
refactor(blobmanager/s3accesspoint): slim AssumeRole session policy#3143

Merged
jiparis merged 1 commit into
chainloop-dev:mainfrom
jiparis:jiparis/s3-access-point-packedpolicytoolarge
May 21, 2026

Conversation

@jiparis

@jiparis jiparis commented May 21, 2026


Summary

Shrinks the inline session policy that the S3-Access-Point CAS backend passes to sts:AssumeRole so chainloop's contribution to the STS packed-policy budget stays minimal, leaving headroom for session tags inherited from the caller principal (IRSA / Pod Identity).

  • Resource scope is the AP ARN only (${apARN}/object/*); the per-tenant key-prefix on the Resource was defense-in-depth and is removed. Cross-tenant isolation continues to be enforced by the AP resource policy's aws:userid check against the role session name.
  • Object keys remain prefixed by org UUID at the bucket layer for collision avoidance.
  • Allowed actions are reduced to s3:GetObject and s3:PutObject (HeadObject authorizes as s3:GetObject); the backend never calls DeleteObject or GetObjectAttributes.
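The following Go program is an added illustration of the slimmed session policy described above; it is not code from the chainloop repository or from this PR. It builds the two-action, access-point-scoped document that would be passed as the Policy parameter of sts:AssumeRole, builds (as a constructed approximation, not the PR's actual "before" code) a broader variant with a per-tenant prefix on the Resource and extra actions, and checks that only the slim one is restricted to s3:GetObject and s3:PutObject under ${apARN}/object/*. The access-point ARN and org id are made-up sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PolicyDocument is the minimal IAM policy shape this example needs.
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Statement is one Allow/Deny entry of the policy.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

// SlimSessionPolicy builds the inline session policy in the shape the PR describes:
// only s3:GetObject and s3:PutObject (HeadObject authorizes as GetObject), scoped to
// every object reachable through the access point. Tenant isolation is not encoded
// here; per the PR it is enforced by the access-point resource policy instead.
func SlimSessionPolicy(apARN string) PolicyDocument {
	return PolicyDocument{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:   "Allow",
			Action:   []string{"s3:GetObject", "s3:PutObject"},
			Resource: []string{apARN + "/object/*"},
		}},
	}
}

// BroadSessionPolicy is a constructed approximation (assumption, not the project's
// former code) of a wider document: a per-tenant key prefix on the Resource and
// actions the backend never calls. It exists only to contrast size and scope.
func BroadSessionPolicy(apARN, orgID string) PolicyDocument {
	return PolicyDocument{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect: "Allow",
			Action: []string{
				"s3:GetObject", "s3:PutObject",
				"s3:DeleteObject", "s3:GetObjectAttributes",
			},
			Resource: []string{apARN + "/object/" + orgID + "/*"},
		}},
	}
}

// Marshal renders the document as the compact JSON string that would be sent to STS.
func Marshal(p PolicyDocument) (string, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// AllowsOnly reports whether every statement is an Allow that grants nothing beyond
// the listed actions, with every Resource under the access point's object namespace.
// A reviewer can run this against a generated policy before it is shipped.
func AllowsOnly(p PolicyDocument, apARN string, allowed ...string) bool {
	ok := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		ok[a] = true
	}
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			return false
		}
		for _, a := range st.Action {
			if !ok[a] {
				return false
			}
		}
		for _, r := range st.Resource {
			if !strings.HasPrefix(r, apARN+"/object/") {
				return false
			}
		}
	}
	return true
}

func main() {
	// Sample values, constructed for the example.
	ap := "arn:aws:s3:us-east-1:123456789012:accesspoint/cas-example"
	slim, _ := Marshal(SlimSessionPolicy(ap))
	broad, _ := Marshal(BroadSessionPolicy(ap, "00000000-0000-0000-0000-000000000000"))
	fmt.Printf("slim  (%d bytes): %s\n", len(slim), slim)
	fmt.Printf("broad (%d bytes): %s\n", len(broad), broad)
	fmt.Println("slim restricted to Get/Put:", AllowsOnly(SlimSessionPolicy(ap), ap, "s3:GetObject", "s3:PutObject"))
}
```

The byte length printed here is only a proxy: STS enforces a limit on the packed size of the session policy plus session tags, and reports the consumed share as the PackedPolicySize percentage in the AssumeRole response, which is the value worth logging when diagnosing a PackedPolicyTooLarge error.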

AI disclosure

Assisted by Claude (Anthropic).

Shrink the inline session policy passed to sts:AssumeRole so the inline
document consumes minimal STS packed-policy budget, leaving headroom
for tags inherited from the caller principal (IRSA / Pod Identity).

Cross-tenant isolation continues to be enforced by the AP resource
policy's aws:userid check against the role session name; the dropped
per-tenant key-prefix Resource scoping was defense-in-depth and is no
longer included in the session policy. Object keys remain prefixed
by org UUID for collision avoidance at the bucket layer.

Actions are reduced to s3:GetObject + s3:PutObject (HeadObject
authorizes as s3:GetObject); the backend never calls DeleteObject or
GetObjectAttributes.

Assisted-by: Claude
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Chainloop-Trace-Sessions: ee4385fa-8011-4750-87cd-502097dda8b9
@chainloop-platform

Contributor

AI Session Analysis

Missing AI Coding Sessions

We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop.

Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the skip-ai-session label to this PR to bypass this check.

Learn more about Chainloop Trace.


Powered by Chainloop and Chainloop Trace

@cubic-dev-ai cubic-dev-ai Bot left a comment



No issues found across 3 files


@jiparis jiparis requested review from a team and Piskoo May 21, 2026 16:33
@jiparis jiparis merged commit 7334f48 into chainloop-dev:main May 21, 2026
15 of 16 checks passed
@jiparis jiparis deleted the jiparis/s3-access-point-packedpolicytoolarge branch May 21, 2026 17:37