Add role ARN support for OIDC identity provider (#13651)

- Allows setting a role policy parameter when configuring OIDC provider

- When role policy is set, the server prints a role ARN usable in STS API requests

- The given role policy is applied to STS API requests when the roleARN parameter is provided.

- Service accounts for role policy are also possible and work as expected.
This commit is contained in:
Aditya Manthramurthy 2021-11-26 19:22:40 -08:00 committed by GitHub
parent 4ce6d35e30
commit 4c0f48c548
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 582 additions and 80 deletions

View File

@ -43,6 +43,9 @@ add_alias() {
echo "...waiting... for 5secs" && sleep 5 echo "...waiting... for 5secs" && sleep 5
done done
done done
echo "Sleeping for nginx"
sleep 20
} }
__init__() { __init__() {

View File

@ -245,9 +245,10 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
// Session token must have a policy, reject requests without policy // Session token must have a policy, reject requests without policy
// claim. // claim.
_, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()] _, pokOpenIDClaimName := claims.MapClaims[iamPolicyClaimNameOpenID()]
_, pokOpenIDRoleArn := claims.MapClaims[roleArnClaim]
_, pokSA := claims.MapClaims[iamPolicyClaimNameSA()] _, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
if !pokOpenID && !pokSA { if !pokOpenIDClaimName && !pokOpenIDRoleArn && !pokSA {
return nil, errAuthentication return nil, errAuthentication
} }

View File

@ -327,7 +327,7 @@ func validateConfig(s config.Config) error {
} }
} }
if _, err := openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default], if _, err := openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
NewGatewayHTTPTransport(), xhttp.DrainBody); err != nil { NewGatewayHTTPTransport(), xhttp.DrainBody, globalSite.Region); err != nil {
return err return err
} }
@ -513,7 +513,7 @@ func lookupConfigs(s config.Config, objAPI ObjectLayer) {
} }
globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default], globalOpenIDConfig, err = openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
NewGatewayHTTPTransport(), xhttp.DrainBody) NewGatewayHTTPTransport(), xhttp.DrainBody, globalSite.Region)
if err != nil { if err != nil {
logger.LogIf(ctx, fmt.Errorf("Unable to initialize OpenID: %w", err)) logger.LogIf(ctx, fmt.Errorf("Unable to initialize OpenID: %w", err))
} }

View File

@ -33,7 +33,9 @@ import (
humanize "github.com/dustin/go-humanize" humanize "github.com/dustin/go-humanize"
"github.com/minio/madmin-go" "github.com/minio/madmin-go"
"github.com/minio/minio-go/v7/pkg/set" "github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/minio/internal/arn"
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/color"
"github.com/minio/minio/internal/logger" "github.com/minio/minio/internal/logger"
iampolicy "github.com/minio/pkg/iam/policy" iampolicy "github.com/minio/pkg/iam/policy"
etcd "go.etcd.io/etcd/client/v3" etcd "go.etcd.io/etcd/client/v3"
@ -66,6 +68,8 @@ type IAMSys struct {
usersSysType UsersSysType usersSysType UsersSysType
rolesMap map[arn.ARN]string
// Persistence layer for IAM subsystem // Persistence layer for IAM subsystem
store *IAMStoreSys store *IAMStoreSys
@ -215,6 +219,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
r := rand.New(rand.NewSource(time.Now().UnixNano())) r := rand.New(rand.NewSource(time.Now().UnixNano()))
// Migrate storage format if needed.
for { for {
// let one of the server acquire the lock, if not let them timeout. // let one of the server acquire the lock, if not let them timeout.
// which shall be retried again by this loop. // which shall be retried again by this loop.
@ -263,6 +268,7 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
break break
} }
// Load IAM data from storage.
for { for {
if err := sys.Load(retryCtx); err != nil { if err := sys.Load(retryCtx); err != nil {
if configRetriableErrors(err) { if configRetriableErrors(err) {
@ -308,7 +314,40 @@ func (sys *IAMSys) Init(ctx context.Context, objAPI ObjectLayer, etcdClient *etc
}() }()
} }
// Start watching changes to storage.
go sys.watch(ctx) go sys.watch(ctx)
// Load RoleARN
if roleARN, rolePolicy, enabled := globalOpenIDConfig.GetRoleInfo(); enabled {
numPolicies := len(strings.Split(rolePolicy, ","))
validPolicies, _ := sys.store.FilterPolicies(rolePolicy, "")
numValidPolicies := len(strings.Split(validPolicies, ","))
if numPolicies != numValidPolicies {
logger.LogIf(ctx, fmt.Errorf("Some specified role policies (%s) were not defined - role based policies will not be enabled.", rolePolicy))
return
}
sys.rolesMap = map[arn.ARN]string{
roleARN: rolePolicy,
}
}
sys.printIAMRoles()
}
// Prints IAM role ARNs.
func (sys *IAMSys) printIAMRoles() {
arns := sys.GetRoleARNs()
if len(arns) == 0 {
return
}
msgs := make([]string, 0, len(arns))
for _, arn := range arns {
msgs = append(msgs, color.Bold(arn))
}
logStartupMessage(fmt.Sprintf("%s %s", color.Blue("IAM Roles:"), strings.Join(msgs, " ")))
} }
// HasWatcher - returns if the IAM system has a watcher to be notified of // HasWatcher - returns if the IAM system has a watcher to be notified of
@ -389,6 +428,28 @@ func (sys *IAMSys) loadWatchedEvent(ctx context.Context, event iamWatchEvent) (e
return err return err
} }
// GetRoleARNs - returns a list of enabled role ARNs.
func (sys *IAMSys) GetRoleARNs() []string {
var res []string
for arn := range sys.rolesMap {
res = append(res, arn.String())
}
return res
}
// GetRolePolicy - returns policies associated with a role ARN.
func (sys *IAMSys) GetRolePolicy(arnStr string) (string, error) {
arn, err := arn.Parse(arnStr)
if err != nil {
return "", fmt.Errorf("RoleARN parse err: %v", err)
}
rolePolicy, ok := sys.rolesMap[arn]
if !ok {
return "", fmt.Errorf("RoleARN %s is not defined.", arnStr)
}
return rolePolicy, nil
}
// DeletePolicy - deletes a canned policy from backend or etcd. // DeletePolicy - deletes a canned policy from backend or etcd.
func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error { func (sys *IAMSys) DeletePolicy(ctx context.Context, policyName string) error {
if !sys.Initialized() { if !sys.Initialized() {
@ -1029,7 +1090,7 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin
return false return false
} }
// Check policy for this service account. // Check policy for parent user of service account.
svcPolicies, err := sys.PolicyDBGet(parentUser, false, args.Groups...) svcPolicies, err := sys.PolicyDBGet(parentUser, false, args.Groups...)
if err != nil { if err != nil {
logger.LogIf(GlobalContext, err) logger.LogIf(GlobalContext, err)
@ -1037,9 +1098,20 @@ func (sys *IAMSys) IsAllowedServiceAccount(args iampolicy.Args, parentUser strin
} }
if len(svcPolicies) == 0 { if len(svcPolicies) == 0 {
// If parent user has no policies, look in OpenID claims in case it exists. // If parent user has no policies, check for OpenID
policySet, ok := iampolicy.GetPoliciesFromClaims(args.Claims, iamPolicyClaimNameOpenID()) // claims/RoleARN in case it exists.
if ok { roleArn := args.GetRoleArn()
if roleArn != "" {
arn, err := arn.Parse(roleArn)
if err != nil {
logger.LogIf(GlobalContext, fmt.Errorf("error parsing role ARN %s: %v", roleArn, err))
return false
}
svcPolicies = newMappedPolicy(sys.rolesMap[arn]).toSlice()
} else {
// If there is no roleArn claim, check the OpenID
// provider's policy claim.
policySet, _ := iampolicy.GetPoliciesFromClaims(args.Claims, iamPolicyClaimNameOpenID())
svcPolicies = policySet.ToSlice() svcPolicies = policySet.ToSlice()
} }
if len(svcPolicies) == 0 { if len(svcPolicies) == 0 {
@ -1156,35 +1228,49 @@ func (sys *IAMSys) IsAllowedSTS(args iampolicy.Args, parentUser string) bool {
return sys.IsAllowedLDAPSTS(args, parentUser) return sys.IsAllowedLDAPSTS(args, parentUser)
} }
policies, ok := args.GetPolicies(iamPolicyClaimNameOpenID()) var policies []string
if !ok { roleArn := args.GetRoleArn()
// When claims are set, it should have a policy claim field. if roleArn != "" {
return false arn, err := arn.Parse(roleArn)
if err != nil {
logger.LogIf(GlobalContext, fmt.Errorf("error parsing role ARN %s: %v", roleArn, err))
return false
}
policies = newMappedPolicy(sys.rolesMap[arn]).toSlice()
} else {
// If roleArn is not used, we fall back to using policy claim
// from JWT.
policySet, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
if !ok {
// When claims are set, it should have a policy claim field.
return false
}
// When claims are set, it should have policies as claim.
if policySet.IsEmpty() {
// No policy, no access!
return false
}
// If policy is available for given user, check the policy.
mp, ok := sys.store.GetMappedPolicy(args.AccountName, false)
if !ok {
// No policy set for the user that we can find, no access!
return false
}
if !policySet.Equals(mp.policySet()) {
// When claims has a policy, it should match the
// policy of args.AccountName which server remembers.
// if not reject such requests.
return false
}
policies = policySet.ToSlice()
} }
// When claims are set, it should have policies as claim. combinedPolicy, err := sys.store.GetPolicy(strings.Join(policies, ","))
if policies.IsEmpty() {
// No policy, no access!
return false
}
// If policy is available for given user, check the policy.
mp, ok := sys.store.GetMappedPolicy(args.AccountName, false)
if !ok {
// No policy set for the user that we can find, no access!
return false
}
if !policies.Equals(mp.policySet()) {
// When claims has a policy, it should match the
// policy of args.AccountName which server remembers.
// if not reject such requests.
return false
}
combinedPolicy, err := sys.store.GetPolicy(strings.Join(policies.ToSlice(), ","))
if err == errNoSuchPolicy { if err == errNoSuchPolicy {
for pname := range policies { for _, pname := range policies {
_, err := sys.store.GetPolicy(pname) _, err := sys.store.GetPolicy(pname)
if err == errNoSuchPolicy { if err == errNoSuchPolicy {
// all policies presented in the claim should exist // all policies presented in the claim should exist

View File

@ -45,6 +45,7 @@ const (
stsAction = "Action" stsAction = "Action"
stsPolicy = "Policy" stsPolicy = "Policy"
stsToken = "Token" stsToken = "Token"
stsRoleArn = "RoleArn"
stsWebIdentityToken = "WebIdentityToken" stsWebIdentityToken = "WebIdentityToken"
stsWebIdentityAccessToken = "WebIdentityAccessToken" // only valid if UserInfo is enabled. stsWebIdentityAccessToken = "WebIdentityAccessToken" // only valid if UserInfo is enabled.
stsDurationSeconds = "DurationSeconds" stsDurationSeconds = "DurationSeconds"
@ -73,6 +74,9 @@ const (
// LDAP claim keys // LDAP claim keys
ldapUser = "ldapUser" ldapUser = "ldapUser"
ldapUserN = "ldapUsername" ldapUserN = "ldapUsername"
// Role Claim key
roleArnClaim = "roleArn"
) )
func parseOpenIDParentUser(parentUser string) (userID string, err error) { func parseOpenIDParentUser(parentUser string) (userID string, err error) {
@ -399,45 +403,42 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
} }
} }
var subFromToken string
if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string)
}
if subFromToken == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
var issFromToken string
if v, ok := m[issClaim]; ok {
issFromToken, _ = v.(string)
}
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
var policyName string var policyName string
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID()) roleArn := r.Form.Get(stsRoleArn)
policies := strings.Join(policySet.ToSlice(), ",") if roleArn != "" {
if ok { _, err := globalIAMSys.GetRolePolicy(roleArn)
policyName = globalIAMSys.CurrentPolicies(policies) if err != nil {
}
if globalPolicyOPA == nil {
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID())) fmt.Errorf("Error processing %s parameter: %v", stsRoleArn, err))
return
} else if policyName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
return return
} }
// If roleArn is used, we set it as a claim, and use the
// associated policy when credentials are used.
m[roleArnClaim] = roleArn
} else {
// JWT has requested a custom claim with policy value set.
// This is a MinIO STS API specific value, this value should
// be set and configured on your identity provider as part of
// JWT custom claims.
policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
policies := strings.Join(policySet.ToSlice(), ",")
if ok {
policyName = globalIAMSys.CurrentPolicies(policies)
}
if globalPolicyOPA == nil {
if !ok {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
return
} else if policyName == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
return
}
}
m[iamPolicyClaimNameOpenID()] = policyName
} }
m[iamPolicyClaimNameOpenID()] = policyName
sessionPolicyStr := r.Form.Get(stsPolicy) sessionPolicyStr := r.Form.Get(stsPolicy)
// https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html // https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
@ -476,6 +477,22 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
// this is to ensure that ParentUser doesn't change and we get to use // this is to ensure that ParentUser doesn't change and we get to use
// parentUser as per the requirements for service accounts for OpenID // parentUser as per the requirements for service accounts for OpenID
// based logins. // based logins.
var subFromToken string
if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string)
}
if subFromToken == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
var issFromToken string
if v, ok := m[issClaim]; ok {
issFromToken, _ = v.(string)
}
cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken cred.ParentUser = "openid:" + subFromToken + ":" + issFromToken
// Set the newly generated credentials. // Set the newly generated credentials.

View File

@ -741,7 +741,7 @@ const (
// SetUpOpenID - expects to setup an OpenID test server using the test OpenID // SetUpOpenID - expects to setup an OpenID test server using the test OpenID
// container and canned data from https://github.com/minio/minio-ldap-testing // container and canned data from https://github.com/minio/minio-ldap-testing
func (s *TestSuiteIAM) SetUpOpenID(c *check, serverAddr string) { func (s *TestSuiteIAM) SetUpOpenID(c *check, serverAddr string, rolePolicy string) {
ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout) ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
defer cancel() defer cancel()
@ -750,10 +750,14 @@ func (s *TestSuiteIAM) SetUpOpenID(c *check, serverAddr string) {
fmt.Sprintf("config_url=%s/.well-known/openid-configuration", serverAddr), fmt.Sprintf("config_url=%s/.well-known/openid-configuration", serverAddr),
"client_id=minio-client-app", "client_id=minio-client-app",
"client_secret=minio-client-app-secret", "client_secret=minio-client-app-secret",
"claim_name=groups",
"scopes=openid,groups", "scopes=openid,groups",
"redirect_uri=http://127.0.0.1:10000/oauth_callback", "redirect_uri=http://127.0.0.1:10000/oauth_callback",
} }
if rolePolicy != "" {
configCmds = append(configCmds, fmt.Sprintf("role_policy=%s", rolePolicy))
} else {
configCmds = append(configCmds, "claim_name=groups")
}
_, err := s.adm.SetConfigKV(ctx, strings.Join(configCmds, " ")) _, err := s.adm.SetConfigKV(ctx, strings.Join(configCmds, " "))
if err != nil { if err != nil {
c.Fatalf("unable to setup OpenID for tests: %v", err) c.Fatalf("unable to setup OpenID for tests: %v", err)
@ -797,7 +801,7 @@ func TestIAMWithOpenIDServerSuite(t *testing.T) {
} }
suite.SetUpSuite(c) suite.SetUpSuite(c)
suite.SetUpOpenID(c, openIDServer) suite.SetUpOpenID(c, openIDServer, "")
suite.TestOpenIDSTS(c) suite.TestOpenIDSTS(c)
suite.TestOpenIDServiceAcc(c) suite.TestOpenIDServiceAcc(c)
suite.TearDownSuite(c) suite.TearDownSuite(c)
@ -805,3 +809,163 @@ func TestIAMWithOpenIDServerSuite(t *testing.T) {
) )
} }
} }
func TestIAMWithOpenIDWithRolePolicyServerSuite(t *testing.T) {
baseTestCases := []TestSuiteCommon{
// Init and run test on FS backend with signature v4.
{serverType: "FS", signer: signerV4},
// Init and run test on FS backend, with tls enabled.
{serverType: "FS", signer: signerV4, secure: true},
// Init and run test on Erasure backend.
{serverType: "Erasure", signer: signerV4},
// Init and run test on ErasureSet backend.
{serverType: "ErasureSet", signer: signerV4},
}
testCases := []*TestSuiteIAM{}
for _, bt := range baseTestCases {
testCases = append(testCases,
newTestSuiteIAM(bt, false),
newTestSuiteIAM(bt, true),
)
}
for i, testCase := range testCases {
etcdStr := ""
if testCase.withEtcdBackend {
etcdStr = " (with etcd backend)"
}
t.Run(
fmt.Sprintf("Test: %d, ServerType: %s%s", i+1, testCase.serverType, etcdStr),
func(t *testing.T) {
c := &check{t, testCase.serverType}
suite := testCase
openIDServer := os.Getenv(EnvTestOpenIDServer)
if openIDServer == "" {
c.Skip("Skipping OpenID test as no OpenID server is provided.")
}
suite.SetUpSuite(c)
suite.SetUpOpenID(c, openIDServer, "readwrite")
suite.TestOpenIDSTSWithRolePolicy(c)
suite.TestOpenIDServiceAccWithRolePolicy(c)
suite.TearDownSuite(c)
},
)
}
}
const (
testRoleARN = "arn:minio:iam:::role/127.0.0.1_minio-cl"
)
func (s *TestSuiteIAM) TestOpenIDSTSWithRolePolicy(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
bucket := getRandomBucketName()
err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
if err != nil {
c.Fatalf("bucket create error: %v", err)
}
// Generate web identity STS token by interacting with OpenID IDP.
token, err := mockTestUserInteraction(ctx, testProvider, "dillon@example.io", "dillon")
if err != nil {
c.Fatalf("mock user err: %v", err)
}
webID := cr.STSWebIdentity{
Client: s.TestSuiteCommon.client,
STSEndpoint: s.endPoint,
GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
return &cr.WebIdentityToken{
Token: token,
}, nil
},
RoleARN: testRoleARN,
}
value, err := webID.Retrieve()
if err != nil {
c.Fatalf("Expected to generate STS creds, got err: %#v", err)
}
// fmt.Printf("value: %#v\n", value)
minioClient, err := minio.New(s.endpoint, &minio.Options{
Creds: cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
Secure: s.secure,
Transport: s.TestSuiteCommon.client.Transport,
})
if err != nil {
c.Fatalf("Error initializing client: %v", err)
}
// Validate that the client from sts creds can access the bucket.
c.mustListObjects(ctx, minioClient, bucket)
}
func (s *TestSuiteIAM) TestOpenIDServiceAccWithRolePolicy(c *check) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
bucket := getRandomBucketName()
err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
if err != nil {
c.Fatalf("bucket create error: %v", err)
}
// Generate web identity STS token by interacting with OpenID IDP.
token, err := mockTestUserInteraction(ctx, testProvider, "dillon@example.io", "dillon")
if err != nil {
c.Fatalf("mock user err: %v", err)
}
webID := cr.STSWebIdentity{
Client: s.TestSuiteCommon.client,
STSEndpoint: s.endPoint,
GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
return &cr.WebIdentityToken{
Token: token,
}, nil
},
RoleARN: testRoleARN,
}
value, err := webID.Retrieve()
if err != nil {
c.Fatalf("Expected to generate STS creds, got err: %#v", err)
}
// Create an madmin client with user creds
userAdmClient, err := madmin.NewWithOptions(s.endpoint, &madmin.Options{
Creds: cr.NewStaticV4(value.AccessKeyID, value.SecretAccessKey, value.SessionToken),
Secure: s.secure,
})
if err != nil {
c.Fatalf("Err creating user admin client: %v", err)
}
userAdmClient.SetCustomTransport(s.TestSuiteCommon.client.Transport)
// Create svc acc
cr := c.mustCreateSvcAccount(ctx, value.AccessKeyID, userAdmClient)
// 1. Check that svc account appears in listing
c.assertSvcAccAppearsInListing(ctx, userAdmClient, value.AccessKeyID, cr.AccessKey)
// 2. Check that svc account info can be queried
c.assertSvcAccInfoQueryable(ctx, userAdmClient, value.AccessKeyID, cr.AccessKey, true)
// 3. Check S3 access
c.assertSvcAccS3Access(ctx, s, cr, bucket)
// 4. Check that svc account can restrict the policy, and that the
// session policy can be updated.
c.assertSvcAccSessionPolicyUpdate(ctx, s, userAdmClient, value.AccessKeyID, bucket)
// 4. Check that service account's secret key and account status can be
// updated.
c.assertSvcAccSecretKeyAndStatusUpdate(ctx, s, userAdmClient, value.AccessKeyID, bucket)
// 5. Check that service account can be deleted.
c.assertSvcAccDeletion(ctx, s, userAdmClient, value.AccessKeyID, bucket)
}

View File

@ -6,6 +6,14 @@ Calling AssumeRoleWithWebIdentity does not require the use of MinIO default cred
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days. By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days.
## Access Control Policies
MinIO's AssumeRoleWithWebIdentity supports specifying access control policies in two ways:
1. Role Policy (Recommended): When specified, all users authenticating via this API are authorized to (only) use the specified role policy. The policy to associate with such users is specified when configuring OpenID provider in the server, via the `role_policy` configuration parameter or the `MINIO_IDENTITY_OPENID_ROLE_POLICY` environment variable. The value is a comma-separated list of IAM access policy names already defined in the server. In this situation, the server prints a role ARN at startup that must be specified as a `RoleARN` API request parameter in the STS AssumeRoleWithWebIdentity API call.
2. `id_token` claims: When the role policy is not configured, MinIO looks for a specific claim in the `id_token` (JWT) returned by the OpenID provider. The default claim is `policy` and can be overridden by the `claim_name` configuration parameter or the `MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable. The claim value can be a string (comma-separated list) or an array of IAM access policy names defined in the server. A `RoleARN` API request parameter *must not* be specified in the STS AssumeRoleWithWebIdentity API call.
## API Request Parameters ## API Request Parameters
### WebIdentityToken ### WebIdentityToken
The OAuth 2.0 id_token that is provided by the web identity provider. Application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call. The OAuth 2.0 id_token that is provided by the web identity provider. Application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call.
@ -24,6 +32,14 @@ There are situations when identity provider does not provide user claims in `id_
| *Type* | *String* | | *Type* | *String* |
| *Required* | *No* | | *Required* | *No* |
### RoleARN
The role ARN to use. This must be specified if and only if the web identity provider is configured with a role policy.
| Params | Value |
| :-- | :-- |
| *Type* | *String* |
| *Required* | *No* |
### Version ### Version
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons. Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.

4
go.mod
View File

@ -49,7 +49,8 @@ require (
github.com/minio/highwayhash v1.0.2 github.com/minio/highwayhash v1.0.2
github.com/minio/kes v0.14.0 github.com/minio/kes v0.14.0
github.com/minio/madmin-go v1.1.16 github.com/minio/madmin-go v1.1.16
github.com/minio/minio-go/v7 v7.0.16-0.20211108161804-a7a36ee131df github.com/minio/mc v0.0.0-20211118223026-df75eed32e9e // indirect
github.com/minio/minio-go/v7 v7.0.16-0.20211117164632-e517704ccb36
github.com/minio/parquet-go v1.1.0 github.com/minio/parquet-go v1.1.0
github.com/minio/pkg v1.1.9 github.com/minio/pkg v1.1.9
github.com/minio/selfupdate v0.3.1 github.com/minio/selfupdate v0.3.1
@ -166,7 +167,6 @@ require (
github.com/minio/colorjson v1.0.1 // indirect github.com/minio/colorjson v1.0.1 // indirect
github.com/minio/direct-csi v1.3.5-0.20210601185811-f7776f7961bf // indirect github.com/minio/direct-csi v1.3.5-0.20210601185811-f7776f7961bf // indirect
github.com/minio/filepath v1.0.0 // indirect github.com/minio/filepath v1.0.0 // indirect
github.com/minio/mc v0.0.0-20211115052100-7fd441ec6c5b // indirect
github.com/minio/md5-simd v1.1.2 // indirect github.com/minio/md5-simd v1.1.2 // indirect
github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 // indirect github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 // indirect
github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 // indirect github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 // indirect

9
go.sum
View File

@ -1086,12 +1086,12 @@ github.com/minio/kes v0.14.0/go.mod h1:OUensXz2BpgMfiogslKxv7Anyx/wj+6bFC6qA7BQc
github.com/minio/madmin-go v1.0.12/go.mod h1:BK+z4XRx7Y1v8SFWXsuLNqQqnq5BO/axJ8IDJfgyvfs= github.com/minio/madmin-go v1.0.12/go.mod h1:BK+z4XRx7Y1v8SFWXsuLNqQqnq5BO/axJ8IDJfgyvfs=
github.com/minio/madmin-go v1.1.11-0.20211102182201-e51fd3d6b104/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo= github.com/minio/madmin-go v1.1.11-0.20211102182201-e51fd3d6b104/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo=
github.com/minio/madmin-go v1.1.12/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo= github.com/minio/madmin-go v1.1.12/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo=
github.com/minio/madmin-go v1.1.13/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo= github.com/minio/madmin-go v1.1.15/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo=
github.com/minio/madmin-go v1.1.16 h1:c96vQBF3W9sPXiY04rjNa06FfOmWDjeFuChuqtOzLmE= github.com/minio/madmin-go v1.1.16 h1:c96vQBF3W9sPXiY04rjNa06FfOmWDjeFuChuqtOzLmE=
github.com/minio/madmin-go v1.1.16/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo= github.com/minio/madmin-go v1.1.16/go.mod h1:Iu0OnrMWNBYx1lqJTW+BFjBMx0Hi0wjw8VmqhiOs2Jo=
github.com/minio/mc v0.0.0-20211110003602-1461b652d920/go.mod h1:V8NmUfU0W3G/mrifeO6nm4CWFTiXY2nx7FJyMge/aHk= github.com/minio/mc v0.0.0-20211110003602-1461b652d920/go.mod h1:V8NmUfU0W3G/mrifeO6nm4CWFTiXY2nx7FJyMge/aHk=
github.com/minio/mc v0.0.0-20211115052100-7fd441ec6c5b h1:crCI2lSbzWzMuk/U6fMqSl5eF2V2VKDFNX+ILSD1sxU= github.com/minio/mc v0.0.0-20211118223026-df75eed32e9e h1:6EoG2tWc6y89CTX6h2jvbAaSSjd78zBKaL4U1wEJ3yA=
github.com/minio/mc v0.0.0-20211115052100-7fd441ec6c5b/go.mod h1:2fFAzMBmEYcN4mjcmQdlLuSabP+bvQC5UpqfLzRgrQQ= github.com/minio/mc v0.0.0-20211118223026-df75eed32e9e/go.mod h1:sXbvyABnNzmpnMEFT2aOexxnI8O0x802lZxbXo8aDgA=
github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM= github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
@ -1099,8 +1099,9 @@ github.com/minio/minio-go/v7 v7.0.10/go.mod h1:td4gW1ldOsj1PbSNS+WYK43j+P1XVhX/8
github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78/go.mod h1:mTh2uJuAbEqdhMVl6CMIIZLUeiMiWtJR4JB8/5g2skw= github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78/go.mod h1:mTh2uJuAbEqdhMVl6CMIIZLUeiMiWtJR4JB8/5g2skw=
github.com/minio/minio-go/v7 v7.0.15-0.20211004160302-3b57c1e369ca/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g= github.com/minio/minio-go/v7 v7.0.15-0.20211004160302-3b57c1e369ca/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g=
github.com/minio/minio-go/v7 v7.0.15/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g= github.com/minio/minio-go/v7 v7.0.15/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g=
github.com/minio/minio-go/v7 v7.0.16-0.20211108161804-a7a36ee131df h1:7BfpVODGh5reCjIx2lUqE7CxRMjo58XJw7ZjKKNW/vc=
github.com/minio/minio-go/v7 v7.0.16-0.20211108161804-a7a36ee131df/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g= github.com/minio/minio-go/v7 v7.0.16-0.20211108161804-a7a36ee131df/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g=
github.com/minio/minio-go/v7 v7.0.16-0.20211117164632-e517704ccb36 h1:amnEPz1PuZxUUSKQvQn7E4Pd+B7tIqmqiFeuc9yy2r4=
github.com/minio/minio-go/v7 v7.0.16-0.20211117164632-e517704ccb36/go.mod h1:pUV0Pc+hPd1nccgmzQF/EXh48l/Z/yps6QPF1aaie4g=
github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 h1:dkfuMNslMjGoJ4ArAMSoQhidYNdm3SgzLBP+f96O3/E= github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7 h1:dkfuMNslMjGoJ4ArAMSoQhidYNdm3SgzLBP+f96O3/E=
github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7/go.mod h1:lDpuz8nwsfhKlfiBaA3Z8AW019fWEAjO2gltfLbdorE= github.com/minio/operator v0.0.0-20211011212245-31460bbbc4b7/go.mod h1:lDpuz8nwsfhKlfiBaA3Z8AW019fWEAjO2gltfLbdorE=
github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 h1:vFtQqCt67ETp0JAkOKRWTKkgwFv14Vc1jJSxmQ8wJE0= github.com/minio/operator/logsearchapi v0.0.0-20211011212245-31460bbbc4b7 h1:vFtQqCt67ETp0JAkOKRWTKkgwFv14Vc1jJSxmQ8wJE0=

147
internal/arn/arn.go Normal file
View File

@ -0,0 +1,147 @@
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package arn
import (
"fmt"
"regexp"
"strings"
)
// ARN structure:
//
// arn:partition:service:region:account-id:resource-type/resource-id
//
// In this implementation, account-id is empty.
//
// Reference: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
type arnPartition string
const (
arnPartitionMinio arnPartition = "minio"
)
type arnService string
const (
arnServiceIAM arnService = "iam"
)
type arnResourceType string
const (
arnResourceTypeRole arnResourceType = "role"
)
// ARN - representation of resources based on AWS ARNs.
type ARN struct {
Partition arnPartition
Service arnService
Region string
ResourceType arnResourceType
ResourceID string
}
var (
// Allows lower-case chars, numbers, '.', '-', '_' and '/'. Starts with
// a letter or digit. At least 1 character long.
validResourceIDRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9_/\.-]*$`)
)
// NewIAMRoleARN - returns an ARN for a role in MinIO.
func NewIAMRoleARN(resourceID, serverRegion string) (ARN, error) {
if !validResourceIDRegex.MatchString(resourceID) {
return ARN{}, fmt.Errorf("Invalid resource ID: %s", resourceID)
}
return ARN{
Partition: arnPartitionMinio,
Service: arnServiceIAM,
Region: serverRegion,
ResourceType: arnResourceTypeRole,
ResourceID: resourceID,
}, nil
}
// String - returns string representation of the ARN.
func (arn ARN) String() string {
return strings.Join(
[]string{
"arn",
string(arn.Partition),
string(arn.Service),
arn.Region,
"", // account-id is always empty in this implementation
string(arn.ResourceType) + "/" + arn.ResourceID,
},
":",
)
}
// Parse - parses an ARN string into a type.
func Parse(arnStr string) (arn ARN, err error) {
ps := strings.Split(arnStr, ":")
if len(ps) != 6 ||
ps[0] != "arn" {
err = fmt.Errorf("Invalid ARN string format")
return
}
if ps[1] != string(arnPartitionMinio) {
err = fmt.Errorf("Invalid ARN - bad partition field")
return
}
if ps[2] != string(arnServiceIAM) {
err = fmt.Errorf("Invalid ARN - bad service field")
return
}
// ps[3] is region and is not validated here. If the region is invalid,
// the ARN would not match any configured ARNs in the server.
if ps[4] != "" {
err = fmt.Errorf("Invalid ARN - unsupported account-id field")
return
}
res := strings.SplitN(ps[5], "/", 2)
if len(res) != 2 {
err = fmt.Errorf("Invalid ARN - resource does not contain a \"/\"")
return
}
if res[0] != string(arnResourceTypeRole) {
err = fmt.Errorf("Invalid ARN: resource type is invalid.")
return
}
if !validResourceIDRegex.MatchString(res[1]) {
err = fmt.Errorf("Invalid resource ID: %s", res[1])
return
}
arn = ARN{
Partition: arnPartitionMinio,
Service: arnServiceIAM,
Region: ps[3],
ResourceType: arnResourceTypeRole,
ResourceID: res[1],
}
return
}

View File

@ -50,6 +50,12 @@ var (
Optional: true, Optional: true,
Type: "on|off", Type: "on|off",
}, },
config.HelpKV{
Key: RolePolicy,
Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"`,
Optional: true,
Type: "string",
},
config.HelpKV{ config.HelpKV{
Key: Scopes, Key: Scopes,
Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`, Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
@ -98,5 +104,17 @@ var (
Optional: true, Optional: true,
Type: "sentence", Type: "sentence",
}, },
config.HelpKV{
Key: ClaimPrefix,
Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
Optional: true,
Type: "string",
},
config.HelpKV{
Key: RedirectURI,
Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
Optional: true,
Type: "string",
},
} }
) )

View File

@ -23,6 +23,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"net"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
@ -30,6 +31,7 @@ import (
"time" "time"
jwtgo "github.com/golang-jwt/jwt/v4" jwtgo "github.com/golang-jwt/jwt/v4"
"github.com/minio/minio/internal/arn"
"github.com/minio/minio/internal/auth" "github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/config/identity/openid/provider" "github.com/minio/minio/internal/config/identity/openid/provider"
@ -56,7 +58,9 @@ type Config struct {
DiscoveryDoc DiscoveryDoc DiscoveryDoc DiscoveryDoc
ClientID string ClientID string
ClientSecret string ClientSecret string
RolePolicy string
roleArn arn.ARN
provider provider.Provider provider provider.Provider
publicKeys map[string]crypto.PublicKey publicKeys map[string]crypto.PublicKey
transport *http.Transport transport *http.Transport
@ -167,6 +171,12 @@ func (r Config) ProviderEnabled() bool {
return r.Enabled && r.provider != nil return r.Enabled && r.provider != nil
} }
// GetRoleInfo - returns role ARN and policy if present, otherwise returns false
// boolean.
func (r Config) GetRoleInfo() (arn.ARN, string, bool) {
return r.roleArn, r.RolePolicy, r.RolePolicy != ""
}
// InitializeKeycloakProvider - initializes keycloak provider // InitializeKeycloakProvider - initializes keycloak provider
func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error { func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error {
var err error var err error
@ -366,6 +376,7 @@ const (
ClaimPrefix = "claim_prefix" ClaimPrefix = "claim_prefix"
ClientID = "client_id" ClientID = "client_id"
ClientSecret = "client_secret" ClientSecret = "client_secret"
RolePolicy = "role_policy"
Vendor = "vendor" Vendor = "vendor"
Scopes = "scopes" Scopes = "scopes"
@ -383,6 +394,7 @@ const (
EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME" EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
EnvIdentityOpenIDClaimUserInfo = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO" EnvIdentityOpenIDClaimUserInfo = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX" EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
EnvIdentityOpenIDRolePolicy = "MINIO_IDENTITY_OPENID_ROLE_POLICY"
EnvIdentityOpenIDRedirectURI = "MINIO_IDENTITY_OPENID_REDIRECT_URI" EnvIdentityOpenIDRedirectURI = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC" EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES" EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES"
@ -458,6 +470,10 @@ var (
Key: ClaimUserinfo, Key: ClaimUserinfo,
Value: "", Value: "",
}, },
config.KV{
Key: RolePolicy,
Value: "",
},
config.KV{ config.KV{
Key: ClaimPrefix, Key: ClaimPrefix,
Value: "", Value: "",
@ -483,7 +499,7 @@ func Enabled(kvs config.KVS) bool {
} }
// LookupConfig lookup jwks from config, override with any ENVs. // LookupConfig lookup jwks from config, override with any ENVs.
func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error) { func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error) {
// remove this since we have removed this already. // remove this since we have removed this already.
kvs.Delete(JwksURL) kvs.Delete(JwksURL)
@ -501,16 +517,19 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
publicKeys: make(map[string]crypto.PublicKey), publicKeys: make(map[string]crypto.PublicKey),
ClientID: env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)), ClientID: env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)),
ClientSecret: env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)), ClientSecret: env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)),
RolePolicy: env.Get(EnvIdentityOpenIDRolePolicy, kvs.Get(RolePolicy)),
transport: transport, transport: transport,
closeRespFn: closeRespFn, closeRespFn: closeRespFn,
} }
configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL)) configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL))
var configURLDomain string
if configURL != "" { if configURL != "" {
c.URL, err = xnet.ParseHTTPURL(configURL) c.URL, err = xnet.ParseHTTPURL(configURL)
if err != nil { if err != nil {
return c, err return c, err
} }
configURLDomain, _, _ = net.SplitHostPort(c.URL.Host)
c.DiscoveryDoc, err = parseDiscoveryDoc(c.URL, transport, closeRespFn) c.DiscoveryDoc, err = parseDiscoveryDoc(c.URL, transport, closeRespFn)
if err != nil { if err != nil {
return c, err return c, err
@ -534,8 +553,38 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
c.DiscoveryDoc.ScopesSupported = scopes c.DiscoveryDoc.ScopesSupported = scopes
} }
if c.ClaimName == "" { // Check if claim name is the non-default value and role policy is set.
c.ClaimName = iampolicy.PolicyName if c.ClaimName != iampolicy.PolicyName && c.RolePolicy != "" {
// In the unlikely event that the user specifies
// `iampolicy.PolicyName` as the claim name explicitly and sets
// a role policy, this check is thwarted, but we will be using
// the role policy anyway.
return c, config.Errorf("Role Policy and Claim Name cannot both be set.")
}
if c.RolePolicy != "" {
// RolePolicy is valided by IAM System during its
// initialization.
// Generate role ARN as combination of provider domain and
// prefix of client ID.
domain := configURLDomain
if domain == "" {
// Attempt to parse the JWKs URI.
domain, _, _ = net.SplitHostPort(c.JWKS.URL.Host)
if domain == "" {
return c, config.Errorf("unable to generate a domain from the OpenID config.")
}
}
clientIDFragment := c.ClientID[:8]
if clientIDFragment == "" {
return c, config.Errorf("unable to get a non-empty clientID fragment from the OpenID config.")
}
resourceID := domain + "_" + clientIDFragment
c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
if err != nil {
return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)
}
} }
jwksURL := c.DiscoveryDoc.JwksURI jwksURL := c.DiscoveryDoc.JwksURI