net-kingdom/workplans/NK-WP-0007-object-storage-sts-credential-vending.md
tegwick 7b211acd57 Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008
Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority
  section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
  tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
  flex-auth/Topaz implications, Coulomb onboarding path, and a
  production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
  recursive platform/tenant split and OpenBao broker/audit role for
  object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
  boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 22:51:20 +02:00


---
id: NK-WP-0007
type: workplan
title: Object Storage STS Credential Vending
domain: netkingdom
repo: net-kingdom
status: done
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 7
created: 2026-05-17
updated: 2026-05-18
depends_on:
- NK-WP-0004
- NK-WP-0005
- NK-WP-0006
state_hub_workstream_id: "3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695"
---
# NK-WP-0007 - Object Storage STS Credential Vending
## Goal
Define and implement the canonical NetKingdom pattern for vending
short-lived object-storage credentials from verified identity and
policy decisions.
The intended runtime shape is:
1. key-cape or Keycloak issues and verifies NetKingdom IAM Profile
tokens.
2. flex-auth evaluates whether the subject may receive temporary S3
credentials for a specific bucket, prefix, action set, TTL, and
assurance level.
3. A small object-storage credential-vending service exchanges the
approved identity for storage-native temporary credentials.
4. Consumers such as artifact-store use temporary credentials without
owning the security policy.
## Context
Artifact-store needs to consume S3-compatible credentials, but the
credential-vending authority belongs to NetKingdom's identity and
security architecture. The surrounding ecosystem matters:
- key-cape is the lightweight NetKingdom IAM Profile implementation.
- Keycloak is the expanded-mode IAM implementation.
- Authelia, LLDAP, and privacyIDEA are backing components in the
lightweight stack, not object-storage policy owners.
- flex-auth owns policy-as-code decisions, resource/action vocabulary,
decision envelopes, delegated PDP adapters, and audit semantics.
- OpenBao is now part of the platform stack as the runtime secret
authority, dynamic credential broker where appropriate, and audit
source for secret access. It can broker or store credential material,
but it does not replace flex-auth authorization or provider-native STS
semantics.
- ops-warden and ops-bridge provide a useful precedent for short-lived
credentials and actor attribution, but they are SSH-specific and
should not be overloaded with object-storage credentials.
- Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate
object-storage credential issuers.
## Scope
In scope:
- define the object-storage credential-vending trust model
- define resource/action vocabulary for flex-auth
- define claim, audience, assurance, actor, tenant, bucket, prefix,
action, TTL, revocation, and audit requirements
- define lightweight-mode behavior with key-cape plus Authelia, LLDAP,
and privacyIDEA
- define expanded-mode behavior with Keycloak
- compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and
Cloudflare R2
- decide whether the vendor is a standalone NetKingdom service, a small
controller, or a reusable library plus CLI
- create consumer guidance for artifact-store and other S3 clients
Out of scope:
- implementing artifact-store S3 adapter refresh behavior
- deploying the object-storage backend itself
- replacing flex-auth with provider-specific bucket policies
- putting object-storage policy inside key-cape, ops-warden, or
ops-bridge
- letting OpenBao root/admin authority become the object-storage policy
model
## Recursive Platform Implications
This workplan depends on NK-WP-0006, so object-storage credential vending
must honor the platform/tenant split:
- `tenant:platform` may administer the vending service, OpenBao mounts,
storage backends, policy import pipeline, and audit retention.
- `tenant:coulomb` and future tenants may request scoped credentials only
for registered tenant resources.
- flex-auth decision envelopes must include tenant id, protected-system
id, bucket or prefix, action set, TTL, assurance evidence, obligations,
deny reasons, and audit correlation ids.
- CARING descriptors must mark whether a request is platform-scoped or
tenant-scoped; platform-scoped descriptor use is rare, reviewed, and
auditable.
- Topaz is the first delegated PDP runtime behind flex-auth. Its data and
policy loading must not give a tenant administrator control over
platform policies.
- OpenBao may broker, lease, audit, or store temporary credential
material after flex-auth approval. OpenBao must not become the source of
object-storage authorization policy, and tenants must not receive
OpenBao root tokens, unseal/recovery material, platform mounts, or
global auth-method control.
## Tasks
```task
id: NK-WP-0007-T1
status: done
priority: high
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
```
Document the target architecture in
`docs/object-storage-sts-credential-vending.md`, including actors,
trust boundaries, token flow, policy decision flow, credential lease
flow, and failure modes.
```task
id: NK-WP-0007-T2
status: done
priority: high
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
```
Define the flex-auth resource/action model for object storage:
protected-system id, bucket resources, prefix resources, actions
(`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, listing,
multipart operations), TTL limits, obligations, and deny reasons.
```task
id: NK-WP-0007-T3
status: done
priority: high
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
```
Define the IAM Profile requirements for credential vending:
accepted issuers, audiences, service-account subjects, human/admin
subjects, MFA/assurance claims, emergency principals, and local-dev
issuer restrictions.
```task
id: NK-WP-0007-T4
status: done
priority: medium
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
```
Assess backend STS implementations and write a decision record covering
Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary
credentials, and when OpenBao should broker, lease, audit, or store the
resulting credential material.
```task
id: NK-WP-0007-T5
status: done
priority: medium
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
```
Prototype the smallest credential-vending interface: CLI or HTTP
request shape, normalized response shape, lease metadata, audit event,
OpenBao lease/audit metadata where used, and a
`credential_process`-compatible option for SDK consumers.
```task
id: NK-WP-0007-T6
status: done
priority: medium
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
```
Create integration guidance for artifact-store and other consumers:
environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or
controller refresh options, and prohibited patterns such as long-lived
root access keys.
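As an added illustration of the tenant-scoping rules in "Recursive Platform Implications" and the T5/T6 interface shape (example code, not the NetKingdom repository's own), this Python sketch guards a constructed flex-auth style decision envelope before it is exchanged for storage credentials, emits the `credential_process` Version 1 JSON the AWS SDKs accept, and records a secret-free audit event. Envelope field names, the TTL ceiling, the resource registry, and the backend credential stand-in are assumptions.

```python
"""Added example, not NetKingdom project code: guard a flex-auth style
decision envelope before exchanging it for storage credentials, then emit
the credential_process JSON shape AWS SDKs accept. Field names assumed."""
from datetime import datetime, timedelta, timezone
PLATFORM_TENANT = "tenant:platform"
MAX_TTL_SECONDS = 3600  # assumed platform-wide ceiling on vended TTLs
# Assumed registry: prefixes each tenant has registered as its own resources.
REGISTERED_RESOURCES = {"tenant:coulomb": ("s3://coulomb-artifacts/",)}
# Constructed sample envelope carrying the fields the workplan requires.
SAMPLE_ENVELOPE = {
    "decision": "permit", "tenant_id": "tenant:coulomb", "scope": "tenant",
    "protected_system_id": "artifact-store",
    "resource": "s3://coulomb-artifacts/builds/", "actions": ["s3:PutObject"],
    "ttl_seconds": 900, "assurance": {"mfa": True}, "obligations": [],
    "deny_reasons": [], "correlation_id": "corr-0001",
}
SAMPLE_CREDS = {"access_key_id": "ASIAEXAMPLE", "secret_access_key": "x",
                "session_token": "y"}  # constructed stand-in for STS output
FIXED_NOW = datetime(2026, 5, 18, 12, 0, tzinfo=timezone.utc)  # for demos

class VendingDenied(Exception):
    """Envelope must not be exchanged; args carry the deny reasons."""

def check_envelope(env):
    """Return the TTL to vend, or raise VendingDenied with reasons."""
    if env.get("decision") != "permit":
        raise VendingDenied(env.get("deny_reasons") or ["not permitted"])
    tenant, resource = env["tenant_id"], env["resource"]
    if env.get("scope") == "platform":  # reserved for the platform tenant
        if tenant != PLATFORM_TENANT:
            raise VendingDenied(["platform scope requested by " + tenant])
    elif not resource.startswith(REGISTERED_RESOURCES.get(tenant, ())):
        raise VendingDenied([resource + " is not registered to " + tenant])
    if not env.get("actions") or not env.get("assurance"):
        raise VendingDenied(["missing action set or assurance evidence"])
    return min(int(env["ttl_seconds"]), MAX_TTL_SECONDS)  # clamp to ceiling

def credential_process_output(env, creds, now):
    """Shape backend temporary credentials as credential_process Version 1."""
    expiry = now + timedelta(seconds=check_envelope(env))
    return {"Version": 1, "AccessKeyId": creds["access_key_id"],
            "SecretAccessKey": creds["secret_access_key"],
            "SessionToken": creds["session_token"],
            "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}

def audit_event(env, now):
    """Audit record correlated to the decision; it never carries secrets."""
    return {"event": "object_storage_credential_vended", "at": now.isoformat(),
            "tenant_id": env["tenant_id"], "resource": env["resource"],
            "actions": env["actions"], "correlation_id": env["correlation_id"]}
```

Wiring `credential_process_output` behind an `aws configure` `credential_process` entry lets an SDK consumer such as artifact-store refresh on `Expiration` without ever holding a long-lived access key.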
## Implementation Review - 2026-05-18
Implemented as architecture and decision artifacts:
- `docs/object-storage-sts-credential-vending.md` defines the target
architecture, actors, trust boundaries, token flow, flex-auth
vocabulary, IAM Profile requirements, backend assessment, OpenBao
role, request/response prototype, audit event, failure modes, and
consumer guidance.
- `docs/adr/ADR-0008-object-storage-sts-credential-vending.md` records
the decision to use a provider-neutral NetKingdom vending boundary with
provider-native temporary credential mechanisms where possible.
The implementation deliberately stops before building a live vending
service. Service implementation belongs in a follow-up workplan once
artifact-store has session-token/refresh support and the Railiance
OpenBao bootstrap/unseal/break-glass work is ready.
## Acceptance Criteria
- NetKingdom has a canonical, provider-neutral pattern for object-storage
STS credential vending.
- flex-auth is the policy decision point for bucket/prefix/action/TTL
authorization.
- OpenBao is treated as runtime secret/lease infrastructure where useful,
not as the canonical authorization policy engine.
- key-cape and Keycloak are treated as IAM Profile implementations, not
object-storage policy engines.
- ops-warden and ops-bridge remain SSH/tunnel-specific but their
short-lived credential lessons are reused where appropriate.
- artifact-store has enough guidance to consume temporary credentials
without owning the vending authority.