ops-warden/wiki/playbooks/object-storage-sts.md
tegwick 1237cc767b Complete WARDEN-WP-0012 routing scenario playbooks
Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.
2026-06-25 10:27:23 +02:00

# Object-Storage STS Credential Vending
Date: 2026-06-24
Workplan: WARDEN-WP-0012 T4
Catalog: `object-storage-sts` (draft until vending path ships)
Pointer playbook for short-lived S3-compatible credentials. NetKingdom canon
defines the pattern; `flex-auth` decides, OpenBao brokers, `railiance-platform`
configures backends, and consumers (e.g. `artifact-store`) refresh credentials.
ops-warden does not vend object-storage credentials.

---
## Owners
| Concern | Owner repo | Authoritative doc |
| --- | --- | --- |
| Architecture and trust boundaries | `net-kingdom` | `docs/object-storage-sts-credential-vending.md` |
| Policy decision (may this principal access bucket/prefix?) | `flex-auth` | `INTENT.md` |
| OpenBao broker config, audit, bootstrap parent creds | `railiance-platform` | `docs/openbao.md` — Artifact-Store handoff |
| S3 client refresh and package behavior | `artifact-store` | `ARTIFACT-STORE-WP-0007` |
---
## Do not ask ops-warden
Look up the routing entry instead of requesting credentials:
```bash
warden route show openbao-api-key --json
warden route show object-storage-sts --json # after promotion
```
Never paste access keys, session tokens, or parent credentials in Git, State Hub,
logs, or agent chat.

---
## Core flow (pointer only)
The full procedure is in the net-kingdom canon. Summary for routing:
```text
Principal (human/service/agent)
→ IAM Profile token (key-cape / Keycloak)
→ credential-vending service
→ flex-auth decision (tenant, bucket, prefix, actions, TTL)
→ backend exchange (STS / OpenBao-assisted broker)
→ temporary S3 credentials → consumer
```
OpenBao is runtime secret infrastructure, not the canonical authorization engine.

---
## Platform path conventions
From `railiance-platform/docs/openbao.md`:
```text
platform/object-storage/<consumer>
```
Example bootstrap bridge (static key, pre-STS):
```text
platform/object-storage/artifact-store
```
STS vending remains governed by NK-WP-0007 / `ARTIFACT-STORE-WP-0007`. Promote the
catalog entry to `active` only when the approved vending path for your consumer
exists in live OpenBao policy and canon.

---
## Worker checklist
### 1. Confirm consumer and canon
- [ ] Read `net-kingdom/docs/object-storage-sts-credential-vending.md`
- [ ] Identify `protected_system_id` (e.g. `object-storage:artifact-store-prod`)
- [ ] Confirm flex-auth policy package for your tenant/resource
### 2. Authorization before secret read
- [ ] Obtain IAM Profile token with required claims
- [ ] flex-auth returns allow + obligations (TTL, prefix scope, actions)
- [ ] Do not skip flex-auth and read parent credentials from OpenBao directly
### 3. Credential delivery
- [ ] Platform provisions broker config under `platform/object-storage/...`
- [ ] Consumer receives credentials via approved delivery (ESO, CSI, sidecar)
- [ ] For `artifact-store`: configure `ARTIFACTSTORE_S3_*_REF` file/env refs
### 4. Verify
```bash
artifactstore storage verify --backend s3
```
### 5. Rotation / expiry
- [ ] Prefer lease expiry and dynamic regeneration over long-lived keys
- [ ] Consumer must support session-token refresh or sidecar refresh (see canon gap notes)
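
The allow-plus-obligations step of the core flow and the refresh requirement in step 5, as an added example (not ops-warden, flex-auth or artifact-store code): the `Decision` dataclass shape and its field names, the 3600 s ceiling and the placeholder role ARN are assumptions. It maps a flex-auth allow decision to a session policy scoped to the bucket/prefix/actions obligations, caps `DurationSeconds` at the TTL obligation, refuses to build a request on a deny, and gives the consumer-side check for refreshing before the session token expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

MAX_TTL_SECONDS = 3600  # constructed ceiling; the real cap comes from flex-auth/canon

@dataclass(frozen=True)
class Decision:             # assumed flex-auth decision shape; field names hypothetical
    allow: bool
    tenant: str
    bucket: str
    prefix: str             # obligation: key prefix the session may touch
    actions: tuple[str, ...]  # obligation: permitted S3 actions
    ttl_seconds: int        # obligation: maximum session lifetime

def scoped_session_policy(decision: Decision) -> dict:
    """Narrow the session to exactly the bucket/prefix/actions flex-auth allowed."""
    if not decision.allow:
        raise PermissionError(f"flex-auth denied {decision.tenant} on {decision.bucket}")
    prefix = decision.prefix.strip("/")
    key_glob = f"{prefix}/*" if prefix else "*"
    # ListBucket is granted on the bucket ARN; object actions on the object ARN.
    object_actions = sorted(a for a in decision.actions if a != "s3:ListBucket")
    statements = []
    if object_actions:
        statements.append({"Effect": "Allow", "Action": object_actions,
                           "Resource": f"arn:aws:s3:::{decision.bucket}/{key_glob}"})
    if "s3:ListBucket" in decision.actions:
        statements.append({"Effect": "Allow", "Action": "s3:ListBucket",
                           "Resource": f"arn:aws:s3:::{decision.bucket}",
                           "Condition": {"StringLike": {"s3:prefix": key_glob}}})
    if not statements:
        raise ValueError("allow decision carried no actions obligation")
    return {"Version": "2012-10-17", "Statement": statements}

def build_sts_request(decision: Decision, role_arn: str) -> dict:
    """AssumeRole parameters: TTL obligation capped, policy inlined as a JSON string."""
    session = decision.prefix.strip("/").replace("/", ".") or "root"
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"{decision.tenant}-{session}"[:64],
        "DurationSeconds": min(decision.ttl_seconds, MAX_TTL_SECONDS),
        "Policy": json.dumps(scoped_session_policy(decision), separators=(",", ":")),
    }

def needs_refresh(expiration: datetime, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
    """Consumer side: rotate while the old session token is still valid, not after."""
    return now + skew >= expiration
```
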
---
## Owner-repo next actions
| Repo | Action |
| --- | --- |
| `net-kingdom` | Maintain STS vending canon; NK-WP-0007 decisions |
| `flex-auth` | Policy packages for object-storage resources |
| `railiance-platform` | Backend parent creds, OpenBao mounts, audit |
| `artifact-store` | S3 backend refresh behavior and verify smoke |
---
## See also
- `net-kingdom/docs/object-storage-sts-credential-vending.md`
- `railiance-platform/docs/openbao.md#artifact-store-object-storage-handoff`
- `wiki/CredentialRouting.md#quick-decision-tree`