Introduce STS client grants API and OPA policy integration (#6168)

This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks
2025-11-09 05:34:56 -05:00 · 2018-10-09 14:00:01 -07:00
parent 16a100b597
commit 54ae364def
76 changed files with 7249 additions and 713 deletions
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -100,6 +100,23 @@ func isValidRegion(reqRegion string, confRegion string) bool {
 	return reqRegion == confRegion
 }

+// check if the access key is valid and recognized, additionally
+// also returns if the access key is owner/admin.
+func checkKeyValid(accessKey string) (bool, APIErrorCode) {
+	var owner = true
+	if globalServerConfig.GetCredential().AccessKey != accessKey {
+		if globalIAMSys == nil {
+			return false, ErrInvalidAccessKeyID
+		}
+		// Check if the access key is part of users credentials.
+		if _, ok := globalIAMSys.GetUser(accessKey); !ok {
+			return false, ErrInvalidAccessKeyID
+		}
+		owner = false
+	}
+	return owner, ErrNone
+}
+
 // sumHMAC calculate hmac between two input byte array.
 func sumHMAC(key []byte, data []byte) []byte {
 	hash := hmac.New(sha256.New, key)