Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/capability-object-storage-access.md

116 lines
4.4 KiB
Markdown

# Capability: Object Storage Access
Status: draft
Readiness target: RL3 production
Primary owners: NetKingdom, Railiance platform, artifact-store
## Intent
Provide safe object-storage access for platform and tenant workloads
without giving applications long-lived root credentials or making each
application own storage authorization policy.
## Scope
Included:
- identity-backed access requests;
- bucket, prefix, action, tenant, and TTL scoping;
- temporary credentials with session token and expiration;
- audit correlation across identity, authorization, OpenBao, backend,
and workload events;
- transitional static credential bridge where STS is not ready.
Excluded:
- object-storage backend deployment;
- product-specific artifact package semantics;
- replacing flex-auth with provider-specific bucket policy;
- exposing parent object-store credentials to tenant workloads.
## Threats Addressed
- leaked long-lived object-store access keys;
- application repos becoming policy owners for storage access;
- cross-tenant bucket or prefix access;
- workloads using platform-root object-store credentials;
- unaudited access to generated artifacts, backups, reports, and
evidence packages;
- failure to revoke or expire credentials after task completion.
## Required Controls
- IAM Profile token validation for human, service, and agent callers.
- flex-auth decision envelope for protected system, tenant, resource,
action set, TTL, assurance, obligations, and deny reason.
- Provider-native temporary credentials where the backend supports them.
- OpenBao custody for parent credentials, broker configuration, delivery
secrets, and audit records where used.
- Consumer support for `AWS_SESSION_TOKEN` and expiration-aware refresh.
- Durable audit sink and correlation id.
## Implementation Options
| Option | Use when | Notes |
| --- | --- | --- |
| AWS STS `AssumeRoleWithWebIdentity` | AWS-native object storage | Strong native fit; use IAM OIDC provider and role trust policies |
| Ceph RGW STS | self-hosted Ceph object storage | Use when RGW IAM/STS maturity fits deployment risk |
| MinIO/AIStor STS | lightweight or self-hosted S3-compatible storage | Good fit if consumers support session tokens |
| Cloudflare R2 temporary credentials | Cloudflare object storage | Requires backend-specific broker protecting parent credentials |
| Transitional static bridge | before STS support is ready | Store scoped static credentials in OpenBao; rotate and retire quickly |
## Platform Responsibility
- define issuer, audience, tenant, and assurance requirements;
- define flex-auth resource/action vocabulary;
- operate or approve the credential-vending service;
- protect backend parent credentials through OpenBao;
- provide audit retention and break-glass procedure.
## Product Responsibility
- use temporary credentials rather than root/static credentials;
- refresh credentials before expiration;
- include correlation ids in storage operations where possible;
- handle deny and expiration cleanly;
- avoid embedding policy decisions in application code.
## Tenant Responsibility
- request access only to registered tenant resources;
- manage tenant-scoped groups or memberships where delegated;
- review tenant-visible audit events where available.
## Readiness Criteria
| Level | Criteria |
| --- | --- |
| RL1 | static scoped credentials are not committed; object-store root credentials are not used |
| RL2 | tenant/bucket/prefix mapping exists; OpenBao or equivalent custody protects credentials |
| RL3 | temporary credentials, session token support, flex-auth decisions, audit correlation, and refresh behavior are verified |
| RL4 | tenant-visible audit, dual control for platform-scoped access, restore/revocation drills, and standards mapping are complete |
## Evidence
- `docs/object-storage-sts-credential-vending.md`
- `ADR-0008 - Object Storage STS Credential Vending Boundary`
- artifact-store support for `AWS_SESSION_TOKEN`
- OpenBao audit record for broker/parent credential access
- flex-auth decision record with stable reason codes
- backend credential expiration and revocation proof
## Related Patterns
- `pattern-sts-credential-vending.md`
- secret zero avoidance
- delegated authorization
- workload identity
- central audit ledger
## Related Standards
- NIST CSF Protect and Detect functions.
- OWASP API Security broken object-level authorization risk.
- SLSA and artifact integrity patterns where object storage holds release
artifacts or provenance.