This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/relations/sts-credential-vending-relationship-map.md

2.4 KiB

STS Credential Vending Relationship Map

Status: draft

Purpose

This relation artifact spells out how the STS credential-vending pattern connects NetKingdom, Railiance, flex-auth, OpenBao, artifact-store, and future tutorials.

Relationship Summary

IAM Profile
  identifies caller
    -> flex-auth
        authorizes tenant/resource/action/TTL
          -> credential-vending service
              normalizes backend-specific temporary credential exchange
                -> OpenBao
                    protects parent material and audit/lease evidence where used
                -> object-storage backend
                    issues temporary credentials
                -> artifact-store or other consumer
                    refreshes and uses scoped credentials

Handoffs

From To Handoff Evidence
NetKingdom IAM Profile credential-vending service issuer, audience, subject, tenant, assurance claims token validation test
credential-vending service flex-auth protected system, bucket, prefix, action set, TTL, context decision envelope
flex-auth Topaz delegated PDP evaluation where used policy load and decision log
credential-vending service OpenBao parent credential access, broker config, lease/audit metadata OpenBao audit event
credential-vending service backend STS/API approved temporary credential request backend response with expiration
credential-vending service artifact-store normalized temporary credentials AWS_SESSION_TOKEN and expiration-aware refresh
artifact-store audit sink workload storage event with correlation id workload audit record
pattern catalog NK-WP-0009 tutorial candidate tutorial backlog item

Required Edges In The Infospace Graph

  • STS source docs seed the STS pattern.
  • STS pattern implements object-storage access capability.
  • STS pattern uses delegated authorization.
  • STS pattern uses OpenBao runtime secret authority.
  • STS pattern requires artifact-store session-token support.
  • STS pattern feeds NK-WP-0009 tutorial work.

Open Questions

  • Which backend is the first live exchange target: MinIO/AIStor, Ceph RGW, AWS, or Cloudflare R2?
  • Does the first implementation use a standalone service, controller, or CLI plus credential_process?
  • Where does durable cross-system audit correlation land?
  • Which claim shape should become the IAM Profile minimum for workload object-storage access?