file refs)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -169,7 +169,7 @@ consumed until that lands.

```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
status: done
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```
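Review bot: The `status: todo` to `status: done` flip in this task block carries no completion date, while the second hunk records "Completed 2026-07-02:" only in the free-text notes below the acceptance list; consider adding the date to the task block itself (alongside `priority:` and `state_hub_task_id:`) so the structured record and the prose agree without a reader having to cross-reference them.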
@@ -184,6 +184,25 @@ Acceptance:
- Verify that `artifactstore storage verify --backend s3` can run with
temporary credentials.

Completed 2026-07-02:

- Decision: in-process refresh uses per-client re-resolution of `file:` refs
(sidecar/controller rewrites the mounted files atomically); no long-lived
credential state is cached, and values never enter request bodies, events,
or config dumps.
- Config shape: `S3BackendConfig.session_token` +
`ARTIFACTSTORE_S3_SESSION_TOKEN_REF` (env:/file: ref like the existing key
refs); `S3Backend` accepts an optional `credentials_provider` returning
(access, secret, token) per client.
- Live verification against a local MinIO: the smoke's new STS leg mints
temporary credentials via `AssumeRole` for a scoped non-root user and
passes round-trip/range/multipart with the session token
(`make test-minio-local`), and the CLI ran `migrate`/`health`/`storage
verify --backend s3` with STS credentials delivered through `file:` refs —
backend health `ok` proves a live authenticated `head_bucket`.
- `make test` 112 passed / 2 skipped; targeted Ruff clean. Unit tests cover
session-token pass-through and per-client provider re-resolution.

## D7.5 - Follow-Up Workstream Routing

```task
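Review bot: The completion notes assert that credential values "never enter request bodies, events, or config dumps", but the only unit coverage listed is "session-token pass-through and per-client provider re-resolution", so the redaction claim is undocumented by a test; add a test that serializes an `S3BackendConfig` with `session_token` set (and the resolved `ARTIFACTSTORE_S3_SESSION_TOKEN_REF` value) and asserts the token does not appear in the dump or in emitted events. Relatedly, the "Decision" bullet says the sidecar rewrites mounted files atomically and that refs are re-resolved per client, but nothing here states what happens to a client whose token expires during a long multipart upload; either note that the provider is consulted again on retry, or record that mid-operation expiry is out of scope for this task.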