From 9b7d593e28f9652e083a79b4c9b18df386783f85 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Tue, 17 Aug 2021 01:46:59 -0700
Subject: [PATCH] Add helper script to call assume role (#12978)

---
 docs/sts/assume-role.go | 143 ++++++++++++++++++++++++++++++++++++++++
 docs/sts/assume-role.md | 16 ++++-
 2 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 docs/sts/assume-role.go

diff --git a/docs/sts/assume-role.go b/docs/sts/assume-role.go
new file mode 100644
index 000000000..72fcfc333
--- /dev/null
+++ b/docs/sts/assume-role.go
@@ -0,0 +1,143 @@
+// +build ignore
+
+// Copyright (c) 2015-2021 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "log"
+ "net/url"
+ "time"
+
+ "github.com/minio/minio-go/v7"
+ cr "github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+var (
+ // Minio endpoint (for STS API)
+ stsEndpoint string
+
+ // User account credentials
+ minioUsername string
+ minioPassword string
+
+ // Display credentials flag
+ displayCreds bool
+
+ // Credential expiry duration
+ expiryDuration time.Duration
+
+ // Bucket to list
+ bucketToList string
+
+ // Session policy file (FIXME: add support in minio-go)
+ sessionPolicyFile string
+)
+
+func init() {
+ flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
+ flag.StringVar(&minioUsername, "u", "", "MinIO Username")
+ flag.StringVar(&minioPassword, "p", "", "MinIO Password")
+ flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
+ flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")
+ flag.StringVar(&bucketToList, "b", "", "Bucket to list (defaults to username)")
+ // flag.StringVar(&sessionPolicyFile, "s", "", "File containing session policy to apply to the STS request")
+}
+
+func main() {
+ flag.Parse()
+ if minioUsername == "" || minioPassword == "" {
+ flag.PrintDefaults()
+ return
+ }
+
+ // The credentials package in minio-go provides an interface to call the
+ // STS API.
+
+ // Initialize credential options
+ var stsOpts cr.STSAssumeRoleOptions
+ stsOpts.AccessKey = minioUsername
+ stsOpts.SecretKey = minioPassword
+ // FIXME: add support for passing this in minio-go
+ // if sessionPolicyFile != "" {
+ // var policy string
+ // if f, err := os.Open(sessionPolicyFile); err != nil {
+ // log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)
+ // } else {
+ // bs, err := ioutil.ReadAll(f)
+ // if err != nil {
+ // log.Fatalf("Error reading session policy file: %v", err)
+ // }
+ // policy = string(bs)
+ // }
+ // opts
+ // ldapOpts = append(ldapOpts, cr.LDAPIdentityPolicyOpt(policy))
+ // }
+ if expiryDuration != 0 {
+ stsOpts.DurationSeconds = int(expiryDuration.Seconds())
+ }
+ li, err := cr.NewSTSAssumeRole(stsEndpoint, stsOpts)
+ if err != nil {
+ log.Fatalf("Error initializing STS Identity: %v", err)
+ }
+
+ stsEndpointURL, err := url.Parse(stsEndpoint)
+ if err != nil {
+ log.Fatalf("Error parsing sts endpoint: %v", err)
+ }
+
+ opts := &minio.Options{
+ Creds: li,
+ Secure: stsEndpointURL.Scheme == "https",
+ }
+
+ v, err := li.Get()
+ if err != nil {
+ log.Fatalf("Error retrieving STS credentials: %v", err)
+ }
+
+ if displayCreds {
+ fmt.Println("Only displaying credentials:")
+ fmt.Println("AccessKeyID:", v.AccessKeyID)
+ fmt.Println("SecretAccessKey:", v.SecretAccessKey)
+ fmt.Println("SessionToken:", v.SessionToken)
+ return
+ }
+
+ // Use generated credentials to authenticate with MinIO server
+ minioClient, err := minio.New(stsEndpointURL.Host, opts)
+ if err != nil {
+ log.Fatalf("Error initializing client: ", err)
+ }
+
+ // Use minIO Client object normally like the regular client.
+ if bucketToList == "" {
+ bucketToList = minioUsername
+ }
+ fmt.Printf("Calling list objects on bucket named `%s` with temp creds:\n===\n", bucketToList)
+ objCh := minioClient.ListObjects(context.Background(), bucketToList, minio.ListObjectsOptions{})
+ for obj := range objCh {
+ if obj.Err != nil {
+ log.Fatalf("Listing error: %v", obj.Err)
+ }
+ fmt.Printf("Key: %s\nSize: %d\nLast Modified: %s\n===\n", obj.Key, obj.Size, obj.LastModified)
+ }
+}
diff --git a/docs/sts/assume-role.md b/docs/sts/assume-role.md
index f069abce7..60fc6df15 100644
--- a/docs/sts/assume-role.md
+++ b/docs/sts/assume-role.md
@@ -81,7 +81,7 @@ $ minio server ~/test Create new users following the multi-user guide [here](https://docs.min.io/docs/minio-multi-user-quickstart-guide.html) -Testing with an example +### Testing an example with awscli tool > Use the same username and password created in the previous steps. ```
@@ -108,6 +108,20 @@ $ aws --profile foobar --endpoint-url http://localhost:9000 sts assume-role --po } ``` +### Testing an example with `assume-role.go` + +The included program in this directory can also be used for testing: + + +``` shell +$ go run assume-role.go -u foobar -p foo12345 -d +Only displaying credentials: +AccessKeyID: 27YDRYEM0S9B44AJJX9X +SecretAccessKey: LHPdHeaLiYk+pDZ3hgN3sdwXpJC2qbhBfZ8ii9Z3 +SessionToken: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyN1lEUllFTTBTOUI0NEFKSlg5WCIsImV4cCI6MzYwMDAwMDAwMDAwMCwicG9saWN5IjoiY29uc29sZUFkbWluIn0.2d9t0UOm1jQmwe31_5CyN63f6CL-fhqZSO-XhZIp-NH5QteWv9oSMjIrcNWzMgNDblrUfAZ0JSs8a1ciLQF9Ww + +``` + ## Explore Further - [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html) - [The MinIO documentation website](https://docs.min.io)
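Review bot: `log.Fatalf("Error initializing client: ", err)` in main has no format verb for `err`, so the client-creation error is only emitted as a `%!(EXTRA …)` artifact and `go vet` flags the call; change it to `log.Fatalf("Error initializing client: %v", err)`. The commented-out policy-file block has the opposite mismatch (`log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)` passes two arguments for one verb) and is worth correcting before that code is revived. The `-p` flag takes the account password on the command line, where it is visible in process listings and shell history; falling back to an environment variable or an interactive prompt when the flag is empty would keep it out of both. The missing-credentials branch prints usage and returns, so misuse exits with status 0; `os.Exit(1)` after `flag.PrintDefaults()` (adding `os` to the imports) makes the failure visible to scripts.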