Record whynot OpenBao lane apply evidence

2026-06-28 12:41:39 +02:00
parent 3ef25cb787
commit 271aa94642
8 changed files with 134 additions and 12 deletions


@@ -35,6 +35,7 @@ Ops-warden batch follow-up:
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
| OIDC auth mount | `netkingdom` |
| OIDC role | `whynot-design-workload-kv-read` |
| OIDC callback URIs | `https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback`, `http://localhost:8250/oidc/callback` |
| Kubernetes auth role | `whynot-design-workload-kv-read` if an in-cluster service account consumes this lane |
| flex-auth ref | `secret.read:whynot-design` if tenant policy requires pre-approval |
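Review bot: the `Kubernetes auth role` and `flex-auth ref` rows are conditional ("if an in-cluster service account consumes this lane", "if tenant policy requires pre-approval") but nothing in the table records whether either condition currently holds, so a reader of this apply evidence cannot tell whether `whynot-design-workload-kv-read` actually exists as a Kubernetes auth role or is only reserved. Suggest adding a status column, or one line under the table stating for each conditional row whether it is provisioned or deliberately not provisioned for this lane.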
@@ -109,6 +110,14 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
The OIDC role must include the browser and local CLI callback URIs accepted by
OpenBao:
```text
https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
http://localhost:8250/oidc/callback
```
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
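Review bot: the re-confirmation step says the role must bind to the `groups=whynot-design` claim but does not say where in the role that binding lives, so the applied role cannot be checked against this document. Suggest naming the role attribute and the exact key/value as configured (in OpenBao's OIDC auth method this is the `bound_claims` map, here `groups` mapped to `whynot-design`) so the "re-confirm the claim" step has something concrete to compare against. It would also help to note that the claim is a pilot value, so the role needs re-applying if the group name changes when the pilot ends.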
@@ -154,9 +163,25 @@ Positive verification:
1. Authenticate as the whynot-design caller using the approved OIDC or
Kubernetes auth role.
2. Fetch the field in an attended session or through `warden access --fetch`.
2. Fetch the field in an attended session or through `warden access --exec`.
3. Record only that the fetch succeeded; do not record the value.
Safe attended command shape before the dedicated ops-warden catalog id is
activated:
```bash
set +x
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
warden access "npm token" \
--path platform/workloads/coulomb/whynot-design/npm-publish \
--field NPM_AUTH_TOKEN \
--no-policy \
--exec -- sh -lc 'test -n "$NPM_AUTH_TOKEN"'
```
Use `--no-policy` only while the local ops-warden config reports
`policy.enabled=false`; remove it once the flex-auth gate is enforced.
Negative verification:
1. Authenticate as a non-whynot identity.
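Review bot: `sh -lc` in the attended command starts a login shell, which sources the caller's profile and rc files before `test -n` runs; anything in those files that echoes or traces the environment would expose `NPM_AUTH_TOKEN` despite the preceding `set +x`, and the check does not need a login shell. Suggest `--exec -- sh -c 'test -n "$NPM_AUTH_TOKEN"'`. Step 3 should also say what the recorded evidence is, since the command prints nothing on success: the exit status of the `warden access` invocation is sufficient and keeps the value out of the record. The two step-2 lines (`--fetch` and `--exec`) read as the removed and added versions of the same step; confirm only the `--exec` form survives in the rendered document.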