--- id: NK-WP-0007 type: workplan title: Object Storage STS Credential Vending domain: netkingdom repo: net-kingdom status: proposed owner: codex topic_slug: netkingdom planning_priority: high planning_order: 7 created: 2026-05-17 updated: 2026-05-17 depends_on: - NK-WP-0004 - NK-WP-0005 - NK-WP-0006 state_hub_workstream_id: "3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695" --- # NK-WP-0007 - Object Storage STS Credential Vending ## Goal Define and implement the canonical NetKingdom pattern for vending short-lived object-storage credentials from verified identity and policy decisions. The intended runtime shape is: 1. key-cape or Keycloak issues and verifies NetKingdom IAM Profile tokens. 2. flex-auth evaluates whether the subject may receive temporary S3 credentials for a specific bucket, prefix, action set, TTL, and assurance level. 3. A small object-storage credential-vending service exchanges the approved identity for storage-native temporary credentials. 4. Consumers such as artifact-store use temporary credentials without owning the security policy. ## Context Artifact-store needs to consume S3-compatible credentials, but the credential-vending authority belongs to NetKingdom's identity and security architecture. The surrounding ecosystem matters: - key-cape is the lightweight NetKingdom IAM Profile implementation. - Keycloak is the expanded-mode IAM implementation. - Authelia, LLDAP, and privacyIDEA are backing components in the lightweight stack, not object-storage policy owners. - flex-auth owns policy-as-code decisions, resource/action vocabulary, decision envelopes, delegated PDP adapters, and audit semantics. - ops-warden and ops-bridge provide a useful precedent for short-lived credentials and actor attribution, but they are SSH-specific and should not be overloaded with object-storage credentials. - Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate object-storage credential issuers. ## Scope In scope: - define the object-storage credential-vending trust model - define resource/action vocabulary for flex-auth - define claim, audience, assurance, actor, tenant, bucket, prefix, action, TTL, revocation, and audit requirements - define lightweight-mode behavior with key-cape plus Authelia, LLDAP, and privacyIDEA - define expanded-mode behavior with Keycloak - compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 - decide whether the vendor is a standalone NetKingdom service, a small controller, or a reusable library plus CLI - create consumer guidance for artifact-store and other S3 clients Out of scope: - implementing artifact-store S3 adapter refresh behavior - deploying the object-storage backend itself - replacing flex-auth with provider-specific bucket policies - putting object-storage policy inside key-cape, ops-warden, or ops-bridge ## Tasks ```task id: NK-WP-0007-T1 status: todo priority: high state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e" ``` Document the target architecture in `docs/object-storage-sts-credential-vending.md`, including actors, trust boundaries, token flow, policy decision flow, credential lease flow, and failure modes. ```task id: NK-WP-0007-T2 status: todo priority: high state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029" ``` Define the flex-auth resource/action model for object storage: protected-system id, bucket resources, prefix resources, actions (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, listing, multipart operations), TTL limits, obligations, and deny reasons. ```task id: NK-WP-0007-T3 status: todo priority: high state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e" ``` Define the IAM Profile requirements for credential vending: accepted issuers, audiences, service-account subjects, human/admin subjects, MFA/assurance claims, emergency principals, and local-dev issuer restrictions. ```task id: NK-WP-0007-T4 status: todo priority: medium state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93" ``` Assess backend STS implementations and write a decision record covering Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary credentials, and whether OpenBao/Vault should broker any of these directly. ```task id: NK-WP-0007-T5 status: todo priority: medium state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d" ``` Prototype the smallest credential-vending interface: CLI or HTTP request shape, normalized response shape, lease metadata, audit event, and a `credential_process`-compatible option for SDK consumers. ```task id: NK-WP-0007-T6 status: todo priority: medium state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd" ``` Create integration guidance for artifact-store and other consumers: environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or controller refresh options, and prohibited patterns such as long-lived root access keys. ## Acceptance Criteria - NetKingdom has a canonical, provider-neutral pattern for object-storage STS credential vending. - flex-auth is the policy decision point for bucket/prefix/action/TTL authorization. - key-cape and Keycloak are treated as IAM Profile implementations, not object-storage policy engines. - ops-warden and ops-bridge remain SSH/tunnel-specific but their short-lived credential lessons are reused where appropriate. - artifact-store has enough guidance to consume temporary credentials without owning the vending authority.