# STS Credential Vending Relationship Map Status: draft ## Purpose This relation artifact spells out how the STS credential-vending pattern connects NetKingdom, Railiance, flex-auth, OpenBao, artifact-store, and future tutorials. ## Relationship Summary ```text IAM Profile identifies caller -> flex-auth authorizes tenant/resource/action/TTL -> credential-vending service normalizes backend-specific temporary credential exchange -> OpenBao protects parent material and audit/lease evidence where used -> object-storage backend issues temporary credentials -> artifact-store or other consumer refreshes and uses scoped credentials ``` ## Handoffs | From | To | Handoff | Evidence | | --- | --- | --- | --- | | NetKingdom IAM Profile | credential-vending service | issuer, audience, subject, tenant, assurance claims | token validation test | | credential-vending service | flex-auth | protected system, bucket, prefix, action set, TTL, context | decision envelope | | flex-auth | Topaz | delegated PDP evaluation where used | policy load and decision log | | credential-vending service | OpenBao | parent credential access, broker config, lease/audit metadata | OpenBao audit event | | credential-vending service | backend STS/API | approved temporary credential request | backend response with expiration | | credential-vending service | artifact-store | normalized temporary credentials | `AWS_SESSION_TOKEN` and expiration-aware refresh | | artifact-store | audit sink | workload storage event with correlation id | workload audit record | | pattern catalog | NK-WP-0009 | tutorial candidate | tutorial backlog item | ## Required Edges In The Infospace Graph - STS source docs seed the STS pattern. - STS pattern implements object-storage access capability. - STS pattern uses delegated authorization. - STS pattern uses OpenBao runtime secret authority. - STS pattern requires artifact-store session-token support. - STS pattern feeds NK-WP-0009 tutorial work. ## Open Questions - Which backend is the first live exchange target: MinIO/AIStor, Ceph RGW, AWS, or Cloudflare R2? - Does the first implementation use a standalone service, controller, or CLI plus `credential_process`? - Where does durable cross-system audit correlation land? - Which claim shape should become the IAM Profile minimum for workload object-storage access?