generated from coulomb/repo-seed
2.0 KiB
2.0 KiB
STS Credential Vending Extraction
Status: generated extraction from NetKingdom and Railiance source docs
Extracted Claims
- Object-storage credential vending must be identity-backed and policy-approved before backend exchange.
- flex-auth is the canonical authorization decision point for bucket, prefix, action, TTL, tenant, and assurance decisions.
- Provider-native temporary credentials are preferred when mature.
- OpenBao may protect parent credentials, broker configuration, leases, and audit records, but must not decide object-storage authorization.
- Consumers must support session tokens and expiration-aware refresh.
- Long-lived static credentials are transitional only.
- Tenant administrators must not receive platform-root object-store or OpenBao authority.
Extracted Anti-Patterns
- object-store root credentials in application pods;
- access-key/secret-key-only production consumers with no session token;
- application repos as canonical bucket policy owners;
- OpenBao used as a substitute for flex-auth decisions;
- local-identity tokens accepted by production object-storage backends;
- fallback to root credentials when STS or flex-auth is unavailable.
Extracted Evidence Needs
- IAM Profile issuer/audience validation.
- flex-auth decision record with stable reason codes.
- backend credential response with session token and expiration.
- OpenBao audit event where parent material or broker config is used.
- artifact-store or consumer refresh test.
- denial tests for wrong tenant, unregistered prefix, and excessive TTL.
Candidate Tutorial
Title: Vend temporary S3 credentials from a NetKingdom identity token.
Tutorial path:
- issue or obtain an IAM Profile token;
- register protected system, bucket, and prefix in flex-auth;
- request credentials from the vending service;
- observe backend temporary credential response;
- configure
artifact-storeor an SDK with session token; - verify refresh and audit correlation;
- exercise deny cases.