generated from coulomb/repo-seed
116 lines
4.4 KiB
Markdown
116 lines
4.4 KiB
Markdown
# Capability: Object Storage Access
|
|
|
|
Status: draft
|
|
Readiness target: RL3 production
|
|
Primary owners: NetKingdom, Railiance platform, artifact-store
|
|
|
|
## Intent
|
|
|
|
Provide safe object-storage access for platform and tenant workloads
|
|
without giving applications long-lived root credentials or making each
|
|
application own storage authorization policy.
|
|
|
|
## Scope
|
|
|
|
Included:
|
|
|
|
- identity-backed access requests;
|
|
- bucket, prefix, action, tenant, and TTL scoping;
|
|
- temporary credentials with session token and expiration;
|
|
- audit correlation across identity, authorization, OpenBao, backend,
|
|
and workload events;
|
|
- transitional static credential bridge where STS is not ready.
|
|
|
|
Excluded:
|
|
|
|
- object-storage backend deployment;
|
|
- product-specific artifact package semantics;
|
|
- replacing flex-auth with provider-specific bucket policy;
|
|
- exposing parent object-store credentials to tenant workloads.
|
|
|
|
## Threats Addressed
|
|
|
|
- leaked long-lived object-store access keys;
|
|
- application repos becoming policy owners for storage access;
|
|
- cross-tenant bucket or prefix access;
|
|
- workloads using platform-root object-store credentials;
|
|
- unaudited access to generated artifacts, backups, reports, and
|
|
evidence packages;
|
|
- failure to revoke or expire credentials after task completion.
|
|
|
|
## Required Controls
|
|
|
|
- IAM Profile token validation for human, service, and agent callers.
|
|
- flex-auth decision envelope for protected system, tenant, resource,
|
|
action set, TTL, assurance, obligations, and deny reason.
|
|
- Provider-native temporary credentials where the backend supports them.
|
|
- OpenBao custody for parent credentials, broker configuration, delivery
|
|
secrets, and audit records where used.
|
|
- Consumer support for `AWS_SESSION_TOKEN` and expiration-aware refresh.
|
|
- Durable audit sink and correlation id.
|
|
|
|
## Implementation Options
|
|
|
|
| Option | Use when | Notes |
|
|
| --- | --- | --- |
|
|
| AWS STS `AssumeRoleWithWebIdentity` | AWS-native object storage | Strong native fit; use IAM OIDC provider and role trust policies |
|
|
| Ceph RGW STS | self-hosted Ceph object storage | Use when RGW IAM/STS maturity fits deployment risk |
|
|
| MinIO/AIStor STS | lightweight or self-hosted S3-compatible storage | Good fit if consumers support session tokens |
|
|
| Cloudflare R2 temporary credentials | Cloudflare object storage | Requires backend-specific broker protecting parent credentials |
|
|
| Transitional static bridge | before STS support is ready | Store scoped static credentials in OpenBao; rotate and retire quickly |
|
|
|
|
## Platform Responsibility
|
|
|
|
- define issuer, audience, tenant, and assurance requirements;
|
|
- define flex-auth resource/action vocabulary;
|
|
- operate or approve the credential-vending service;
|
|
- protect backend parent credentials through OpenBao;
|
|
- provide audit retention and break-glass procedure.
|
|
|
|
## Product Responsibility
|
|
|
|
- use temporary credentials rather than root/static credentials;
|
|
- refresh credentials before expiration;
|
|
- include correlation ids in storage operations where possible;
|
|
- handle deny and expiration cleanly;
|
|
- avoid embedding policy decisions in application code.
|
|
|
|
## Tenant Responsibility
|
|
|
|
- request access only to registered tenant resources;
|
|
- manage tenant-scoped groups or memberships where delegated;
|
|
- review tenant-visible audit events where available.
|
|
|
|
## Readiness Criteria
|
|
|
|
| Level | Criteria |
|
|
| --- | --- |
|
|
| RL1 | static scoped credentials are not committed; object-store root credentials are not used |
|
|
| RL2 | tenant/bucket/prefix mapping exists; OpenBao or equivalent custody protects credentials |
|
|
| RL3 | temporary credentials, session token support, flex-auth decisions, audit correlation, and refresh behavior are verified |
|
|
| RL4 | tenant-visible audit, dual control for platform-scoped access, restore/revocation drills, and standards mapping are complete |
|
|
|
|
## Evidence
|
|
|
|
- `docs/object-storage-sts-credential-vending.md`
|
|
- `ADR-0008 - Object Storage STS Credential Vending Boundary`
|
|
- artifact-store support for `AWS_SESSION_TOKEN`
|
|
- OpenBao audit record for broker/parent credential access
|
|
- flex-auth decision record with stable reason codes
|
|
- backend credential expiration and revocation proof
|
|
|
|
## Related Patterns
|
|
|
|
- `pattern-sts-credential-vending.md`
|
|
- secret zero avoidance
|
|
- delegated authorization
|
|
- workload identity
|
|
- central audit ledger
|
|
|
|
## Related Standards
|
|
|
|
- NIST CSF Protect and Detect functions.
|
|
- OWASP API Security broken object-level authorization risk.
|
|
- SLSA and artifact integrity patterns where object storage holds release
|
|
artifacts or provenance.
|