Add credential lane readiness proposals

2026-06-27 23:30:29 +02:00
parent 815b124ab1
commit aee0dcefad
13 changed files with 425 additions and 25 deletions


@@ -16,15 +16,19 @@ The first lane is for ops-warden `warden access --fetch` / `--exec`.
## whynot-design npm Publish Token
Ops-warden request:
Ops-warden original request:
`551031d1-335e-4db8-9535-820fea52d0a3`
Ops-warden batch follow-up:
`fe5b1696-8956-4bd5-9d6f-dbde1901a076`
| Item | Value |
| --- | --- |
| ops-warden catalog id | `whynot-design-npm-token` |
| ops-warden catalog id | `whynot-design-npm-publish` |
| KV mount | `platform` |
| OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
| Secret field | `NPM_AUTH_TOKEN` |
| Front-door readiness | `template`, `resolvable=false` until CCR verification |
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
| OIDC auth mount | `netkingdom` |
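Review bot: the new `Front-door readiness` row gates on "CCR verification" but the acronym is not expanded anywhere in the visible text; spell it out on first use and name the verification step that flips `resolvable` to true so a reader can tell when the lane is considered active. The hunk also relabels the first UUID as `Ops-warden original request` and adds a `batch follow-up` id; say which of the two ops-warden should reference when it activates the entry, otherwise the two ids will be used interchangeably.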
@@ -38,12 +42,18 @@ Expected caller login shape:
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
```
Expected fetch shape:
Expected OpenBao fetch shape:
```bash
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
```
Expected ops-warden exec shape after activation:
```bash
warden access whynot-design-npm-publish --exec -- npm publish
```
The fetch command returns the secret value to the authenticated caller. Run it
only in an attended shell or through a process that consumes the value without
logging it.
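Review bot: the added exec shape `warden access whynot-design-npm-publish --exec -- npm publish` does not say how the `NPM_AUTH_TOKEN` field reaches `npm publish`; npm does not read a variable of that name by itself, so document the environment variable the exec lane exports and the `.npmrc` `_authToken` line that references it, or the publish will fail with an unauthenticated request. The caution paragraph on the fetch shape is right as written; extend it with one sentence stating that, once the lane is active, the exec shape is the preferred path because the value is consumed by the child process and never printed.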
@@ -139,7 +149,7 @@ Negative verification:
Send ops-warden only these pointers:
```text
catalog id: whynot-design-npm-token
catalog id: whynot-design-npm-publish
mount: platform
path: platform/workloads/whynot-design/whynot-design/npm-publish
field: NPM_AUTH_TOKEN
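Review bot: the pointer block now carries the renamed catalog id `whynot-design-npm-publish`, matching the table, but the old id `whynot-design-npm-token` was already sent to ops-warden under the original request; add a line in this block (or in the follow-up request text) stating that the old id is superseded, so the receiving side retires it instead of keeping two entries for one secret.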
@@ -151,4 +161,5 @@ runbook: docs/workload-kv-access-lanes.md
```
Until live provisioning and verification are complete, ops-warden should keep
the catalog entry in `draft` or equivalent non-active state.
the catalog entry in `template`/`draft` or equivalent non-active state with
`resolvable=false`.
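Review bot: "`template`/`draft` or equivalent non-active state with `resolvable=false`" reads as two independent gates; state whether `resolvable=false` is implied by the non-active state or has to be set separately, and use the same wording as the `Front-door readiness` row in the table above so both places describe a single condition for the lane being inactive.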