Refine the recursive platform security architecture to make OpenBao the canonical runtime secret authority, with SOPS/age, K8s Secrets, and the emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority section, rotation rules, and prohibited patterns (OpenBao-as-PDP, tenant platform-root)
- platform-identity-security-architecture: mark implemented; add flex-auth/Topaz implications, Coulomb onboarding path, and a production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add recursive platform/tenant split and OpenBao broker/audit role for object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | depends_on | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NK-WP-0007 | workplan | Object Storage STS Credential Vending | netkingdom | net-kingdom | done | codex | netkingdom | high | 7 | 2026-05-17 | 2026-05-18 | | 3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695 |
NK-WP-0007 - Object Storage STS Credential Vending
Goal
Define and implement the canonical NetKingdom pattern for vending short-lived object-storage credentials from verified identity and policy decisions.
The intended runtime shape is:
- key-cape or Keycloak issues and verifies NetKingdom IAM Profile tokens.
- flex-auth evaluates whether the subject may receive temporary S3 credentials for a specific bucket, prefix, action set, TTL, and assurance level.
- A small object-storage credential-vending service exchanges the approved identity for storage-native temporary credentials.
- Consumers such as artifact-store use temporary credentials without owning the security policy.
Context
Artifact-store needs to consume S3-compatible credentials, but the credential-vending authority belongs to NetKingdom's identity and security architecture. The surrounding ecosystem matters:
- key-cape is the lightweight NetKingdom IAM Profile implementation.
- Keycloak is the expanded-mode IAM implementation.
- Authelia, LLDAP, and privacyIDEA are backing components in the lightweight stack, not object-storage policy owners.
- flex-auth owns policy-as-code decisions, resource/action vocabulary, decision envelopes, delegated PDP adapters, and audit semantics.
- OpenBao is now part of the platform stack as the runtime secret authority, dynamic credential broker where appropriate, and audit source for secret access. It can broker or store credential material, but it does not replace flex-auth authorization or provider-native STS semantics.
- ops-warden and ops-bridge provide a useful precedent for short-lived credentials and actor attribution, but they are SSH-specific and should not be overloaded with object-storage credentials.
- Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate object-storage credential issuers.
Scope
In scope:
- define the object-storage credential-vending trust model
- define resource/action vocabulary for flex-auth
- define claim, audience, assurance, actor, tenant, bucket, prefix, action, TTL, revocation, and audit requirements
- define lightweight-mode behavior with key-cape plus Authelia, LLDAP, and privacyIDEA
- define expanded-mode behavior with Keycloak
- compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2
- decide whether the vendor is a standalone NetKingdom service, a small controller, or a reusable library plus CLI
- create consumer guidance for artifact-store and other S3 clients
Out of scope:
- implementing artifact-store S3 adapter refresh behavior
- deploying the object-storage backend itself
- replacing flex-auth with provider-specific bucket policies
- putting object-storage policy inside key-cape, ops-warden, or ops-bridge
- letting OpenBao root/admin authority become the object-storage policy model
Recursive Platform Implications
This workplan depends on NK-WP-0006, so object-storage credential vending must honor the platform/tenant split:
- `tenant:platform` may administer the vending service, OpenBao mounts, storage backends, policy import pipeline, and audit retention.
- `tenant:coulomb` and future tenants may request scoped credentials only for registered tenant resources.
- flex-auth decision envelopes must include tenant id, protected-system id, bucket or prefix, action set, TTL, assurance evidence, obligations, deny reasons, and audit correlation ids.
- CARING descriptors must mark whether a request is platform-scoped or tenant-scoped; platform-scoped descriptor use is rare, reviewed, and auditable.
- Topaz is the first delegated PDP runtime behind flex-auth. Its data and policy loading must not give a tenant administrator control over platform policies.
- OpenBao may broker, lease, audit, or store temporary credential material after flex-auth approval. OpenBao must not become the source of object-storage authorization policy, and tenants must not receive OpenBao root tokens, unseal/recovery material, platform mounts, or global auth-method control.
Tasks
id: NK-WP-0007-T1
status: done
priority: high
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
Document the target architecture in
docs/object-storage-sts-credential-vending.md, including actors,
trust boundaries, token flow, policy decision flow, credential lease
flow, and failure modes.
id: NK-WP-0007-T2
status: done
priority: high
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
Define the flex-auth resource/action model for object storage:
protected-system id, bucket resources, prefix resources, actions
(s3:GetObject, s3:PutObject, s3:DeleteObject, listing,
multipart operations), TTL limits, obligations, and deny reasons.
id: NK-WP-0007-T3
status: done
priority: high
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
Define the IAM Profile requirements for credential vending: accepted issuers, audiences, service-account subjects, human/admin subjects, MFA/assurance claims, emergency principals, and local-dev issuer restrictions.
id: NK-WP-0007-T4
status: done
priority: medium
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
Assess backend STS implementations and write a decision record covering Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary credentials, and when OpenBao should broker, lease, audit, or store the resulting credential material.
id: NK-WP-0007-T5
status: done
priority: medium
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
Prototype the smallest credential-vending interface: CLI or HTTP
request shape, normalized response shape, lease metadata, audit event,
OpenBao lease/audit metadata where used, and a
credential_process-compatible option for SDK consumers.
id: NK-WP-0007-T6
status: done
priority: medium
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
Create integration guidance for artifact-store and other consumers:
environment variables, AWS_SESSION_TOKEN, refresh behavior, sidecar or
controller refresh options, and prohibited patterns such as long-lived
root access keys.
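An added illustration (not NetKingdom's own code) of the vending boundary described under Recursive Platform Implications and the normalized response shape called for in T5/T6: it validates a flex-auth decision envelope, enforces the platform/tenant split against a bucket registry, caps the lease TTL, and returns an AWS `credential_process`-shaped result together with the audit event the vendor would emit. The envelope field names, the registry, the TTL cap and the credential values are all assumptions constructed for the example; a real vendor would obtain the credentials from the provider-native STS endpoint after these checks pass.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical registry of buckets each tenant has registered; tenant:platform owns none.
TENANT_BUCKETS = {"tenant:coulomb": {"coulomb-artifacts"}}
MAX_TTL_SECONDS = 3600  # hypothetical platform-wide lease cap
REQUIRED_FIELDS = ("tenant_id", "protected_system_id", "bucket", "actions",
                   "ttl_seconds", "assurance", "decision", "correlation_id")

def validate_envelope(env: dict) -> None:
    """Reject a decision envelope (hypothetical field names) that lacks required fields."""
    missing = [k for k in REQUIRED_FIELDS if k not in env]
    if missing:
        raise ValueError(f"envelope missing fields: {missing}")

def check_tenant_scope(env: dict) -> None:
    """Tenants get credentials only for registered buckets; platform scope needs an explicit flag."""
    tenant = env["tenant_id"]
    if env.get("platform_scoped", False):
        if tenant != "tenant:platform":
            raise PermissionError(f"platform-scoped request from {tenant}")
        return
    if env["bucket"] not in TENANT_BUCKETS.get(tenant, set()):
        raise PermissionError(f"bucket {env['bucket']} not registered to {tenant}")

def vend(env: dict, now: "datetime | None" = None) -> dict:
    """Exchange an approved envelope for credential_process-shaped credentials plus an audit event."""
    validate_envelope(env)
    if env["decision"] != "allow":  # flex-auth denied; the vendor never overrides the PDP
        raise PermissionError(f"denied: {env.get('deny_reasons', [])}")
    check_tenant_scope(env)
    ttl = min(int(env["ttl_seconds"]), MAX_TTL_SECONDS)  # cap the lease, never extend it
    expiration = (now or datetime.now(timezone.utc)) + timedelta(seconds=ttl)
    return {  # credential values below are constructed placeholders, not a real STS reply
        "credential_process": {"Version": 1, "AccessKeyId": "EXAMPLE-ACCESS-KEY-ID",
                               "SecretAccessKey": "EXAMPLE-SECRET-KEY",
                               "SessionToken": "EXAMPLE-SESSION-TOKEN",
                               "Expiration": expiration.strftime("%Y-%m-%dT%H:%M:%SZ")},
        "audit_event": {"tenant_id": env["tenant_id"], "bucket": env["bucket"],
                        "protected_system_id": env["protected_system_id"],
                        "actions": sorted(env["actions"]), "ttl_seconds": ttl,
                        "assurance": env["assurance"], "correlation_id": env["correlation_id"]},
    }

# Constructed sample envelope in the hypothetical shape flex-auth would return.
EXAMPLE_ENVELOPE = {"tenant_id": "tenant:coulomb", "protected_system_id": "object-storage",
                    "bucket": "coulomb-artifacts", "actions": ["s3:PutObject", "s3:GetObject"],
                    "ttl_seconds": 7200, "assurance": "mfa", "decision": "allow", "correlation_id": "corr-0001"}

if __name__ == "__main__":
    print(vend(EXAMPLE_ENVELOPE))
```

The `credential_process` object is the JSON an AWS SDK expects from an external credential provider, so a CLI wrapper printing only that part is the SDK-consumer option T5 names.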
Implementation Review - 2026-05-18
Implemented as architecture and decision artifacts:
- `docs/object-storage-sts-credential-vending.md` defines the target architecture, actors, trust boundaries, token flow, flex-auth vocabulary, IAM Profile requirements, backend assessment, OpenBao role, request/response prototype, audit event, failure modes, and consumer guidance.
- `docs/adr/ADR-0008-object-storage-sts-credential-vending.md` records the decision to use a provider-neutral NetKingdom vending boundary with provider-native temporary credential mechanisms where possible.
The implementation deliberately stops before building a live vending service. Service implementation belongs in a follow-up workplan once artifact-store has session-token/refresh support and the Railiance OpenBao bootstrap/unseal/break-glass work is ready.
Acceptance Criteria
- NetKingdom has a canonical, provider-neutral pattern for object-storage STS credential vending.
- flex-auth is the policy decision point for bucket/prefix/action/TTL authorization.
- OpenBao is treated as runtime secret/lease infrastructure where useful, not as the canonical authorization policy engine.
- key-cape and Keycloak are treated as IAM Profile implementations, not object-storage policy engines.
- ops-warden and ops-bridge remain SSH/tunnel-specific but their short-lived credential lessons are reused where appropriate.
- artifact-store has enough guidance to consume temporary credentials without owning the vending authority.