generated from coulomb/repo-seed
50 lines
2.0 KiB
Markdown
50 lines
2.0 KiB
Markdown
# STS Credential Vending Extraction
|
|
|
|
Status: generated extraction from NetKingdom and Railiance source docs
|
|
|
|
## Extracted Claims
|
|
|
|
1. Object-storage credential vending must be identity-backed and
|
|
policy-approved before backend exchange.
|
|
2. flex-auth is the canonical authorization decision point for bucket,
|
|
prefix, action, TTL, tenant, and assurance decisions.
|
|
3. Provider-native temporary credentials are preferred when mature.
|
|
4. OpenBao may protect parent credentials, broker configuration, leases,
|
|
and audit records, but must not decide object-storage authorization.
|
|
5. Consumers must support session tokens and expiration-aware refresh.
|
|
6. Long-lived static credentials are transitional only.
|
|
7. Tenant administrators must not receive platform-root object-store or
|
|
OpenBao authority.
|
|
|
|
## Extracted Anti-Patterns
|
|
|
|
- object-store root credentials in application pods;
|
|
- access-key/secret-key-only production consumers with no session token;
|
|
- application repos as canonical bucket policy owners;
|
|
- OpenBao used as a substitute for flex-auth decisions;
|
|
- local-identity tokens accepted by production object-storage backends;
|
|
- fallback to root credentials when STS or flex-auth is unavailable.
|
|
|
|
## Extracted Evidence Needs
|
|
|
|
- IAM Profile issuer/audience validation.
|
|
- flex-auth decision record with stable reason codes.
|
|
- backend credential response with session token and expiration.
|
|
- OpenBao audit event where parent material or broker config is used.
|
|
- artifact-store or consumer refresh test.
|
|
- denial tests for wrong tenant, unregistered prefix, and excessive TTL.
|
|
|
|
## Candidate Tutorial
|
|
|
|
Title: Vend temporary S3 credentials from a NetKingdom identity token.
|
|
|
|
Tutorial path:
|
|
|
|
1. issue or obtain an IAM Profile token;
|
|
2. register protected system, bucket, and prefix in flex-auth;
|
|
3. request credentials from the vending service;
|
|
4. observe backend temporary credential response;
|
|
5. configure `artifact-store` or an SDK with session token;
|
|
6. verify refresh and audit correlation;
|
|
7. exercise deny cases.
|