Stage 7: complete AWS OIDC federation deployment (deferred from PR #61)

## Context

PR #61 ships Stage 7 phase 2: OIDC issuer in the Rust broker, AWS-cred wiring through provisioner-scripts, and the operator-side bring-up (DNS + EIP + nginx + certbot + AWS OIDC provider registration). The federation **infrastructure** is in place; the **end-to-end isolation proof** is deferred to this issue.

## What's done (in PR #61)

- [x] Broker serves `/.well-known/openid-configuration` at `https://broker.litentry.org` with the correct `iss` claim.
- [x] Broker serves JWKS at `/.well-known/jwks.json` with ES256 P-256 key + stable `kid`.
- [x] Bearer-gated `POST /v1/mint-oidc-jwt` issues short-lived JWTs.
- [x] AWS OIDC provider registered: `arn:aws:iam::429071895007:oidc-provider/broker.litentry.org`.
- [x] Public nginx + Let's Encrypt cert auto-renewing.
- [x] Operator runbook + cloud-setup docs for the registration recipe ([cloud-setup.md §4](https://github.com/litentry/agentKeys/blob/main/docs/cloud-setup.md)).

## What's deferred to this issue

The cloud-enforced PrincipalTag isolation property — *"a JWT for wallet A can read s3://bucket/A/* but never s3://bucket/B/*"* — needs an end-to-end live test before we can call Stage 7 federation truly complete:

- [ ] Update `agentkeys-data-role` trust policy to the federated variant (replaces static IAM-user trust). Per [cloud-setup.md §4.3](https://github.com/litentry/agentKeys/blob/main/docs/cloud-setup.md#43-replace-the-roles-trust-policy-federated-variant).
- [ ] Update bucket policy to the PrincipalTag-scoped variant. Per [cloud-setup.md §4.4](https://github.com/litentry/agentKeys/blob/main/docs/cloud-setup.md#44-upgrade-bucket-policy-to-principaltag-scoped).
- [ ] **Acceptance test** ([cloud-setup.md §4.5](https://github.com/litentry/agentKeys/blob/main/docs/cloud-setup.md#45-end-to-end-proof)):
  ```bash
  # Mint a JWT for wallet A, exchange for AWS temp creds, prove:
  aws s3api list-objects-v2 --bucket "$BUCKET" --prefix "$WALLET/"      # ← OK
  aws s3api list-objects-v2 --bucket "$BUCKET" --prefix "0xdeadbeef/"    # ← MUST AccessDenied
  ```

The first AccessDenied is the property Stage 6's static-IAM path can't prove. Until that test passes against real AWS, federation is wired but unproven.

## Why deferred

Auth is the upstream blocker. Until the broker can reliably authenticate a session bearer to a specific wallet (currently any `auth_token` is accepted by the mock-server stub — see #63), running the federation acceptance test is meaningless: any caller could mint a session for any wallet, so PrincipalTag isolation isn't actually being tested.

Once auth lands (either Option A or Option C path), the federation acceptance test becomes a one-afternoon validation step.

## Related

- PR #61 — Stage 7 phase 2 (this issue's prerequisite)
- Auth implementation issue: see #63
- [docs/cloud-setup.md §4](https://github.com/litentry/agentKeys/blob/main/docs/cloud-setup.md#4-oidc-federation-stage-7) — the recipe to follow when this issue is picked up

🤖 Generated with [Claude Code](https://claude.com/claude-code)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stage 7: complete AWS OIDC federation deployment (deferred from PR #61) #62

Context

What's done (in PR #61)

What's deferred to this issue

Why deferred

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Stage 7: complete AWS OIDC federation deployment (deferred from PR #61) #62

Description

Context

What's done (in PR #61)

What's deferred to this issue

Why deferred

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions