ARTIFACT-STORE-WP-0007 D7.4: STS temporary credential support (session token + refreshable file refs)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 11:23:44 +02:00
parent 68a5ff0ba2
commit 8fbce69475
8 changed files with 170 additions and 14 deletions

@@ -169,7 +169,7 @@ consumed until that lands.
```task
id: ARTIFACT-STORE-WP-0007-T004
status: todo
status: done
priority: medium
state_hub_task_id: "9b80057a-d86e-4f14-9d14-928ee29f970d"
```
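Review bot: the `status: done` flip in this task block carries no completion date and no pointer to the evidence that closed the acceptance items; the `Completed 2026-07-02:` record sits in a separate hunk further down, so a reader of the task block alone cannot tell when or how `ARTIFACT-STORE-WP-0007-T004` was satisfied. Consider recording the completion date alongside `status: done`, in whatever field the task schema provides, so the block is self-describing when it is rendered or queried by `state_hub_task_id`.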
@@ -184,6 +184,25 @@ Acceptance:
- Verify that `artifactstore storage verify --backend s3` can run with
temporary credentials.
Completed 2026-07-02:
- Decision: in-process refresh uses per-client re-resolution of `file:` refs
(sidecar/controller rewrites the mounted files atomically); no long-lived
credential state is cached, and values never enter request bodies, events,
or config dumps.
- Config shape: `S3BackendConfig.session_token` +
`ARTIFACTSTORE_S3_SESSION_TOKEN_REF` (env:/file: ref like the existing key
refs); `S3Backend` accepts an optional `credentials_provider` returning
(access, secret, token) per client.
- Live verification against a local MinIO: the smoke's new STS leg mints
temporary credentials via `AssumeRole` for a scoped non-root user and
passes round-trip/range/multipart with the session token
(`make test-minio-local`), and the CLI ran `migrate`/`health`/`storage
verify --backend s3` with STS credentials delivered through `file:` refs —
backend health `ok` proves a live authenticated `head_bucket`.
- `make test` 112 passed / 2 skipped; targeted Ruff clean. Unit tests cover
session-token pass-through and per-client provider re-resolution.
## D7.5 - Follow-Up Workstream Routing
```task
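Review bot: the per-client re-resolution of `file:` refs reads the access key, the secret and `ARTIFACTSTORE_S3_SESSION_TOKEN_REF` as three independent refs, but STS credentials are only valid as a matched triple from one `AssumeRole` response; if the sidecar rewrites the mounted files between two of those reads, a client can pair a fresh session token with a stale access key/secret and fail authentication even though each individual file was replaced atomically. The `credentials_provider` that returns `(access, secret, token)` should read all three refs together and re-read until the set is stable (or the three values should be delivered in a single file), and the unit test for per-client provider re-resolution should include a rotation that lands between two reads. Separately, the statement that values "never enter request bodies, events, or config dumps" is not backed by any listed test; a redaction assertion over the config-dump path would close that gap.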