generated from coulomb/repo-seed
ARTIFACT-STORE-WP-0007 D7.3: STS credential vending assessment for NetKingdom
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -137,7 +137,7 @@ Completed 2026-07-02:
```task
id: ARTIFACT-STORE-WP-0007-T003
status: todo
status: done
priority: high
state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"
```
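Review bot: the status flip from `todo` to `done` is the only change in this task block, yet the block carries no completion date even though the file records completion in prose (`Completed 2026-07-02:` in the hunk context); if the task schema supports a completion field, add it here so the record mirrored under `state_hub_task_id: "d3d5c4c1-d3b2-4163-b99d-1b08f90566d1"` can be reconciled without parsing free-text notes, and confirm the state hub entry was flipped in the same change so the two do not diverge.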
@@ -152,6 +152,19 @@ Acceptance:
token audience, role/policy mapping, expiration, revocation, audit,
and break-glass behavior.
|
Completed 2026-07-02: added `docs/sts-credential-vending-assessment.md`,
specializing the NetKingdom baseline (`net-kingdom/docs/object-storage-sts-
credential-vending.md`, NK-WP-0007) for artifact-store. Inventory found no
production-live object-storage credentials yet (artifact-store static-ref
bridge, CNPG backup lane parked pre-provisioning), confirmed key-cape/Keycloak
as viable MinIO `AssumeRoleWithWebIdentity` issuers (Authelia rejected —
no IAM Profile claims; local-identity sandbox-only), and bound the target
architecture: vending-service audience, flex-auth decision vocabulary, 15–60
min leases with refresh jitter, audit event shape, and break-glass rules.
Key code finding for D7.4: `S3BackendConfig` lacks `session_token` and the
`aioboto3.Session` omits `aws_session_token`, so STS credentials cannot be
consumed until that lands.
|
## D7.4 - Artifact-Store Temporary Credential Support
|
```task
|
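Review bot: the inline code span for the baseline path is broken across two lines (`net-kingdom/docs/object-storage-sts-` then `credential-vending.md`), and CommonMark folds a line ending inside a code span into a space, so the rendered path contains a space and cannot be copied as written; keep the path on one line even if it overruns the wrap width. On substance, the key finding (`S3BackendConfig` lacks `session_token`, `aioboto3.Session` omits `aws_session_token`) is recorded in the completion note but is not carried into the D7.4 section that follows, which is only visible here as its heading and opening `task` fence; the D7.4 acceptance criteria should name that plumbing explicitly, together with refreshing the 15–60 min leases before expiry, since the note itself states that STS credentials cannot be consumed until it lands.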