This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/relations/sts-credential-vending-relationship-map.md

59 lines
2.4 KiB
Markdown

# STS Credential Vending Relationship Map
Status: draft
## Purpose
This relation artifact spells out how the STS credential-vending pattern
connects NetKingdom, Railiance, flex-auth, OpenBao, artifact-store, and
future tutorials.
## Relationship Summary
```text
IAM Profile
identifies caller
-> flex-auth
authorizes tenant/resource/action/TTL
-> credential-vending service
normalizes backend-specific temporary credential exchange
-> OpenBao
protects parent material and audit/lease evidence where used
-> object-storage backend
issues temporary credentials
-> artifact-store or other consumer
refreshes and uses scoped credentials
```
## Handoffs
| From | To | Handoff | Evidence |
| --- | --- | --- | --- |
| NetKingdom IAM Profile | credential-vending service | issuer, audience, subject, tenant, assurance claims | token validation test |
| credential-vending service | flex-auth | protected system, bucket, prefix, action set, TTL, context | decision envelope |
| flex-auth | Topaz | delegated PDP evaluation where used | policy load and decision log |
| credential-vending service | OpenBao | parent credential access, broker config, lease/audit metadata | OpenBao audit event |
| credential-vending service | backend STS/API | approved temporary credential request | backend response with expiration |
| credential-vending service | artifact-store | normalized temporary credentials | `AWS_SESSION_TOKEN` and expiration-aware refresh |
| artifact-store | audit sink | workload storage event with correlation id | workload audit record |
| pattern catalog | NK-WP-0009 | tutorial candidate | tutorial backlog item |
## Required Edges In The Infospace Graph
- STS source docs seed the STS pattern.
- STS pattern implements object-storage access capability.
- STS pattern uses delegated authorization.
- STS pattern uses OpenBao runtime secret authority.
- STS pattern requires artifact-store session-token support.
- STS pattern feeds NK-WP-0009 tutorial work.
## Open Questions
- Which backend is the first live exchange target: MinIO/AIStor, Ceph
RGW, AWS, or Cloudflare R2?
- Does the first implementation use a standalone service, controller, or
CLI plus `credential_process`?
- Where does durable cross-system audit correlation land?
- Which claim shape should become the IAM Profile minimum for workload
object-storage access?