generated from coulomb/repo-seed
2.4 KiB
2.4 KiB
STS Credential Vending Relationship Map
Status: draft
Purpose
This relation artifact spells out how the STS credential-vending pattern connects NetKingdom, Railiance, flex-auth, OpenBao, artifact-store, and future tutorials.
Relationship Summary
IAM Profile
identifies caller
-> flex-auth
authorizes tenant/resource/action/TTL
-> credential-vending service
normalizes backend-specific temporary credential exchange
-> OpenBao
protects parent material and audit/lease evidence where used
-> object-storage backend
issues temporary credentials
-> artifact-store or other consumer
refreshes and uses scoped credentials
Handoffs
| From | To | Handoff | Evidence |
|---|---|---|---|
| NetKingdom IAM Profile | credential-vending service | issuer, audience, subject, tenant, assurance claims | token validation test |
| credential-vending service | flex-auth | protected system, bucket, prefix, action set, TTL, context | decision envelope |
| flex-auth | Topaz | delegated PDP evaluation where used | policy load and decision log |
| credential-vending service | OpenBao | parent credential access, broker config, lease/audit metadata | OpenBao audit event |
| credential-vending service | backend STS/API | approved temporary credential request | backend response with expiration |
| credential-vending service | artifact-store | normalized temporary credentials | AWS_SESSION_TOKEN and expiration-aware refresh |
| artifact-store | audit sink | workload storage event with correlation id | workload audit record |
| pattern catalog | NK-WP-0009 | tutorial candidate | tutorial backlog item |
Required Edges In The Infospace Graph
- STS source docs seed the STS pattern.
- STS pattern implements object-storage access capability.
- STS pattern uses delegated authorization.
- STS pattern uses OpenBao runtime secret authority.
- STS pattern requires artifact-store session-token support.
- STS pattern feeds NK-WP-0009 tutorial work.
Open Questions
- Which backend is the first live exchange target: MinIO/AIStor, Ceph RGW, AWS, or Cloudflare R2?
- Does the first implementation use a standalone service, controller, or
CLI plus
credential_process? - Where does durable cross-system audit correlation land?
- Which claim shape should become the IAM Profile minimum for workload object-storage access?