ARTIFACT-STORE-WP-0007 D7.3: STS credential vending assessment for NetKingdom

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 11:15:45 +02:00
parent e1dd365586
commit f4a7b92543
2 changed files with 109 additions and 1 deletions


@@ -137,7 +137,7 @@ Completed 2026-07-02:
```task
id: ARTIFACT-STORE-WP-0007-T003
status: todo
status: done
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```
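Review bot: Flipping `status` to `done` on ARTIFACT-STORE-WP-0007-T003 leaves the task block itself with no record of when it closed or which artifact closed it; the evidence only appears in the prose hunk further down. Since the block carries a `state_hub_task_id` that other tooling may follow, consider recording the completion date (2026-07-02) and the deliverable path `docs/sts-credential-vending-assessment.md` inside the block so it stands on its own.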
@@ -152,6 +152,19 @@ Acceptance:
token audience, role/policy mapping, expiration, revocation, audit,
and break-glass behavior.
Completed 2026-07-02: added `docs/sts-credential-vending-assessment.md`,
specializing the NetKingdom baseline (`net-kingdom/docs/object-storage-sts-
credential-vending.md`, NK-WP-0007) for artifact-store. Inventory found no
production-live object-storage credentials yet (artifact-store static-ref
bridge, CNPG backup lane parked pre-provisioning), confirmed key-cape/Keycloak
as viable MinIO `AssumeRoleWithWebIdentity` issuers (Authelia rejected —
no IAM Profile claims; local-identity sandbox-only), and bound the target
architecture: vending-service audience, flex-auth decision vocabulary, 1560
min leases with refresh jitter, audit event shape, and break-glass rules.
Key code finding for D7.4: `S3BackendConfig` lacks `session_token` and the
`aioboto3.Session` omits `aws_session_token`, so STS credentials cannot be
consumed until that lands.
## D7.4 - Artifact-Store Temporary Credential Support
```task
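Review bot: The completion note does not address `revocation`, although the Acceptance text just above lists it alongside audience, expiration, audit and break-glass; either say where revocation is covered in `docs/sts-credential-vending-assessment.md` or keep T003 open against that gap. Two smaller points in the same paragraph: `1560 min leases` is ambiguous, since a 1560-minute (26-hour) lease would contradict the short-lived-credential intent of STS vending, so if a range was meant write it as `15-60 min`; and the `S3BackendConfig` / `aws_session_token` finding is the item that blocks D7.4, so it deserves its own task id rather than a prose mention that can be lost when this note scrolls out of view.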