# STS Credential Vending Extraction Status: generated extraction from NetKingdom and Railiance source docs ## Extracted Claims 1. Object-storage credential vending must be identity-backed and policy-approved before backend exchange. 2. flex-auth is the canonical authorization decision point for bucket, prefix, action, TTL, tenant, and assurance decisions. 3. Provider-native temporary credentials are preferred when mature. 4. OpenBao may protect parent credentials, broker configuration, leases, and audit records, but must not decide object-storage authorization. 5. Consumers must support session tokens and expiration-aware refresh. 6. Long-lived static credentials are transitional only. 7. Tenant administrators must not receive platform-root object-store or OpenBao authority. ## Extracted Anti-Patterns - object-store root credentials in application pods; - access-key/secret-key-only production consumers with no session token; - application repos as canonical bucket policy owners; - OpenBao used as a substitute for flex-auth decisions; - local-identity tokens accepted by production object-storage backends; - fallback to root credentials when STS or flex-auth is unavailable. ## Extracted Evidence Needs - IAM Profile issuer/audience validation. - flex-auth decision record with stable reason codes. - backend credential response with session token and expiration. - OpenBao audit event where parent material or broker config is used. - artifact-store or consumer refresh test. - denial tests for wrong tenant, unregistered prefix, and excessive TTL. ## Candidate Tutorial Title: Vend temporary S3 credentials from a NetKingdom identity token. Tutorial path: 1. issue or obtain an IAM Profile token; 2. register protected system, bucket, and prefix in flex-auth; 3. request credentials from the vending service; 4. observe backend temporary credential response; 5. configure `artifact-store` or an SDK with session token; 6. verify refresh and audit correlation; 7. exercise deny cases.