This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/generated/sts-credential-vending-extraction.md

50 lines
2.0 KiB
Markdown

# STS Credential Vending Extraction
Status: generated extraction from NetKingdom and Railiance source docs
## Extracted Claims
1. Object-storage credential vending must be identity-backed and
policy-approved before backend exchange.
2. flex-auth is the canonical authorization decision point for bucket,
prefix, action, TTL, tenant, and assurance decisions.
3. Provider-native temporary credentials are preferred when mature.
4. OpenBao may protect parent credentials, broker configuration, leases,
and audit records, but must not decide object-storage authorization.
5. Consumers must support session tokens and expiration-aware refresh.
6. Long-lived static credentials are transitional only.
7. Tenant administrators must not receive platform-root object-store or
OpenBao authority.
## Extracted Anti-Patterns
- object-store root credentials in application pods;
- access-key/secret-key-only production consumers with no session token;
- application repos as canonical bucket policy owners;
- OpenBao used as a substitute for flex-auth decisions;
- local-identity tokens accepted by production object-storage backends;
- fallback to root credentials when STS or flex-auth is unavailable.
## Extracted Evidence Needs
- IAM Profile issuer/audience validation.
- flex-auth decision record with stable reason codes.
- backend credential response with session token and expiration.
- OpenBao audit event where parent material or broker config is used.
- artifact-store or consumer refresh test.
- denial tests for wrong tenant, unregistered prefix, and excessive TTL.
## Candidate Tutorial
Title: Vend temporary S3 credentials from a NetKingdom identity token.
Tutorial path:
1. issue or obtain an IAM Profile token;
2. register protected system, bucket, and prefix in flex-auth;
3. request credentials from the vending service;
4. observe backend temporary credential response;
5. configure `artifact-store` or an SDK with session token;
6. verify refresh and audit correlation;
7. exercise deny cases.