4.3 KiB
Pattern: STS Credential Vending
Status: reviewed Readiness target: RL3 production Primary owners: NetKingdom, flex-auth, Railiance platform
Problem
Applications need object-storage access, but long-lived access keys in application pods, repositories, or tenant namespaces create a durable compromise path. Provider-specific bucket policy alone is not enough for NetKingdom because access decisions must include identity, tenant, resource, action, TTL, assurance, and audit context.
Context
Use this pattern when a workload, service, agent, or human needs
temporary access to S3-compatible object storage. The first target
consumer is artifact-store, but the pattern is intended for any
NetKingdom-enabled platform or tenant workload.
The pattern applies across AWS S3, Ceph RGW, MinIO/AIStor, Cloudflare R2, and OpenBao-assisted broker paths.
Forces
- Provider-native STS gives strong backend expiration semantics, but providers differ in API shape and OIDC support.
- Applications need a simple credential contract, but security decisions require rich context.
- OpenBao can protect parent credentials and audit broker operations, but must not become the authorization policy engine.
- Tenant administrators need self-service within tenant scope, but must not receive platform-root object-store or OpenBao authority.
- Temporary credentials reduce blast radius, but consumers must refresh safely and support session tokens.
Solution
Introduce a credential-vending service that accepts a NetKingdom IAM Profile token or workload identity, asks flex-auth for an authorization decision, and exchanges approved requests for provider-native temporary credentials or an OpenBao-assisted broker path.
The consumer receives normalized credentials:
access key id
secret access key
session token
expiration
scope metadata
decision/audit correlation id
Implementation Sketch
- Caller authenticates through key-cape or Keycloak.
- Credential-vending service validates issuer, audience, subject, tenant, expiration, and assurance evidence.
- Service builds a flex-auth request with protected-system id, bucket, prefix/object, actions, TTL, actor, tenant, and context.
- flex-auth evaluates policy, delegated to Topaz where appropriate.
- Deny returns a stable reason code and audit id.
- Allow invokes backend exchange:
- AWS STS
AssumeRoleWithWebIdentity; - Ceph RGW STS;
- MinIO/AIStor STS;
- Cloudflare R2 temporary credential API;
- OpenBao-assisted broker path for protected parent material.
- AWS STS
- Service records identity, policy, backend, lease, and audit metadata.
- Consumer refreshes before expiration.
Failure Modes
| Failure | Mitigation |
|---|---|
Consumer lacks AWS_SESSION_TOKEN support |
keep static bridge only as transitional; add session token refs |
| flex-auth unavailable | fail closed except documented emergency platform workflows |
| OpenBao unavailable | fail if parent material or broker config is required |
| Backend STS unavailable | return retryable backend error; do not fall back to root credentials |
| Tenant mismatch | deny with stable reason code |
| TTL too long | reduce to policy maximum or deny |
| Audit sink unavailable | deny privileged/platform-scoped requests; buffer only if policy permits |
Related Capabilities
- Object storage access.
- Authorization and access control.
- Secrets, keys, and credentials.
- Tenant isolation.
- Observability, detection, and audit.
Maturity
Reviewed. The pattern has architecture and ADR coverage in NetKingdom. It should not be marked canonical until artifact-store temporary session token support and at least one backend exchange path are verified.
Verification
- IAM Profile validation rejects wrong issuer or audience.
- flex-auth decision includes tenant, protected system, bucket/prefix, action set, TTL, obligations, and deny reason.
- Backend returns access key id, secret access key, session token, and expiration.
- OpenBao audit record exists when parent material or broker config is accessed.
- Consumer refreshes before expiration.
- Deny paths emit stable reason codes.
References
- NetKingdom
docs/object-storage-sts-credential-vending.md. - NetKingdom
ADR-0008 - Object Storage STS Credential Vending Boundary. - Railiance Platform
docs/openbao.md. - Artifact-store
ARTIFACT-STORE-WP-0007.