minio/docs/sts/custom-token-identity.md

AssumeRoleWithCustomToken

Introduction

To integrate with custom authentication methods using the Identity Management Plugin, MinIO provides an STS API extension called AssumeRoleWithCustomToken.

After configuring the plugin, use the generated Role ARN with AssumeRoleWithCustomToken to get temporary credentials to access object storage.

API Request

To make an STS API request with this method, send a POST request to the MinIO endpoint with the following query parameters:

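| Parameter       | Type    | Required | Description                                                           |
|-----------------|---------|----------|-----------------------------------------------------------------------|
| Action          | String  | Yes      | Value must be AssumeRoleWithCustomToken                               |
| Version         | String  | Yes      | Value must be 2011-06-15                                              |
| Token           | String  | Yes      | Token to be authenticated by identity plugin                          |
| RoleArn         | String  | Yes      | Must match the Role ARN generated for the identity plugin             |
| DurationSeconds | Integer | No       | Duration of validity of generated credentials. Must be at least 900. |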

The validity duration of the generated STS credentials is the minimum of the DurationSeconds parameter (if passed) and the validity duration returned by the Identity Management Plugin.

API Response

The XML response for this API is similar to that of AWS STS AssumeRoleWithWebIdentity.

Example request and response

Sample request with curl:

curl -XPOST 'http://localhost:9001/?Action=AssumeRoleWithCustomToken&Version=2011-06-15&Token=aaa&RoleArn=arn:minio:iam:::role/idmp-vGxBdLkOc8mQPU1-UQbBh-yWWVQ'

Prettified Response:

<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCustomTokenResult>
    <Credentials>
      <AccessKeyId>24Y5H9VHE14H47GEOKCX</AccessKeyId>
      <SecretAccessKey>H+aBfQ9B1AeWWb++84hvp4tlFBo9aP+hUTdLFIeg</SecretAccessKey>
      <Expiration>2022-05-25T19:56:34Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyNFk1SDlWSEUxNEg0N0dFT0tDWCIsImV4cCI6MTY1MzUwODU5NCwiZ3JvdXBzIjpbImRhdGEtc2NpZW5jZSJdLCJwYXJlbnQiOiJjdXN0b206QWxpY2UiLCJyb2xlQXJuIjoiYXJuOm1pbmlvOmlhbTo6OnJvbGUvaWRtcC14eHgiLCJzdWIiOiJjdXN0b206QWxpY2UifQ.1tO1LmlUNXiy-wl-ZbkJLWTpaPlhaGqHehsi21lNAmAGCImHHsPb-GA4lRq6GkvHAODN5ZYCf_S-OwpOOdxFwA</SessionToken>
    </Credentials>
    <AssumedUser>custom:Alice</AssumedUser>
  </AssumeRoleWithCustomTokenResult>
  <ResponseMetadata>
    <RequestId>16F26E081E36DE63</RequestId>
  </ResponseMetadata>
</AssumeRoleWithCustomTokenResponse>
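
The request parameters, the duration rule and the response layout described above, as an added Python example (not part of the MinIO documentation or code base). The function names, `plugin_seconds` and the placeholder values in the sample XML are assumptions made for illustration.

```python
# Added example: request builder and response parser for AssumeRoleWithCustomToken.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

def build_query(token, role_arn, duration_seconds=None):
    """Return the URL-encoded query string for the POST request."""
    if not token or not role_arn:
        raise ValueError("Token and RoleArn are required")
    params = {"Action": "AssumeRoleWithCustomToken", "Version": "2011-06-15",
              "Token": token, "RoleArn": role_arn}
    if duration_seconds is not None:
        if duration_seconds < 900:
            raise ValueError("DurationSeconds must be at least 900")
        params["DurationSeconds"] = str(duration_seconds)
    return urlencode(params)  # contains the token: keep this string out of logs

def effective_validity(plugin_seconds, duration_seconds=None):
    """Minimum of DurationSeconds (if passed) and the plugin's validity."""
    return plugin_seconds if duration_seconds is None else min(duration_seconds, plugin_seconds)

def parse_response(xml_text):
    """Extract the credentials and assumed user from the XML response."""
    result = ET.fromstring(xml_text).find("sts:AssumeRoleWithCustomTokenResult", NS)
    if result is None:
        raise ValueError("not an AssumeRoleWithCustomToken response")
    def text(path):
        node = result.find(path, NS)
        if node is None or not node.text:
            raise ValueError("missing element: " + path)
        return node.text.strip()
    expiry = datetime.strptime(text("sts:Credentials/sts:Expiration"),
                               "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"access_key": text("sts:Credentials/sts:AccessKeyId"),
            "secret_key": text("sts:Credentials/sts:SecretAccessKey"),
            "session_token": text("sts:Credentials/sts:SessionToken"),
            "expiration": expiry,
            "assumed_user": text("sts:AssumedUser")}

# Constructed sample response: placeholder credentials, same layout as the one above.
SAMPLE = """<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
 <AssumeRoleWithCustomTokenResult><Credentials>
  <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId><SecretAccessKey>EXAMPLESECRET</SecretAccessKey>
  <Expiration>2022-05-25T19:56:34Z</Expiration><SessionToken>EXAMPLETOKEN</SessionToken>
 </Credentials><AssumedUser>custom:Alice</AssumedUser></AssumeRoleWithCustomTokenResult>
</AssumeRoleWithCustomTokenResponse>"""
```

The elements are looked up through the `sts` namespace prefix because the response declares a default namespace; an unqualified `find("Credentials")` would return nothing.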