This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-sts-credential-vending.md

4.3 KiB

Pattern: STS Credential Vending

Status: reviewed Readiness target: RL3 production Primary owners: NetKingdom, flex-auth, Railiance platform

Problem

Applications need object-storage access, but long-lived access keys in application pods, repositories, or tenant namespaces create a durable compromise path. Provider-specific bucket policy alone is not enough for NetKingdom because access decisions must include identity, tenant, resource, action, TTL, assurance, and audit context.

Context

Use this pattern when a workload, service, agent, or human needs temporary access to S3-compatible object storage. The first target consumer is artifact-store, but the pattern is intended for any NetKingdom-enabled platform or tenant workload.

The pattern applies across AWS S3, Ceph RGW, MinIO/AIStor, Cloudflare R2, and OpenBao-assisted broker paths.

Forces

  • Provider-native STS gives strong backend expiration semantics, but providers differ in API shape and OIDC support.
  • Applications need a simple credential contract, but security decisions require rich context.
  • OpenBao can protect parent credentials and audit broker operations, but must not become the authorization policy engine.
  • Tenant administrators need self-service within tenant scope, but must not receive platform-root object-store or OpenBao authority.
  • Temporary credentials reduce blast radius, but consumers must refresh safely and support session tokens.

Solution

Introduce a credential-vending service that accepts a NetKingdom IAM Profile token or workload identity, asks flex-auth for an authorization decision, and exchanges approved requests for provider-native temporary credentials or an OpenBao-assisted broker path.

The consumer receives normalized credentials:

access key id
secret access key
session token
expiration
scope metadata
decision/audit correlation id

Implementation Sketch

  1. Caller authenticates through key-cape or Keycloak.
  2. Credential-vending service validates issuer, audience, subject, tenant, expiration, and assurance evidence.
  3. Service builds a flex-auth request with protected-system id, bucket, prefix/object, actions, TTL, actor, tenant, and context.
  4. flex-auth evaluates policy, delegated to Topaz where appropriate.
  5. Deny returns a stable reason code and audit id.
  6. Allow invokes backend exchange:
    • AWS STS AssumeRoleWithWebIdentity;
    • Ceph RGW STS;
    • MinIO/AIStor STS;
    • Cloudflare R2 temporary credential API;
    • OpenBao-assisted broker path for protected parent material.
  7. Service records identity, policy, backend, lease, and audit metadata.
  8. Consumer refreshes before expiration.

Failure Modes

Failure Mitigation
Consumer lacks AWS_SESSION_TOKEN support keep static bridge only as transitional; add session token refs
flex-auth unavailable fail closed except documented emergency platform workflows
OpenBao unavailable fail if parent material or broker config is required
Backend STS unavailable return retryable backend error; do not fall back to root credentials
Tenant mismatch deny with stable reason code
TTL too long reduce to policy maximum or deny
Audit sink unavailable deny privileged/platform-scoped requests; buffer only if policy permits
  • Object storage access.
  • Authorization and access control.
  • Secrets, keys, and credentials.
  • Tenant isolation.
  • Observability, detection, and audit.

Maturity

Reviewed. The pattern has architecture and ADR coverage in NetKingdom. It should not be marked canonical until artifact-store temporary session token support and at least one backend exchange path are verified.

Verification

  • IAM Profile validation rejects wrong issuer or audience.
  • flex-auth decision includes tenant, protected system, bucket/prefix, action set, TTL, obligations, and deny reason.
  • Backend returns access key id, secret access key, session token, and expiration.
  • OpenBao audit record exists when parent material or broker config is accessed.
  • Consumer refreshes before expiration.
  • Deny paths emit stable reason codes.

References

  • NetKingdom docs/object-storage-sts-credential-vending.md.
  • NetKingdom ADR-0008 - Object Storage STS Credential Vending Boundary.
  • Railiance Platform docs/openbao.md.
  • Artifact-store ARTIFACT-STORE-WP-0007.