Implement NK-WP-0012 IAM profile specification

2026-05-22 14:35:31 +02:00
parent 48cd174b00
commit c3f721397a
12 changed files with 1649 additions and 39 deletions


@@ -184,6 +184,11 @@ TTL policy:
## IAM Profile Requirements
The canonical token contract is NetKingdom IAM Profile v0.2
(`canon/standards/iam-profile_v0.2.md`). The vending service consumes the
profile as normalized identity input and sends resource-specific
authorization questions to flex-auth.
Accepted issuers:
- key-cape lightweight mode for local, sandbox, and small deployments;
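Review bot: the new section hard-codes the profile version twice ("IAM Profile v0.2" and the path `canon/standards/iam-profile_v0.2.md`) without saying what the vending service does when a token carries a different profile version; add one sentence on whether v0.2 is the only accepted version or the minimum, and how a newer profile is rolled out without editing this paragraph. The sentence "sends resource-specific authorization questions to flex-auth" also leaves the split undefined: state that identity normalization (issuer, `sub`, `tenant`) happens here and that all allow/deny decisions are flex-auth's, so readers do not assume the vending service makes authorization calls of its own.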
@@ -198,10 +203,9 @@ Required token properties:
exchange audience;
- `sub` is stable for the principal;
- `exp`, `nbf`, and `iat` are present and within skew tolerance;
- `tenant` or equivalent tenant mapping is present for tenant-scoped
requests;
- service accounts and agents are distinguishable from humans;
- assurance/MFA claims are present when policy needs them;
- `tenant` is present for every request;
- `principal_type` distinguishes humans, service accounts, and agents;
- `assurance` is present, including MFA evidence where policy needs it;
- groups or roles are mapped through IAM Profile semantics, not
provider-specific bucket policy.
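Review bot: replacing "`tenant` or equivalent tenant mapping is present for tenant-scoped requests" with "`tenant` is present for every request" silently drops the non-tenant-scoped case; say what value platform-level or cross-tenant requests carry (a reserved tenant, or an explicit exception) so they are not rejected as malformed. The new line "`assurance` is present, including MFA evidence where policy needs it" is ambiguous in the same way the old one was: it reads as "the claim is always required, MFA inside it is conditional", so spell that out, and name where the policy that decides "where policy needs it" lives. Finally, "within skew tolerance" on the `exp`/`nbf`/`iat` line is carried over unchanged without a number or a reference; link the tolerance to the TTL policy this section sits under.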