generated from coulomb/repo-seed
Complete WARDEN-WP-0012 routing scenario playbooks
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect, object-storage STS, and database dynamic credentials. Extend the routing catalog with draft entries and implement `warden route list --stale` for quarterly drift review. Document the review cadence in AccessRouting and mark the workplan finished.
This commit is contained in:
123
wiki/playbooks/object-storage-sts.md
Normal file
123
wiki/playbooks/object-storage-sts.md
Normal file
@@ -0,0 +1,123 @@
|
||||
# Object-Storage STS Credential Vending
|
||||
|
||||
Date: 2026-06-24
|
||||
Workplan: WARDEN-WP-0012 T4
|
||||
Catalog: `object-storage-sts` (draft until vending path ships)
|
||||
|
||||
Pointer playbook for short-lived S3-compatible credentials. NetKingdom canon
|
||||
defines the pattern; `flex-auth` decides, OpenBao brokers, `railiance-platform`
|
||||
configures backends, and consumers (e.g. `artifact-store`) refresh credentials.
|
||||
|
||||
ops-warden does not vend object-storage credentials.
|
||||
|
||||
---
|
||||
|
||||
## Owners
|
||||
|
||||
| Concern | Owner repo | Authoritative doc |
|
||||
| --- | --- | --- |
|
||||
| Architecture and trust boundaries | `net-kingdom` | `docs/object-storage-sts-credential-vending.md` |
|
||||
| Policy decision (may this principal access bucket/prefix?) | `flex-auth` | `INTENT.md` |
|
||||
| OpenBao broker config, audit, bootstrap parent creds | `railiance-platform` | `docs/openbao.md` — Artifact-Store handoff |
|
||||
| S3 client refresh and package behavior | `artifact-store` | `ARTIFACT-STORE-WP-0007` |
|
||||
|
||||
---
|
||||
|
||||
## Do not ask ops-warden
|
||||
|
||||
```bash
|
||||
warden route show openbao-api-key --json
|
||||
warden route show object-storage-sts --json # after promotion
|
||||
```
|
||||
|
||||
Never paste access keys, session tokens, or parent credentials in Git, State Hub,
|
||||
logs, or agent chat.
|
||||
|
||||
---
|
||||
|
||||
## Core flow (pointer only)
|
||||
|
||||
Full procedure is in net-kingdom canon. Summary for routing:
|
||||
|
||||
```text
|
||||
Principal (human/service/agent)
|
||||
→ IAM Profile token (key-cape / Keycloak)
|
||||
→ credential-vending service
|
||||
→ flex-auth decision (tenant, bucket, prefix, actions, TTL)
|
||||
→ backend exchange (STS / OpenBao-assisted broker)
|
||||
→ temporary S3 credentials → consumer
|
||||
```
|
||||
|
||||
OpenBao is runtime secret infrastructure — not the canonical authorization engine.
|
||||
|
||||
---
|
||||
|
||||
## Platform path conventions
|
||||
|
||||
From `railiance-platform/docs/openbao.md`:
|
||||
|
||||
```text
|
||||
platform/object-storage/<consumer>
|
||||
```
|
||||
|
||||
Example bootstrap bridge (static key, pre-STS):
|
||||
|
||||
```text
|
||||
platform/object-storage/artifact-store
|
||||
```
|
||||
|
||||
STS vending remains governed by NK-WP-0007 / `ARTIFACT-STORE-WP-0007`. Promote
|
||||
catalog entry to `active` only when the approved vending path for your consumer
|
||||
exists in live OpenBao policy and canon.
|
||||
|
||||
---
|
||||
|
||||
## Worker checklist
|
||||
|
||||
### 1. Confirm consumer and canon
|
||||
|
||||
- [ ] Read `net-kingdom/docs/object-storage-sts-credential-vending.md`
|
||||
- [ ] Identify `protected_system_id` (e.g. `object-storage:artifact-store-prod`)
|
||||
- [ ] Confirm flex-auth policy package for your tenant/resource
|
||||
|
||||
### 2. Authorization before secret read
|
||||
|
||||
- [ ] Obtain IAM Profile token with required claims
|
||||
- [ ] flex-auth returns allow + obligations (TTL, prefix scope, actions)
|
||||
- [ ] Do not skip flex-auth and read parent credentials from OpenBao directly
|
||||
|
||||
### 3. Credential delivery
|
||||
|
||||
- [ ] Platform provisions broker config under `platform/object-storage/...`
|
||||
- [ ] Consumer receives credentials via approved delivery (ESO, CSI, sidecar)
|
||||
- [ ] For `artifact-store`: configure `ARTIFACTSTORE_S3_*_REF` file/env refs
|
||||
|
||||
### 4. Verify
|
||||
|
||||
```bash
|
||||
artifactstore storage verify --backend s3
|
||||
```
|
||||
|
||||
### 5. Rotation / expiry
|
||||
|
||||
- [ ] Prefer lease expiry and dynamic regeneration over long-lived keys
|
||||
- [ ] Consumer must support session-token refresh or sidecar refresh (see canon gap notes)
|
||||
|
||||
---
|
||||
|
||||
## Owner-repo next actions
|
||||
|
||||
| Repo | Action |
|
||||
| --- | --- |
|
||||
| `net-kingdom` | Maintain STS vending canon; NK-WP-0007 decisions |
|
||||
| `flex-auth` | Policy packages for object-storage resources |
|
||||
| `railiance-platform` | Backend parent creds, OpenBao mounts, audit |
|
||||
| `artifact-store` | S3 backend refresh behavior and verify smoke |
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `net-kingdom/docs/object-storage-sts-credential-vending.md`
|
||||
- `railiance-platform/docs/openbao.md#artifact-store-object-storage-handoff`
|
||||
- `wiki/CredentialRouting.md#quick-decision-tree`
|
||||
Reference in New Issue
Block a user