tegwick
1237cc767b
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect, object-storage STS, and database dynamic credentials. Extend the routing catalog with draft entries and implement `warden route list --stale` for quarterly drift review. Document the review cadence in AccessRouting and mark the workplan finished.
3.6 KiB
Object-Storage STS Credential Vending
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: object-storage-sts (draft until vending path ships)
Pointer playbook for short-lived S3-compatible credentials. NetKingdom canon
defines the pattern; flex-auth decides, OpenBao brokers, railiance-platform
configures backends, and consumers (e.g. artifact-store) refresh credentials.
ops-warden does not vend object-storage credentials.
Owners
| Concern | Owner repo | Authoritative doc |
|---|---|---|
| Architecture and trust boundaries | net-kingdom |
docs/object-storage-sts-credential-vending.md |
| Policy decision (may this principal access bucket/prefix?) | flex-auth |
INTENT.md |
| OpenBao broker config, audit, bootstrap parent creds | railiance-platform |
docs/openbao.md — Artifact-Store handoff |
| S3 client refresh and package behavior | artifact-store |
ARTIFACT-STORE-WP-0007 |
Do not ask ops-warden
warden route show openbao-api-key --json
warden route show object-storage-sts --json # after promotion
Never paste access keys, session tokens, or parent credentials in Git, State Hub, logs, or agent chat.
Core flow (pointer only)
Full procedure is in net-kingdom canon. Summary for routing:
Principal (human/service/agent)
→ IAM Profile token (key-cape / Keycloak)
→ credential-vending service
→ flex-auth decision (tenant, bucket, prefix, actions, TTL)
→ backend exchange (STS / OpenBao-assisted broker)
→ temporary S3 credentials → consumer
OpenBao is runtime secret infrastructure — not the canonical authorization engine.
Platform path conventions
From railiance-platform/docs/openbao.md:
platform/object-storage/<consumer>
Example bootstrap bridge (static key, pre-STS):
platform/object-storage/artifact-store
STS vending remains governed by NK-WP-0007 / ARTIFACT-STORE-WP-0007. Promote
catalog entry to active only when the approved vending path for your consumer
exists in live OpenBao policy and canon.
Worker checklist
1. Confirm consumer and canon
- Read
net-kingdom/docs/object-storage-sts-credential-vending.md - Identify
protected_system_id(e.g.object-storage:artifact-store-prod) - Confirm flex-auth policy package for your tenant/resource
2. Authorization before secret read
- Obtain IAM Profile token with required claims
- flex-auth returns allow + obligations (TTL, prefix scope, actions)
- Do not skip flex-auth and read parent credentials from OpenBao directly
3. Credential delivery
- Platform provisions broker config under
platform/object-storage/... - Consumer receives credentials via approved delivery (ESO, CSI, sidecar)
- For
artifact-store: configureARTIFACTSTORE_S3_*_REFfile/env refs
4. Verify
artifactstore storage verify --backend s3
5. Rotation / expiry
- Prefer lease expiry and dynamic regeneration over long-lived keys
- Consumer must support session-token refresh or sidecar refresh (see canon gap notes)
Owner-repo next actions
| Repo | Action |
|---|---|
net-kingdom |
Maintain STS vending canon; NK-WP-0007 decisions |
flex-auth |
Policy packages for object-storage resources |
railiance-platform |
Backend parent creds, OpenBao mounts, audit |
artifact-store |
S3 backend refresh behavior and verify smoke |
See also
net-kingdom/docs/object-storage-sts-credential-vending.mdrailiance-platform/docs/openbao.md#artifact-store-object-storage-handoffwiki/CredentialRouting.md#quick-decision-tree