Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/capability-object-storage-access.md

4.4 KiB

Capability: Object Storage Access

Status: draft Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, artifact-store

Intent

Provide safe object-storage access for platform and tenant workloads without giving applications long-lived root credentials or making each application own storage authorization policy.

Scope

Included:

  • identity-backed access requests;
  • bucket, prefix, action, tenant, and TTL scoping;
  • temporary credentials with session token and expiration;
  • audit correlation across identity, authorization, OpenBao, backend, and workload events;
  • transitional static credential bridge where STS is not ready.

Excluded:

  • object-storage backend deployment;
  • product-specific artifact package semantics;
  • replacing flex-auth with provider-specific bucket policy;
  • exposing parent object-store credentials to tenant workloads.

Threats Addressed

  • leaked long-lived object-store access keys;
  • application repos becoming policy owners for storage access;
  • cross-tenant bucket or prefix access;
  • workloads using platform-root object-store credentials;
  • unaudited access to generated artifacts, backups, reports, and evidence packages;
  • failure to revoke or expire credentials after task completion.

Required Controls

  • IAM Profile token validation for human, service, and agent callers.
  • flex-auth decision envelope for protected system, tenant, resource, action set, TTL, assurance, obligations, and deny reason.
  • Provider-native temporary credentials where the backend supports them.
  • OpenBao custody for parent credentials, broker configuration, delivery secrets, and audit records where used.
  • Consumer support for AWS_SESSION_TOKEN and expiration-aware refresh.
  • Durable audit sink and correlation id.

Implementation Options

Option Use when Notes
AWS STS AssumeRoleWithWebIdentity AWS-native object storage Strong native fit; use IAM OIDC provider and role trust policies
Ceph RGW STS self-hosted Ceph object storage Use when RGW IAM/STS maturity fits deployment risk
MinIO/AIStor STS lightweight or self-hosted S3-compatible storage Good fit if consumers support session tokens
Cloudflare R2 temporary credentials Cloudflare object storage Requires backend-specific broker protecting parent credentials
Transitional static bridge before STS support is ready Store scoped static credentials in OpenBao; rotate and retire quickly

Platform Responsibility

  • define issuer, audience, tenant, and assurance requirements;
  • define flex-auth resource/action vocabulary;
  • operate or approve the credential-vending service;
  • protect backend parent credentials through OpenBao;
  • provide audit retention and break-glass procedure.

Product Responsibility

  • use temporary credentials rather than root/static credentials;
  • refresh credentials before expiration;
  • include correlation ids in storage operations where possible;
  • handle deny and expiration cleanly;
  • avoid embedding policy decisions in application code.

Tenant Responsibility

  • request access only to registered tenant resources;
  • manage tenant-scoped groups or memberships where delegated;
  • review tenant-visible audit events where available.

Readiness Criteria

Level Criteria
RL1 static scoped credentials are not committed; object-store root credentials are not used
RL2 tenant/bucket/prefix mapping exists; OpenBao or equivalent custody protects credentials
RL3 temporary credentials, session token support, flex-auth decisions, audit correlation, and refresh behavior are verified
RL4 tenant-visible audit, dual control for platform-scoped access, restore/revocation drills, and standards mapping are complete

Evidence

  • docs/object-storage-sts-credential-vending.md
  • ADR-0008 - Object Storage STS Credential Vending Boundary
  • artifact-store support for AWS_SESSION_TOKEN
  • OpenBao audit record for broker/parent credential access
  • flex-auth decision record with stable reason codes
  • backend credential expiration and revocation proof
  • pattern-sts-credential-vending.md
  • secret zero avoidance
  • delegated authorization
  • workload identity
  • central audit ledger
  • NIST CSF Protect and Detect functions.
  • OWASP API Security broken object-level authorization risk.
  • SLSA and artifact integrity patterns where object storage holds release artifacts or provenance.