generated from coulomb/repo-seed
4.4 KiB
4.4 KiB
Capability: Object Storage Access
Status: draft Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, artifact-store
Intent
Provide safe object-storage access for platform and tenant workloads without giving applications long-lived root credentials or making each application own storage authorization policy.
Scope
Included:
- identity-backed access requests;
- bucket, prefix, action, tenant, and TTL scoping;
- temporary credentials with session token and expiration;
- audit correlation across identity, authorization, OpenBao, backend, and workload events;
- transitional static credential bridge where STS is not ready.
Excluded:
- object-storage backend deployment;
- product-specific artifact package semantics;
- replacing flex-auth with provider-specific bucket policy;
- exposing parent object-store credentials to tenant workloads.
Threats Addressed
- leaked long-lived object-store access keys;
- application repos becoming policy owners for storage access;
- cross-tenant bucket or prefix access;
- workloads using platform-root object-store credentials;
- unaudited access to generated artifacts, backups, reports, and evidence packages;
- failure to revoke or expire credentials after task completion.
Required Controls
- IAM Profile token validation for human, service, and agent callers.
- flex-auth decision envelope for protected system, tenant, resource, action set, TTL, assurance, obligations, and deny reason.
- Provider-native temporary credentials where the backend supports them.
- OpenBao custody for parent credentials, broker configuration, delivery secrets, and audit records where used.
- Consumer support for
AWS_SESSION_TOKENand expiration-aware refresh. - Durable audit sink and correlation id.
Implementation Options
| Option | Use when | Notes |
|---|---|---|
AWS STS AssumeRoleWithWebIdentity |
AWS-native object storage | Strong native fit; use IAM OIDC provider and role trust policies |
| Ceph RGW STS | self-hosted Ceph object storage | Use when RGW IAM/STS maturity fits deployment risk |
| MinIO/AIStor STS | lightweight or self-hosted S3-compatible storage | Good fit if consumers support session tokens |
| Cloudflare R2 temporary credentials | Cloudflare object storage | Requires backend-specific broker protecting parent credentials |
| Transitional static bridge | before STS support is ready | Store scoped static credentials in OpenBao; rotate and retire quickly |
Platform Responsibility
- define issuer, audience, tenant, and assurance requirements;
- define flex-auth resource/action vocabulary;
- operate or approve the credential-vending service;
- protect backend parent credentials through OpenBao;
- provide audit retention and break-glass procedure.
Product Responsibility
- use temporary credentials rather than root/static credentials;
- refresh credentials before expiration;
- include correlation ids in storage operations where possible;
- handle deny and expiration cleanly;
- avoid embedding policy decisions in application code.
Tenant Responsibility
- request access only to registered tenant resources;
- manage tenant-scoped groups or memberships where delegated;
- review tenant-visible audit events where available.
Readiness Criteria
| Level | Criteria |
|---|---|
| RL1 | static scoped credentials are not committed; object-store root credentials are not used |
| RL2 | tenant/bucket/prefix mapping exists; OpenBao or equivalent custody protects credentials |
| RL3 | temporary credentials, session token support, flex-auth decisions, audit correlation, and refresh behavior are verified |
| RL4 | tenant-visible audit, dual control for platform-scoped access, restore/revocation drills, and standards mapping are complete |
Evidence
docs/object-storage-sts-credential-vending.mdADR-0008 - Object Storage STS Credential Vending Boundary- artifact-store support for
AWS_SESSION_TOKEN - OpenBao audit record for broker/parent credential access
- flex-auth decision record with stable reason codes
- backend credential expiration and revocation proof
Related Patterns
pattern-sts-credential-vending.md- secret zero avoidance
- delegated authorization
- workload identity
- central audit ledger
Related Standards
- NIST CSF Protect and Detect functions.
- OWASP API Security broken object-level authorization risk.
- SLSA and artifact integrity patterns where object storage holds release artifacts or provenance.