
RFC: workload-anchored credential binding and layered credential derivation #483

Description

@krokoko

Context: ROADMAP.md → Workload-anchored credential binding + Layered credential derivation
Related: #249, #209, #428, #427


Primary area

Cross-cutting / multiple

Related issue or feature request

#249 (Identity propagation / Token Vault), #209 (per-session IAM scoping), #428 (runtime security telemetry)

Summary

Extend ABCA's credential model beyond per-session IAM tags with (1) workload-anchored binding—credentials usable only inside the attested MicroVM/workload—and (2) layered derivation—progressively narrower tokens at orchestrator → agent runtime → per-tool-call boundaries.

Use case and motivation

Per-session scoping limits what a stolen credential can access but not where it can be exercised. A credential exfiltrated from the VM remains valid until expiry. Layered derivation limits blast radius at every hop: orchestrator task token → agent tool-scoped token → single-use external API token.

Proposal

Workload-anchored binding

  • Bind issued credentials to platform attestation (instance identity document, AgentCore workload identity, or equivalent).
  • Token Vault / STS AssumeRole policies reject calls not originating from the bound workload.
  • Document operator requirements and failure modes when attestation is unavailable (ECS vs AgentCore).

Layered derivation

  • Orchestrator holds task-scoped delegation token.
  • Agent runtime derives further-restricted credentials limited to resolved tools/repos for the current turn.
  • External tool invocations receive time-boxed or single-use tokens where the upstream API supports it.
  • Propagate signed actor chain (user_id → orchestrator → agent) per delegation chain roadmap intent; align with RFC: Delegated-agent handoff contract for cross-system coding tasks #427.

Operator / developer experience

  • Before: one SessionRole assumption per task; broad tool surface within tag scope.
  • After: credentials are non-transferable and monotonically narrower down the stack; audit trail shows full lineage.

Out of scope

Potential challenges

Dependencies and integrations

Alternative solutions


Note: Non-triaged RFCs may not get timely review.

  • RFC PR:
  • Approved by:
  • Reviewed by:
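A sketch of the layered derivation and workload binding proposed above, added here as an example and not ABCA code. It uses macaroon-style HMAC chaining as a stand-in mechanism; the function names, the `workload` field, and the attested workload id passed to `verify` are all assumptions.

```python
# Hypothetical sketch: names and token layout are assumptions, not ABCA's API.
import hashlib, hmac, json

def _mac(key: bytes, layer: dict) -> bytes:
    return hmac.new(key, json.dumps(layer, sort_keys=True).encode(), hashlib.sha256).digest()

def mint(root_key: bytes, actor: str, scopes: list, exp: int, workload: str) -> dict:
    """Issuer mints the first layer, bound to one attested workload id."""
    layer = {"actor": actor, "scopes": sorted(scopes), "exp": exp, "workload": workload}
    return {"layers": [layer], "sig": _mac(root_key, layer).hex()}

def derive(token: dict, actor: str, scopes: list, exp: int) -> dict:
    """Holder appends a narrower layer; it needs only its own signature, not the root key."""
    parent = token["layers"][-1]
    if not set(scopes) <= set(parent["scopes"]) or exp > parent["exp"]:
        raise ValueError("derived layer must not widen scopes or lifetime")
    layer = {"actor": actor, "scopes": sorted(scopes), "exp": exp, "workload": parent["workload"]}
    return {"layers": token["layers"] + [layer],
            "sig": _mac(bytes.fromhex(token["sig"]), layer).hex()}

def verify(root_key: bytes, token: dict, scope: str, now: int, caller_workload: str) -> list:
    """Return the actor chain if the call is allowed, else raise PermissionError."""
    if not token["layers"]:
        raise PermissionError("empty token")
    key, prev = root_key, None
    for layer in token["layers"]:
        key = _mac(key, layer)  # each layer is keyed by the previous signature
        if prev and (not set(layer["scopes"]) <= set(prev["scopes"])
                     or layer["exp"] > prev["exp"] or layer["workload"] != prev["workload"]):
            raise PermissionError("layer widens its parent")
        prev = layer
    if not hmac.compare_digest(key.hex(), token["sig"]):
        raise PermissionError("bad signature chain")
    if caller_workload != prev["workload"]:  # caller id comes from platform attestation
        raise PermissionError("presented outside bound workload")
    if now >= prev["exp"] or scope not in prev["scopes"]:
        raise PermissionError("expired or out of scope")
    return [l["actor"] for l in token["layers"]]

if __name__ == "__main__":
    root = b"constructed-demo-key-not-a-secret"  # constructed sample values
    task = mint(root, "orchestrator", ["repo:read", "repo:write", "ci:run"], 1000, "vm-1")
    turn = derive(task, "agent", ["repo:read", "ci:run"], 600)
    call = derive(turn, "tool-call", ["repo:read"], 300)
    print(verify(root, call, "repo:read", 100, "vm-1"))
```

The returned list is the lineage an audit log would record; a token copied out of `vm-1` fails the workload check even though its signature chain is intact.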


Labels: RFC-proposal (Request for Comments: design proposal), security (Cedar/HITL, IAM least-privilege, secrets, PII/DLP, guardrails, supply-chain/CVE)
