Aegis Orchestrator
Architecture

Identity and Secrets

The Keymaster Pattern, OAuth federation, and centralized secrets management.

Identity and Secrets

AEGIS enforces strict boundaries for authentication, authorization, and secrets management. By decoupling agent runtimes from the credential provisioning process, the system isolates high-value access points and prevents credential exfiltration.

Centralized IAM

AEGIS uses Keycloak as the single certified OIDC issuer for all human and Machine-to-Machine (M2M) identities.

  • Federation: Social logins and enterprise SAML providers are federated through Keycloak. Consumer applications (like the Zaru client) rely solely on OIDC.
  • Multi-Tenant Isolation: Enterprise tenants operate within isolated boundaries via dedicated Keycloak realms (tenant-{slug}). Consumer users share the zaru-consumer Keycloak realm but each receive a dedicated per-user tenant (slug format u-{uuid}) at signup. The orchestrator derives the consumer's tenant_id from a custom JWT claim rather than from the realm slug, ensuring full data isolation between individual consumer users.
  • Authorization Checks: The orchestrator's gRPC and HTTP APIs intercept requests using the GrpcIamAuthInterceptor to validate Bearer JWTs via a cached JWKS endpoint before allowing requests to proceed.

The Keymaster Pattern

A foundational security guarantee in AEGIS is the Keymaster Pattern: Only the Orchestrator communicates with the secrets vault (OpenBao). Agent containers never access the vault directly.

When an agent invokes a tool (e.g., web.search), it sends the request via SEAL to the orchestrator. If the orchestrator routes this to a local tool server (Path 2), the Tool Server process is spawned on the host machine. At startup, the orchestrator retrieves the necessary API keys from OpenBao and injects them as environment variables into the Tool Server process. The agent never sees the API key.

Multi-Tenant Secrets Federation

The orchestrator enforces strict boundary alignment between Identity and Secrets:

  • A TenantRealm in Keycloak pairs 1:1 with a dedicated namespace in OpenBao.
  • When an execution is triggered from a specific tenant, the orchestrator only retrieves credentials associated with that tenant's dedicated OpenBao namespace.

Dynamic Credentials

For internal infrastructural access (such as databases), AEGIS favors Dynamic Secrets.

Instead of provisioning permanent service accounts with static passwords, the orchestrator relies on OpenBao to generate short-lived credentials synchronously before an agent execution or long-running workflow.

  • Lease Semantics: The credential has an explicit Time-to-Live (TTL).
  • Auto-Revocation: Once the agent execution concludes (or the TTL expires), the credential is automatically revoked by the database role engine.
  • Audit Trails: Every dynamic credential generation publishes an AccessContext event, capturing the "who, when, and why" for comprehensive security auditing.

Stimulus-Response Routing

Architecture deep-dive into the two-stage hybrid routing pipeline for external event ingestion (BC-8).

Infrastructure Requirements

Dependency matrix, hardware requirements, network topology, pod architecture, and the local development stack.

On this page

Identity and SecretsCentralized IAMThe Keymaster PatternMulti-Tenant Secrets FederationDynamic Credentials