Add credential lane readiness proposals
This commit is contained in:
@@ -16,15 +16,19 @@ The first lane is for ops-warden `warden access --fetch` / `--exec`.
|
||||
|
||||
## whynot-design npm Publish Token
|
||||
|
||||
Ops-warden request:
|
||||
Ops-warden original request:
|
||||
`551031d1-335e-4db8-9535-820fea52d0a3`
|
||||
|
||||
Ops-warden batch follow-up:
|
||||
`fe5b1696-8956-4bd5-9d6f-dbde1901a076`
|
||||
|
||||
| Item | Value |
|
||||
| --- | --- |
|
||||
| ops-warden catalog id | `whynot-design-npm-token` |
|
||||
| ops-warden catalog id | `whynot-design-npm-publish` |
|
||||
| KV mount | `platform` |
|
||||
| OpenBao CLI path | `platform/workloads/whynot-design/whynot-design/npm-publish` |
|
||||
| Secret field | `NPM_AUTH_TOKEN` |
|
||||
| Front-door readiness | `template`, `resolvable=false` until CCR verification |
|
||||
| Read policy | `workload-kv-read-whynot-design-npm-publish` |
|
||||
| Policy file | `openbao/policies/workload-kv-read-whynot-design-npm-publish.hcl` |
|
||||
| OIDC auth mount | `netkingdom` |
|
||||
@@ -38,12 +42,18 @@ Expected caller login shape:
|
||||
bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read
|
||||
```
|
||||
|
||||
Expected fetch shape:
|
||||
Expected OpenBao fetch shape:
|
||||
|
||||
```bash
|
||||
bao kv get -field=NPM_AUTH_TOKEN platform/workloads/whynot-design/whynot-design/npm-publish
|
||||
```
|
||||
|
||||
Expected ops-warden exec shape after activation:
|
||||
|
||||
```bash
|
||||
warden access whynot-design-npm-publish --exec -- npm publish
|
||||
```
|
||||
|
||||
The fetch command returns the secret value to the authenticated caller. Run it
|
||||
only in an attended shell or through a process that consumes the value without
|
||||
logging it.
|
||||
@@ -139,7 +149,7 @@ Negative verification:
|
||||
Send ops-warden only these pointers:
|
||||
|
||||
```text
|
||||
catalog id: whynot-design-npm-token
|
||||
catalog id: whynot-design-npm-publish
|
||||
mount: platform
|
||||
path: platform/workloads/whynot-design/whynot-design/npm-publish
|
||||
field: NPM_AUTH_TOKEN
|
||||
@@ -151,4 +161,5 @@ runbook: docs/workload-kv-access-lanes.md
|
||||
```
|
||||
|
||||
Until live provisioning and verification are complete, ops-warden should keep
|
||||
the catalog entry in `draft` or equivalent non-active state.
|
||||
the catalog entry in `template`/`draft` or equivalent non-active state with
|
||||
`resolvable=false`.
|
||||
|
||||
Reference in New Issue
Block a user