net-kingdom/workplans/NK-WP-0007-object-storage-sts-credential-vending.md

---
id: NK-WP-0007
type: workplan
title: Object Storage STS Credential Vending
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 7
created: 2026-05-17
updated: 2026-05-17
depends_on:
- NK-WP-0004
- NK-WP-0005
- NK-WP-0006
state_hub_workstream_id: "3cbc81ec-7ad5-46cf-a4a0-fc5fe9873695"
---
# NK-WP-0007 - Object Storage STS Credential Vending
## Goal
Define and implement the canonical NetKingdom pattern for vending
short-lived object-storage credentials from verified identity and
policy decisions.
The intended runtime shape is:
1. key-cape or Keycloak issues and verifies NetKingdom IAM Profile
tokens.
2. flex-auth evaluates whether the subject may receive temporary S3
credentials for a specific bucket, prefix, action set, TTL, and
assurance level.
3. A small object-storage credential-vending service exchanges the
approved identity for storage-native temporary credentials.
4. Consumers such as artifact-store use temporary credentials without
owning the security policy.
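As an added illustration of steps 1 to 3 (not code from the net-kingdom repo or any of the components it names), the following Python sketches the vending flow end to end: issuer, audience and expiry checks on the IAM Profile claims, a bucket/prefix/action/assurance decision with the TTL clamped to a service ceiling, a provider-neutral backend call, and an audit event for both the allow and the deny path. Every name in it is a hypothetical, constructed value: the issuer hostnames, the claim layout (including a numeric `acr` assurance level), the `GRANTS` table that stands in for a flex-auth policy decision, and `fake_backend`, which stands in for the storage-native STS call and returns placeholder strings rather than real keys.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Tuple

# Hypothetical trust configuration for the vending service (constructed values).
ACCEPTED_ISSUERS = {
    "https://key-cape.netkingdom.example",  # lightweight mode issuer (hypothetical)
    "https://keycloak.netkingdom.example",  # expanded mode issuer (hypothetical)
}
EXPECTED_AUDIENCE = "netkingdom:object-storage-vendor"  # hypothetical audience
MAX_TTL_SECONDS = 3600  # ceiling the vendor enforces regardless of the request


@dataclass(frozen=True)
class VendRequest:
    bucket: str
    prefix: str
    actions: FrozenSet[str]  # e.g. {"s3:GetObject"}
    ttl_seconds: int


@dataclass
class Decision:
    allow: bool
    reason: str
    ttl_seconds: int = 0
    obligations: Dict[str, str] = field(default_factory=dict)


def verify_profile_claims(claims: dict, now: datetime) -> str:
    """Step 1: accept only tokens from a configured issuer, addressed to this
    service and not yet expired; returns the subject. Signature verification is
    assumed to have been done by the token library before this point."""
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        raise PermissionError("untrusted issuer")
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if EXPECTED_AUDIENCE not in aud_set:
        raise PermissionError("audience mismatch")
    if datetime.fromtimestamp(int(claims["exp"]), timezone.utc) <= now:
        raise PermissionError("token expired")
    return str(claims["sub"])


# Hypothetical stand-in for flex-auth: a static grant table keyed by subject.
# A real deployment would call the PDP and receive a decision envelope instead.
GRANTS = {
    "svc:artifact-store": {
        "bucket": "artifacts",
        "prefix": "releases/",
        "actions": frozenset({"s3:GetObject", "s3:PutObject"}),
        "min_acr": 1,
    },
}


def decide(subject: str, acr: int, req: VendRequest) -> Decision:
    """Step 2: bucket/prefix/action/assurance check; TTL is clamped to the ceiling."""
    grant = GRANTS.get(subject)
    if grant is None:
        return Decision(False, "no grant for subject")
    if req.bucket != grant["bucket"] or not req.prefix.startswith(grant["prefix"]):
        return Decision(False, "resource outside grant")
    if not req.actions <= grant["actions"]:
        return Decision(False, "action not granted")
    if acr < grant["min_acr"]:
        return Decision(False, "assurance level too low")
    ttl = min(max(req.ttl_seconds, 1), MAX_TTL_SECONDS)
    return Decision(True, "allow", ttl, {"prefix_scope": req.prefix})


Backend = Callable[[str, str, FrozenSet[str], int], Tuple[str, str, str]]


def fake_backend(bucket: str, prefix: str, actions: FrozenSet[str], ttl: int) -> Tuple[str, str, str]:
    """Placeholder for the storage-native STS exchange (constructed values, not real keys)."""
    return ("PLACEHOLDER_ACCESS_KEY", "PLACEHOLDER_SECRET", "PLACEHOLDER_SESSION_TOKEN")


def vend(claims: dict, req: VendRequest, now: datetime, backend: Backend = fake_backend):
    """Steps 1-3 together. Returns (lease or None, audit event); every path is audited."""
    audit = {"subject": None, "bucket": req.bucket, "prefix": req.prefix,
             "actions": sorted(req.actions), "at": now.isoformat()}
    try:
        subject = verify_profile_claims(claims, now)
    except PermissionError as exc:
        audit.update(outcome="deny", reason=str(exc))
        return None, audit
    audit["subject"] = subject
    decision = decide(subject, int(claims.get("acr", 0)), req)
    if not decision.allow:
        audit.update(outcome="deny", reason=decision.reason)
        return None, audit
    ak, sk, st = backend(req.bucket, req.prefix, req.actions, decision.ttl_seconds)
    lease = {
        "access_key_id": ak, "secret_access_key": sk, "session_token": st,
        "expires_at": now + timedelta(seconds=decision.ttl_seconds),
        "scope": {"bucket": req.bucket, "prefix": req.prefix, "actions": sorted(req.actions)},
        "obligations": decision.obligations,
    }
    audit.update(outcome="allow", ttl_seconds=decision.ttl_seconds)
    return lease, audit
```

The shape worth keeping from this sketch is that the vendor never consults bucket policy itself: it trusts the issuer set, asks the policy layer, clamps the TTL, and records one audit event per request whether or not a lease was issued. The deny reasons are plain strings here so that a PDP adapter can map them onto whatever deny vocabulary task T2 settles on.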
## Context
Artifact-store needs to consume S3-compatible credentials, but the
credential-vending authority belongs to NetKingdom's identity and
security architecture. The surrounding ecosystem matters:
- key-cape is the lightweight NetKingdom IAM Profile implementation.
- Keycloak is the expanded-mode IAM implementation.
- Authelia, LLDAP, and privacyIDEA are backing components in the
lightweight stack, not object-storage policy owners.
- flex-auth owns policy-as-code decisions, resource/action vocabulary,
decision envelopes, delegated PDP adapters, and audit semantics.
- ops-warden and ops-bridge provide a useful precedent for short-lived
credentials and actor attribution, but they are SSH-specific and
should not be overloaded with object-storage credentials.
- Ceph RGW, MinIO/AIStor, AWS STS, and Cloudflare R2 are candidate
object-storage credential issuers.
## Scope
In scope:
- define the object-storage credential-vending trust model
- define resource/action vocabulary for flex-auth
- define claim, audience, assurance, actor, tenant, bucket, prefix,
action, TTL, revocation, and audit requirements
- define lightweight-mode behavior with key-cape plus Authelia, LLDAP,
and privacyIDEA
- define expanded-mode behavior with Keycloak
- compare native STS paths for Ceph RGW, MinIO/AIStor, AWS STS, and
Cloudflare R2
- decide whether the vendor is a standalone NetKingdom service, a small
controller, or a reusable library plus CLI
- create consumer guidance for artifact-store and other S3 clients
Out of scope:
- implementing artifact-store S3 adapter refresh behavior
- deploying the object-storage backend itself
- replacing flex-auth with provider-specific bucket policies
- putting object-storage policy inside key-cape, ops-warden, or
ops-bridge
## Tasks
```task
id: NK-WP-0007-T1
status: todo
priority: high
state_hub_task_id: "3b50c48f-1ab2-4631-b176-d49d9d705f1e"
```
Document the target architecture in
`docs/object-storage-sts-credential-vending.md`, including actors,
trust boundaries, token flow, policy decision flow, credential lease
flow, and failure modes.
```task
id: NK-WP-0007-T2
status: todo
priority: high
state_hub_task_id: "5b942d22-6f29-4975-88fb-e3e5bcaf4029"
```
Define the flex-auth resource/action model for object storage:
protected-system id, bucket resources, prefix resources, actions
(`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`, listing,
multipart operations), TTL limits, obligations, and deny reasons.
```task
id: NK-WP-0007-T3
status: todo
priority: high
state_hub_task_id: "8d27e5b4-9bbb-4a53-a079-0df1047d755e"
```
Define the IAM Profile requirements for credential vending:
accepted issuers, audiences, service-account subjects, human/admin
subjects, MFA/assurance claims, emergency principals, and local-dev
issuer restrictions.
```task
id: NK-WP-0007-T4
status: todo
priority: medium
state_hub_task_id: "c0c4f297-6cff-419b-9ce3-be5537c92e93"
```
Assess backend STS implementations and write a decision record covering
Ceph RGW STS, MinIO/AIStor STS, AWS STS, Cloudflare R2 temporary
credentials, and whether OpenBao/Vault should broker any of these
directly.
```task
id: NK-WP-0007-T5
status: todo
priority: medium
state_hub_task_id: "ccb10b2d-6378-4824-90b1-c31bd882d93d"
```
Prototype the smallest credential-vending interface: CLI or HTTP
request shape, normalized response shape, lease metadata, audit event,
and a `credential_process`-compatible option for SDK consumers.
```task
id: NK-WP-0007-T6
status: todo
priority: medium
state_hub_task_id: "63c6859b-980e-44da-a5a6-b92a8a3225dd"
```
Create integration guidance for artifact-store and other consumers:
environment variables, `AWS_SESSION_TOKEN`, refresh behavior, sidecar or
controller refresh options, and prohibited patterns such as long-lived
root access keys.
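As an added example for tasks T5 and T6 together (not code from net-kingdom or artifact-store), the following Python shows the consumer-facing contract: rendering a normalized lease as the JSON document that the AWS SDK and CLI `credential_process` setting expects (`Version` 1, the key pair, `SessionToken`, and an ISO 8601 `Expiration` so the SDK refreshes on its own), the matching environment-variable form, a refresh decision with a safety margin, and a check that flags the prohibited pattern of a static access key with no session token. The lease field names and all key strings are hypothetical, constructed values; the `AKIA`/`ASIA` prefix check is an AWS-only heuristic and does not apply to Ceph RGW, MinIO/AIStor or R2 keys.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 in UTC, as credential_process expects


def to_credential_process(lease: dict) -> str:
    """Render a normalized lease (hypothetical field names) as credential_process JSON."""
    expires_at: datetime = lease["expires_at"]
    if expires_at.tzinfo is None:
        raise ValueError("lease expiry must be timezone-aware")
    doc = {
        "Version": 1,
        "AccessKeyId": lease["access_key_id"],
        "SecretAccessKey": lease["secret_access_key"],
        "SessionToken": lease["session_token"],
        "Expiration": expires_at.astimezone(timezone.utc).strftime(EXPIRATION_FORMAT),
    }
    return json.dumps(doc)


def parse_credential_process(output: str) -> dict:
    """Consumer side: accept only Version 1 documents that carry an Expiration,
    so a vendor that silently hands out long-lived keys is rejected."""
    doc = json.loads(output)
    if doc.get("Version") != 1:
        raise ValueError("unsupported credential_process Version")
    if "Expiration" not in doc:
        raise ValueError("refusing credentials without Expiration (would be long-lived)")
    expires_at = datetime.strptime(doc["Expiration"], EXPIRATION_FORMAT).replace(tzinfo=timezone.utc)
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc.get("SessionToken", ""),
        "expires_at": expires_at,
    }


def lease_env(lease: dict) -> Dict[str, str]:
    """Environment-variable form for consumers that read credentials from the environment."""
    return {
        "AWS_ACCESS_KEY_ID": lease["access_key_id"],
        "AWS_SECRET_ACCESS_KEY": lease["secret_access_key"],
        "AWS_SESSION_TOKEN": lease["session_token"],
    }


def needs_refresh(expires_at: datetime, now: datetime, margin_seconds: int = 300) -> bool:
    """Refresh ahead of expiry so in-flight requests (multipart uploads especially)
    do not fail part-way through a lease boundary."""
    return now + timedelta(seconds=margin_seconds) >= expires_at


def audit_prohibited_patterns(env: Dict[str, str]) -> List[str]:
    """Flag consumer configurations this workplan forbids."""
    findings = []
    access_key = env.get("AWS_ACCESS_KEY_ID", "")
    if access_key and not env.get("AWS_SESSION_TOKEN"):
        findings.append("AWS_ACCESS_KEY_ID set without AWS_SESSION_TOKEN: static, long-lived credential")
    if access_key.startswith("AKIA"):  # AWS-only heuristic: long-term IAM user keys use this prefix
        findings.append("AWS_ACCESS_KEY_ID has the AWS long-term key prefix AKIA")
    return findings
```

Wiring the vendor in through `credential_process` keeps refresh inside the SDK, which is the least custom code a consumer can carry; a sidecar or controller that writes the same document to a file the SDK reads is the alternative when the consumer cannot exec a helper. Either way the consumer holds only a session token and an expiry, never a root key.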
## Acceptance Criteria
- NetKingdom has a canonical, provider-neutral pattern for object-storage
STS credential vending.
- flex-auth is the policy decision point for bucket/prefix/action/TTL
authorization.
- key-cape and Keycloak are treated as IAM Profile implementations, not
object-storage policy engines.
- ops-warden and ops-bridge remain SSH/tunnel-specific, but their
short-lived credential lessons are reused where appropriate.
- artifact-store has enough guidance to consume temporary credentials
without owning the vending authority.