feat: add credential grant catalog foundation
This commit is contained in:
parent
693dc71833
commit
c7393d94ab
6 changed files with 617 additions and 5 deletions
111
credential-grants/catalog.yaml
Normal file
111
credential-grants/catalog.yaml
Normal file
|
|
@ -0,0 +1,111 @@
|
|||
version: 1
|
||||
updated: "2026-06-25"
|
||||
owner_repo: railiance-platform
|
||||
owner_domain: financials
|
||||
workplan_id: RAILIANCE-WP-0005
|
||||
state_hub_workstream_id: 2731fece-6c49-45b8-ab8a-4ea6c04ac603
|
||||
|
||||
delivery_modes:
|
||||
allowed_known:
|
||||
- exec-env
|
||||
- response-wrap
|
||||
- local-token-file
|
||||
- kubernetes-auth
|
||||
denied_known:
|
||||
- chat
|
||||
- state-hub-body
|
||||
- git
|
||||
- command-line-token-argument
|
||||
- llm-prompt
|
||||
|
||||
grant_classes:
|
||||
- self-service
|
||||
- approval-required
|
||||
- break-glass
|
||||
|
||||
grants:
|
||||
- id: ops-warden/warden-sign
|
||||
title: Ops Warden OpenBao SSH signing smoke token
|
||||
status: pilot
|
||||
grant_class: self-service
|
||||
credential_type: openbao-token
|
||||
issuer: openbao
|
||||
audience: ops-warden
|
||||
description: >
|
||||
Short-lived OpenBao child token for ops-warden SSH signing smoke tests.
|
||||
The token may only use the warden-sign policy and must not be treated as
|
||||
an ops-warden-owned secret.
|
||||
openbao:
|
||||
namespace: openbao
|
||||
token_role: warden-sign
|
||||
policies:
|
||||
- warden-sign
|
||||
disallowed_policies:
|
||||
- root
|
||||
- platform-admin
|
||||
mount_paths:
|
||||
- ssh/sign/adm-role
|
||||
- ssh/sign/agt-role
|
||||
- ssh/sign/atm-role
|
||||
- ssh/roles
|
||||
ttl:
|
||||
default: 15m
|
||||
max: 1h
|
||||
renewable: false
|
||||
requires_human_above: 1h
|
||||
actors:
|
||||
allowed_types:
|
||||
- human-operator
|
||||
- approved-agent
|
||||
- ci-runner
|
||||
required_subject_binding: keycape-or-kubernetes-service-account
|
||||
authorization:
|
||||
flex_auth_required: false
|
||||
flex_auth_mode: optional-preflight
|
||||
approval_required: false
|
||||
purpose_required: true
|
||||
allowed_purpose_examples:
|
||||
- flex-auth-openbao-smoke
|
||||
- ops-warden-production-sign-smoke
|
||||
delivery:
|
||||
allowed:
|
||||
- exec-env
|
||||
- response-wrap
|
||||
- local-token-file
|
||||
preferred: exec-env
|
||||
denied:
|
||||
- chat
|
||||
- state-hub-body
|
||||
- git
|
||||
- command-line-token-argument
|
||||
- llm-prompt
|
||||
exec_env:
|
||||
variable: VAULT_TOKEN
|
||||
child_only: true
|
||||
redact_logs: true
|
||||
response_wrap:
|
||||
ttl: 5m
|
||||
unwrap_once: true
|
||||
local_token_file:
|
||||
directory: .local/credential-leases
|
||||
mode: "0600"
|
||||
audit:
|
||||
openbao_audit_required: true
|
||||
state_hub_metadata_allowed: true
|
||||
record_secret_values: false
|
||||
metadata_fields:
|
||||
- grant_id
|
||||
- actor
|
||||
- subject
|
||||
- purpose
|
||||
- requested_ttl
|
||||
- issued_ttl
|
||||
- delivery_mode
|
||||
- lease_accessor
|
||||
- decision_id
|
||||
- status
|
||||
revocation:
|
||||
required: true
|
||||
by_accessor: true
|
||||
on_exec_exit: true
|
||||
on_denied_request: false
|
||||
Loading…
Add table
Add a link
Reference in a new issue