generated from coulomb/repo-seed
Implement NK-WP-0012 IAM profile specification
@@ -184,6 +184,11 @@ TTL policy:
## IAM Profile Requirements
The canonical token contract is NetKingdom IAM Profile v0.2
(`canon/standards/iam-profile_v0.2.md`). The vending service consumes the
profile as normalized identity input and sends resource-specific
authorization questions to flex-auth.
Accepted issuers:
- key-cape lightweight mode for local, sandbox, and small deployments;
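Review bot: the new section pins the contract to IAM Profile v0.2 by name and by the path `canon/standards/iam-profile_v0.2.md`, but nothing here says what the vending service does when a token does not satisfy the profile; add a sentence stating that the request is rejected before any authorization question is sent to flex-auth, so the profile check is the gate and flex-auth only ever receives normalized identity input. The `Accepted issuers` entry scopes key-cape lightweight mode to "local, sandbox, and small deployments"; state explicitly whether that mode is disallowed in production or must be enabled per deployment, otherwise the scope reads as advice rather than a requirement.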
@@ -198,10 +203,9 @@ Required token properties:
exchange audience;
- `sub` is stable for the principal;
- `exp`, `nbf`, and `iat` are present and within skew tolerance;
- `tenant` or equivalent tenant mapping is present for tenant-scoped
requests;
- service accounts and agents are distinguishable from humans;
- assurance/MFA claims are present when policy needs them;
- `tenant` is present for every request;
- `principal_type` distinguishes humans, service accounts, and agents;
- `assurance` is present, including MFA evidence where policy needs it;
- groups or roles are mapped through IAM Profile semantics, not
provider-specific bucket policy.
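Review bot: replacing "`tenant` or equivalent tenant mapping is present for tenant-scoped requests" with "`tenant` is present for every request", and making `assurance` unconditionally present, will reject tokens from any issuer that only supplied an equivalent mapping or omitted `assurance` when policy did not need it; the hunk carries no migration or cutover note, so add one (or state that no such tokens exist yet). The new `principal_type` line names humans, service accounts, and agents but not the claim's literal values, and `assurance` says "MFA evidence" without saying what form that evidence takes; either enumerate the values here or point to the part of the v0.2 profile that defines them, and say what `tenant` carries for requests that are not tenant-scoped, since the old wording allowed it to be absent there.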