# Object-Storage STS Credential Vending Date: 2026-06-24 Workplan: WARDEN-WP-0012 T4 Catalog: `object-storage-sts` (draft until vending path ships) Pointer playbook for short-lived S3-compatible credentials. NetKingdom canon defines the pattern; `flex-auth` decides, OpenBao brokers, `railiance-platform` configures backends, and consumers (e.g. `artifact-store`) refresh credentials. ops-warden does not vend object-storage credentials. --- ## Owners | Concern | Owner repo | Authoritative doc | | --- | --- | --- | | Architecture and trust boundaries | `net-kingdom` | `docs/object-storage-sts-credential-vending.md` | | Policy decision (may this principal access bucket/prefix?) | `flex-auth` | `INTENT.md` | | OpenBao broker config, audit, bootstrap parent creds | `railiance-platform` | `docs/openbao.md` — Artifact-Store handoff | | S3 client refresh and package behavior | `artifact-store` | `ARTIFACT-STORE-WP-0007` | --- ## Do not ask ops-warden ```bash warden route show openbao-api-key --json warden route show object-storage-sts --json # after promotion ``` Never paste access keys, session tokens, or parent credentials in Git, State Hub, logs, or agent chat. --- ## Core flow (pointer only) Full procedure is in net-kingdom canon. Summary for routing: ```text Principal (human/service/agent) → IAM Profile token (key-cape / Keycloak) → credential-vending service → flex-auth decision (tenant, bucket, prefix, actions, TTL) → backend exchange (STS / OpenBao-assisted broker) → temporary S3 credentials → consumer ``` OpenBao is runtime secret infrastructure — not the canonical authorization engine. --- ## Platform path conventions From `railiance-platform/docs/openbao.md`: ```text platform/object-storage/ ``` Example bootstrap bridge (static key, pre-STS): ```text platform/object-storage/artifact-store ``` STS vending remains governed by NK-WP-0007 / `ARTIFACT-STORE-WP-0007`. Promote catalog entry to `active` only when the approved vending path for your consumer exists in live OpenBao policy and canon. --- ## Worker checklist ### 1. Confirm consumer and canon - [ ] Read `net-kingdom/docs/object-storage-sts-credential-vending.md` - [ ] Identify `protected_system_id` (e.g. `object-storage:artifact-store-prod`) - [ ] Confirm flex-auth policy package for your tenant/resource ### 2. Authorization before secret read - [ ] Obtain IAM Profile token with required claims - [ ] flex-auth returns allow + obligations (TTL, prefix scope, actions) - [ ] Do not skip flex-auth and read parent credentials from OpenBao directly ### 3. Credential delivery - [ ] Platform provisions broker config under `platform/object-storage/...` - [ ] Consumer receives credentials via approved delivery (ESO, CSI, sidecar) - [ ] For `artifact-store`: configure `ARTIFACTSTORE_S3_*_REF` file/env refs ### 4. Verify ```bash artifactstore storage verify --backend s3 ``` ### 5. Rotation / expiry - [ ] Prefer lease expiry and dynamic regeneration over long-lived keys - [ ] Consumer must support session-token refresh or sidecar refresh (see canon gap notes) --- ## Owner-repo next actions | Repo | Action | | --- | --- | | `net-kingdom` | Maintain STS vending canon; NK-WP-0007 decisions | | `flex-auth` | Policy packages for object-storage resources | | `railiance-platform` | Backend parent creds, OpenBao mounts, audit | | `artifact-store` | S3 backend refresh behavior and verify smoke | --- ## See also - `net-kingdom/docs/object-storage-sts-credential-vending.md` - `railiance-platform/docs/openbao.md#artifact-store-object-storage-handoff` - `wiki/CredentialRouting.md#quick-decision-tree`