generated from coulomb/repo-seed
59 lines
2.4 KiB
Markdown
59 lines
2.4 KiB
Markdown
# STS Credential Vending Relationship Map
|
|
|
|
Status: draft
|
|
|
|
## Purpose
|
|
|
|
This relation artifact spells out how the STS credential-vending pattern
|
|
connects NetKingdom, Railiance, flex-auth, OpenBao, artifact-store, and
|
|
future tutorials.
|
|
|
|
## Relationship Summary
|
|
|
|
```text
|
|
IAM Profile
|
|
identifies caller
|
|
-> flex-auth
|
|
authorizes tenant/resource/action/TTL
|
|
-> credential-vending service
|
|
normalizes backend-specific temporary credential exchange
|
|
-> OpenBao
|
|
protects parent material and audit/lease evidence where used
|
|
-> object-storage backend
|
|
issues temporary credentials
|
|
-> artifact-store or other consumer
|
|
refreshes and uses scoped credentials
|
|
```
|
|
|
|
## Handoffs
|
|
|
|
| From | To | Handoff | Evidence |
|
|
| --- | --- | --- | --- |
|
|
| NetKingdom IAM Profile | credential-vending service | issuer, audience, subject, tenant, assurance claims | token validation test |
|
|
| credential-vending service | flex-auth | protected system, bucket, prefix, action set, TTL, context | decision envelope |
|
|
| flex-auth | Topaz | delegated PDP evaluation where used | policy load and decision log |
|
|
| credential-vending service | OpenBao | parent credential access, broker config, lease/audit metadata | OpenBao audit event |
|
|
| credential-vending service | backend STS/API | approved temporary credential request | backend response with expiration |
|
|
| credential-vending service | artifact-store | normalized temporary credentials | `AWS_SESSION_TOKEN` and expiration-aware refresh |
|
|
| artifact-store | audit sink | workload storage event with correlation id | workload audit record |
|
|
| pattern catalog | NK-WP-0009 | tutorial candidate | tutorial backlog item |
|
|
|
|
## Required Edges In The Infospace Graph
|
|
|
|
- STS source docs seed the STS pattern.
|
|
- STS pattern implements object-storage access capability.
|
|
- STS pattern uses delegated authorization.
|
|
- STS pattern uses OpenBao runtime secret authority.
|
|
- STS pattern requires artifact-store session-token support.
|
|
- STS pattern feeds NK-WP-0009 tutorial work.
|
|
|
|
## Open Questions
|
|
|
|
- Which backend is the first live exchange target: MinIO/AIStor, Ceph
|
|
RGW, AWS, or Cloudflare R2?
|
|
- Does the first implementation use a standalone service, controller, or
|
|
CLI plus `credential_process`?
|
|
- Where does durable cross-system audit correlation land?
|
|
- Which claim shape should become the IAM Profile minimum for workload
|
|
object-storage access?
|