Record whynot OpenBao lane apply evidence
@@ -55,6 +55,9 @@ openbao:
|
||||
method: oidc
|
||||
mount: netkingdom
|
||||
role: whynot-design-workload-kv-read
|
||||
allowed_redirect_uris:
|
||||
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||
- http://localhost:8250/oidc/callback
|
||||
user_claim: sub
|
||||
groups_claim: groups
|
||||
bound_claims:
|
||||
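Review bot: `allowed_redirect_uris` now lists `http://localhost:8250/oidc/callback` next to the UI callback; that loopback entry is the one the CLI OIDC login flow uses, and every URI in this list is a place the provider may deliver an authorization code, so either drop it if this role is meant to be UI-only or state in the lane doc that it is kept on purpose for CLI logins. The hunk also ends at `bound_claims:` with no entries in view; the verification text later depends on a "whynot-design bound claim", so confirm the map carries the group restriction (via `groups_claim: groups`) rather than being empty, since `user_claim: sub` alone only identifies the subject and does not limit who can log in.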
@@ -91,6 +94,16 @@ verification:
|
||||
- OIDC role bound to confirmed whynot-design claim or approved service account.
|
||||
- Secret value provisioned directly in OpenBao through approved operator custody.
|
||||
- Positive and negative verification recorded with non-secret audit ids or timestamps.
|
||||
evidence:
|
||||
- at: '2026-06-28T10:37:42+00:00'
|
||||
actor: codex
|
||||
kind: non_secret_openbao_apply_check
|
||||
result: passed
|
||||
details:
|
||||
- Policy read succeeded for workload-kv-read-whynot-design-npm-publish.
|
||||
- OIDC role read showed the whynot-design bound claim, read policy, and callback URIs.
|
||||
- Metadata read showed catalog-id whynot-design-npm-publish.
|
||||
- Secret field presence check found NPM_AUTH_TOKEN without printing or recording the value.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
|
||||
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation
|
||||
|
||||
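Review bot: the `evidence` entry records only positive reads (policy read, role read, metadata read, field presence) while the `verification` list directly above requires both positive and negative verification to be recorded; add a detail line or a second entry showing that a login outside the whynot-design bound claim was rejected, with its non-secret audit id or timestamp. Two smaller points: the policy named in the details, `workload-kv-read-whynot-design-npm-publish`, does not match the role name `whynot-design-workload-kv-read` from the first hunk, so state explicitly which policy the role attaches; and `deactivate` should say the OIDC role is deleted or disabled, not only that its policy is detached, because a role with its policy removed can still authenticate and issue tokens.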