net-kingdom/workplans/NK-WP-0007-object-storage-sts-credential-vending.md

id: NK-WP-0007
type: workplan
title: Object Storage STS Credential Vending
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 7
created: 2026-05-17
updated: 2026-05-17
depends_on:
  - NK-WP-0004
  - NK-WP-0005
  - NK-WP-0006
state_hub_workstream_id: "3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695"

NK-WP-0007 - Object Storage STS Credential Vending

Goal

Define and implement the canonical NetKingdom pattern for vending short-lived object-storage credentials from verified identity and policy decisions.

The intended runtime shape is:

  1. key-cape or Keycloak issues and verifies NetKingdom IAM Profile tokens.
  2. flex-auth evaluates whether the subject may receive temporary S3 credentials for a specific bucket, prefix, action set, TTL, and assurance level.
  3. A small object-storage credential-vending service exchanges the approved identity for storage-native temporary credentials.
  4. Consumers such as artifact-store use temporary credentials without owning the security policy.

Context

Artifact-store needs to consume S3-compatible credentials, but the credential-vending authority belongs to NetKingdom's identity and security architecture. The surrounding ecosystem matters:

  • key-cape is the lightweight NetKingdom IAM Profile implementation.
  • Keycloak is the expanded-mode IAM implementation.
  • Authelia, LLDAP, and privacyIDEA are backing components in the lightweight stack, not object-storage policy owners.
  • flex-auth owns policy-as-code decisions, resource/action vocabulary, decision envelopes, delegated PDP adapters, and audit semantics.
  • ops-warden and ops-bridge provide a useful precedent for short-lived credentials and actor attribution, but they are SSH-specific and should not be overloaded with object-storage credentials.
  • Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate object-storage credential issuers.

Scope

In scope:

  • define the object-storage credential-vending trust model
  • define resource/action vocabulary for flex-auth
  • define claim, audience, assurance, actor, tenant, bucket, prefix, action, TTL, revocation, and audit requirements
  • define lightweight-mode behavior with key-cape plus Authelia, LLDAP, and privacyIDEA
  • define expanded-mode behavior with Keycloak
  • compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2
  • decide whether the vendor is a standalone NetKingdom service, a small controller, or a reusable library plus CLI
  • create consumer guidance for artifact-store and other S3 clients

Out of scope:

  • implementing artifact-store S3 adapter refresh behavior
  • deploying the object-storage backend itself
  • replacing flex-auth with provider-specific bucket policies
  • putting object-storage policy inside key-cape, ops-warden, or ops-bridge

Tasks

id: NK-WP-0007-T1
status: todo
priority: high
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"

Document the target architecture in docs/object-storage-sts-credential-vending.md, including actors, trust boundaries, token flow, policy decision flow, credential lease flow, and failure modes.

id: NK-WP-0007-T2
status: todo
priority: high
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"

Define the flex-auth resource/action model for object storage: protected-system id, bucket resources, prefix resources, actions (s3:GetObject, s3:PutObject, s3:DeleteObject, listing, multipart operations), TTL limits, obligations, and deny reasons.

id: NK-WP-0007-T3
status: todo
priority: high
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"

Define the IAM Profile requirements for credential vending: accepted issuers, audiences, service-account subjects, human/admin subjects, MFA/assurance claims, emergency principals, and local-dev issuer restrictions.

id: NK-WP-0007-T4
status: todo
priority: medium
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"

Assess backend STS implementations and write a decision record covering Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary credentials, and whether OpenBao/Vault should broker any of these directly.

id: NK-WP-0007-T5
status: todo
priority: medium
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"

Prototype the smallest credential-vending interface: CLI or HTTP request shape, normalized response shape, lease metadata, audit event, and a credential_process-compatible option for SDK consumers.

id: NK-WP-0007-T6
status: todo
priority: medium
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"

Create integration guidance for artifact-store and other consumers: environment variables, AWS_SESSION_TOKEN, refresh behavior, sidecar or controller refresh options, and prohibited patterns such as long-lived root access keys.
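The following is an added sketch, not NetKingdom or flex-auth code, of the runtime shape in the Goal section and the T5/T6 interface: an approved bucket/prefix/action/TTL decision is turned into a scope-down session policy for the STS exchange, the TTL is clamped to a vendor ceiling, and the result is emitted in the AWS SDK `credential_process` JSON shape. The `Decision` dataclass, `MAX_TTL_SECONDS`, and `fake_exchange` are assumptions standing in for the real flex-auth envelope and the storage backend's STS call.

```python
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL_SECONDS = 3600  # assumed vendor ceiling; the real limit would come from flex-auth obligations

@dataclass(frozen=True)
class Decision:
    """Assumed shape of an approved flex-auth decision (hypothetical, not flex-auth's real envelope)."""
    subject: str
    bucket: str
    prefix: str       # object-key prefix the subject may touch, e.g. "team-a/"
    actions: tuple    # S3 actions granted, e.g. ("s3:GetObject", "s3:ListBucket")
    ttl_seconds: int  # TTL approved by policy (clamped again below)

def build_session_policy(d: Decision) -> dict:
    """Scope-down policy for the STS exchange: the lease reaches only the approved bucket/prefix/actions."""
    object_actions = sorted(a for a in d.actions if a != "s3:ListBucket")
    statements = []
    if object_actions:
        statements.append({"Effect": "Allow", "Action": object_actions,
                           "Resource": f"arn:aws:s3:::{d.bucket}/{d.prefix}*"})
    if "s3:ListBucket" in d.actions:  # listing is bucket-level, so confine it with the s3:prefix condition key
        statements.append({"Effect": "Allow", "Action": ["s3:ListBucket"],
                           "Resource": f"arn:aws:s3:::{d.bucket}",
                           "Condition": {"StringLike": {"s3:prefix": [f"{d.prefix}*"]}}})
    return {"Version": "2012-10-17", "Statement": statements}

def clamp_ttl(requested: int) -> int:
    if requested <= 0:  # a zero or negative lease is a policy bug, not something to round up
        raise ValueError("ttl_seconds must be positive")
    return min(requested, MAX_TTL_SECONDS)

def lease_expiration(issued_at: float, ttl: int) -> str:
    # RFC 3339 UTC string in the form the AWS SDK credential_process contract expects
    exp = datetime.fromtimestamp(issued_at, tz=timezone.utc) + timedelta(seconds=ttl)
    return exp.isoformat().replace("+00:00", "Z")

def vend(d: Decision, exchange, issued_at=None) -> dict:
    """exchange(policy, ttl) stands in for the storage-native STS call; output is credential_process JSON (Version 1)."""
    ttl = clamp_ttl(d.ttl_seconds)
    creds = exchange(build_session_policy(d), ttl)
    return {"Version": 1, "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"], "SessionToken": creds["SessionToken"],
            "Expiration": lease_expiration(time.time() if issued_at is None else issued_at, ttl)}

def fake_exchange(policy: dict, ttl: int) -> dict:
    """Constructed stand-in for Ceph RGW / MinIO / AWS STS; returns placeholder values only."""
    return {"AccessKeyId": "ASIA-PLACEHOLDER", "SecretAccessKey": "SECRET-PLACEHOLDER",
            "SessionToken": "TOKEN-PLACEHOLDER"}
```

Because the scope-down policy is built from the decision rather than from the backend's bucket policy, the vendor stays provider-neutral and flex-auth remains the only place where bucket/prefix/action/TTL authorization is decided.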

Acceptance Criteria

  • NetKingdom has a canonical, provider-neutral pattern for object-storage STS credential vending.
  • flex-auth is the policy decision point for bucket/prefix/action/TTL authorization.
  • key-cape and Keycloak are treated as IAM Profile implementations, not object-storage policy engines.
  • ops-warden and ops-bridge remain SSH/tunnel-specific but their short-lived credential lessons are reused where appropriate.
  • artifact-store has enough guidance to consume temporary credentials without owning the vending authority.