id: T060
name: IAM Credential Service
goal: Add S3/API credential management to IAM (access_key_id + secret_key per principal)
status: planned
priority: P1
context: |
  T058.S2 revealed that IAM has no credential storage API.
  S3 needs an access_key_id → secret_key lookup to validate SigV4 signatures.
  Current workaround: env vars (T058.S2 Option B MVP).
  This task implements proper IAM-managed credentials.
steps:
  - id: S1
    name: IAM Credential proto
    done: IamCredential service defined in iam.proto
    status: pending
    notes: |
      CreateS3Credential(principal_id) → (access_key_id, secret_key)
      GetSecretKey(access_key_id) → secret_key
      ListCredentials(principal_id) → credentials
      RevokeS3Credential(access_key_id)
      GetSecretKey is service-to-service only (S3 auth → IAM); it must not be exposed to principals, since it returns the secret.
  - id: S2
    name: IAM Credential storage
    done: Credentials stored in ChainFire backend
    status: pending
    notes: |
      Key schema: /iam/credentials/{access_key_id}
      Value: {principal_id, secret_key_hash, created_at, expires_at}
      Secret key returned only on creation (never stored plaintext)
      Open issue: SigV4 derives the signing key from the raw secret (HMAC chain over date/region/service),
      so a hash alone cannot serve GetSecretKey. Either store the secret encrypted at rest (envelope key,
      never plaintext) or keep the hash only for non-SigV4 API tokens. Settle this before S3.
  - id: S3
    name: IAM Credential service implementation
    done: gRPC service functional
    status: pending
  - id: S4
    name: LightningSTOR S3 integration
    done: S3 auth calls IAM gRPC for credential lookup
    status: pending
    notes: |
      Replace the env var approach with IAM client.get_secret_key(access_key_id)
      Lookup must treat unknown, revoked and expired keys identically (reject), and compare signatures in constant time.
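An added Python sketch of the flow S1, S2 and S4 describe, written for this page and not taken from LightningSTOR, ChainFire or iam.proto. An in-memory dict keyed by the S2 path stands in for the ChainFire backend; `CredentialStore`, `verify_s3_request`, the injectable clock and the AKIA-style key format are assumptions. Because SigV4 derives its signing key from the raw secret, the store keeps the secret itself (in memory here; a real backend would hold it encrypted at rest) alongside the hash the task specifies, and the S3 side checks expiry, revocation and the signature in constant time.

```python
# Added illustration for T060 (not LightningSTOR/ChainFire code): an in-memory
# model of the S1 IamCredential API, the S2 key schema, and the S4 lookup that
# the S3 side performs while validating a SigV4 signature.
import hashlib
import hmac
import secrets
import time

KEY_PREFIX = "/iam/credentials/"   # S2 schema: /iam/credentials/{access_key_id}


def sigv4_signing_key(secret_key, date, region, service):
    """AWS SigV4 key derivation. The chain starts from the raw secret, which is
    why a hash of the secret cannot serve GetSecretKey for S3 auth."""
    k = ("AWS4" + secret_key).encode()
    for msg in (date, region, service, "aws4_request"):
        k = hmac.new(k, msg.encode(), hashlib.sha256).digest()
    return k


def sigv4_signature(secret_key, date, region, service, string_to_sign):
    """Hex signature the client sends in the Authorization header."""
    key = sigv4_signing_key(secret_key, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


class CredentialStore:
    """Stand-in for the ChainFire-backed store (assumption: dict keyed by the
    S2 path). The secret is kept in memory for the demo; a real backend must
    store it encrypted at rest, not hashed, because SigV4 needs it back."""

    def __init__(self, now=time.time):
        self._kv = {}
        self._now = now          # injectable clock so expiry can be tested

    # S1: CreateS3Credential(principal_id) -> (access_key_id, secret_key)
    def create_s3_credential(self, principal_id, ttl_seconds=None):
        access_key_id = "AKIA" + secrets.token_hex(8).upper()   # assumed format
        secret_key = secrets.token_urlsafe(30)
        created = self._now()
        self._kv[KEY_PREFIX + access_key_id] = {
            "principal_id": principal_id,
            "secret_key_hash": hashlib.sha256(secret_key.encode()).hexdigest(),
            "secret_key": secret_key,        # demo only; see class docstring
            "created_at": created,
            "expires_at": created + ttl_seconds if ttl_seconds else None,
        }
        return access_key_id, secret_key     # secret is returned exactly once

    # S1: GetSecretKey(access_key_id) -> secret_key, or None when the key is
    # unknown, revoked or expired (callers must not distinguish these cases).
    def get_secret_key(self, access_key_id):
        rec = self._kv.get(KEY_PREFIX + access_key_id)
        if rec is None:
            return None
        if rec["expires_at"] is not None and self._now() >= rec["expires_at"]:
            return None
        return rec["secret_key"]

    # S1: ListCredentials(principal_id) -> credentials (metadata only, no secret)
    def list_credentials(self, principal_id):
        return [
            {"access_key_id": k[len(KEY_PREFIX):],
             "created_at": v["created_at"], "expires_at": v["expires_at"]}
            for k, v in self._kv.items() if v["principal_id"] == principal_id
        ]

    # S1: RevokeS3Credential(access_key_id) -> True if a record was removed
    def revoke_s3_credential(self, access_key_id):
        return self._kv.pop(KEY_PREFIX + access_key_id, None) is not None


# S4: what LightningSTOR's S3 auth does with the IAM lookup instead of env vars.
def verify_s3_request(store, access_key_id, date, region, service,
                      string_to_sign, presented_signature):
    secret = store.get_secret_key(access_key_id)
    if secret is None:                       # unknown, revoked or expired
        return False
    expected = sigv4_signature(secret, date, region, service, string_to_sign)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    store = CredentialStore()
    akid, sk = store.create_s3_credential("alice", ttl_seconds=3600)
    sts = "AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/s3/aws4_request\nabc"
    sig = sigv4_signature(sk, "20150830", "us-east-1", "s3", sts)
    print(verify_s3_request(store, akid, "20150830", "us-east-1", "s3", sts, sig))
```

The client-side `sigv4_signature` call stands in for an S3 SDK; the server never sees the secret on the wire, only the access_key_id it uses for the IAM lookup. Revocation and expiry both surface as a `None` secret, so S3 returns the same rejection for every failure mode and does not leak whether a key once existed.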