This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/generated/sts-credential-vending-extraction.md

2.0 KiB

STS Credential Vending Extraction

Status: generated extraction from NetKingdom and Railiance source docs

Extracted Claims

  1. Object-storage credential vending must be identity-backed and policy-approved before backend exchange.
  2. flex-auth is the canonical authorization decision point for bucket, prefix, action, TTL, tenant, and assurance decisions.
  3. Provider-native temporary credentials are preferred when mature.
  4. OpenBao may protect parent credentials, broker configuration, leases, and audit records, but must not decide object-storage authorization.
  5. Consumers must support session tokens and expiration-aware refresh.
  6. Long-lived static credentials are transitional only.
  7. Tenant administrators must not receive platform-root object-store or OpenBao authority.

Extracted Anti-Patterns

  • object-store root credentials in application pods;
  • access-key/secret-key-only production consumers with no session token;
  • application repos as canonical bucket policy owners;
  • OpenBao used as a substitute for flex-auth decisions;
  • local-identity tokens accepted by production object-storage backends;
  • fallback to root credentials when STS or flex-auth is unavailable.

Extracted Evidence Needs

  • IAM Profile issuer/audience validation.
  • flex-auth decision record with stable reason codes.
  • backend credential response with session token and expiration.
  • OpenBao audit event where parent material or broker config is used.
  • artifact-store or consumer refresh test.
  • denial tests for wrong tenant, unregistered prefix, and excessive TTL.

Candidate Tutorial

Title: Vend temporary S3 credentials from a NetKingdom identity token.

Tutorial path:

  1. issue or obtain an IAM Profile token;
  2. register protected system, bucket, and prefix in flex-auth;
  3. request credentials from the vending service;
  4. observe backend temporary credential response;
  5. configure artifact-store or an SDK with session token;
  6. verify refresh and audit correlation;
  7. exercise deny cases.