feat: allow service accounts to be generated with OpenID STS (#10184)

Bonus also fix a bug where we did not purge relevant service accounts generated by rotating credentials appropriately, service accounts should become invalid as soon as its corresponding parent user becomes invalid. Since service account themselves carry parent claim always we would never reach this problem, as the access get rejected at IAM policy layer.
2025-11-09 21:49:46 -05:00 · 2020-08-05 13:08:40 -07:00
parent cd04600862
commit e656beb915
4 changed files with 38 additions and 11 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -26,6 +26,7 @@ import (
 	"strings"
 	"time"

+	humanize "github.com/dustin/go-humanize"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/cmd/logger"
@@ -929,7 +930,7 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, ses
 		if err != nil {
 			return auth.Credentials{}, err
 		}
-		if len(policyBuf) > 16*1024 {
+		if len(policyBuf) > 16*humanize.KiByte {
 			return auth.Credentials{}, fmt.Errorf("Session policy should not exceed 16 KiB characters")
 		}
 	}
@@ -951,14 +952,6 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, ses
 		return auth.Credentials{}, errIAMActionNotAllowed
 	}

-	// FIXME: Disallow temporary users with no parent, this is most
-	// probably with OpenID which we don't support to provide
-	// any parent user, LDAPUsersType and MinIOUsersType are
-	// currently supported.
-	if cr.ParentUser == "" && cr.IsTemp() {
-		return auth.Credentials{}, errIAMActionNotAllowed
-	}
-
 	m := make(map[string]interface{})
 	m[parentClaim] = parentUser