mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
Add ToC for all STS API docs (#8318)
This commit is contained in:
parent
c28405a5c2
commit
f3022e891d
@ -1,4 +1,22 @@
|
||||
## AssumeRole [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
# AssumeRole [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
|
||||
**Table of Contents**
|
||||
|
||||
- [Introduction](#introduction)
|
||||
- [API Request Parameters](#api-request-parameters)
|
||||
- [Version](#version)
|
||||
- [AUTHPARAMS](#authparams)
|
||||
- [DurationSeconds](#durationseconds)
|
||||
- [Policy](#policy)
|
||||
- [Response Elements](#response-elements)
|
||||
- [Errors](#errors)
|
||||
- [Sample Request](#sample-request)
|
||||
- [Sample Response](#sample-response)
|
||||
- [Testing](#testing)
|
||||
|
||||
|
||||
## Introduction
|
||||
|
||||
Returns a set of temporary security credentials that you can use to access MinIO resources. AssumeRole requires authorization credentials for an existing user on MinIO. The advantages of this API are
|
||||
|
||||
- To be able to reliably use S3 multipart APIs feature of the SDKs without re-inventing the wheel of pre-signing the each URL in multipart API. This is very tedious to implement with all the scenarios of fault tolerance that's already implemented by the client SDK. The general client SDKs don't support multipart with presigned URLs.
|
||||
@ -6,8 +24,8 @@ Returns a set of temporary security credentials that you can use to access MinIO
|
||||
|
||||
The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. The policy applied to these temporary credentials is inherited from the MinIO user credentials. By default, the temporary security credentials created by AssumeRole last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration to 12 hours.
|
||||
|
||||
### API Request Parameters
|
||||
#### Version
|
||||
## API Request Parameters
|
||||
### Version
|
||||
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.
|
||||
|
||||
| Params | Value |
|
||||
@ -15,10 +33,10 @@ Indicates STS API version information, the only supported value is '2011-06-15'.
|
||||
| *Type* | *String* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### AUTHPARAMS
|
||||
### AUTHPARAMS
|
||||
Indicates STS API Authorization information. If you are familiar with AWS Signature V4 Authorization header, this STS API supports signature V4 authorization as mentioned [here](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
|
||||
|
||||
#### DurationSeconds
|
||||
### DurationSeconds
|
||||
The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 12 hours. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds.
|
||||
|
||||
| Params | Value |
|
||||
@ -27,7 +45,7 @@ The duration, in seconds. The value can range from 900 seconds (15 minutes) up t
|
||||
| *Valid Range* | *Minimum value of 900. Maximum value of 43200.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Policy
|
||||
### Policy
|
||||
An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed.
|
||||
|
||||
| Params | Value |
|
||||
@ -36,18 +54,18 @@ An IAM policy in JSON format that you want to use as an inline session policy. T
|
||||
| *Valid Range* | *Minimum length of 1. Maximum length of 2048.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Response Elements
|
||||
### Response Elements
|
||||
XML response for this API is similar to [AWS STS AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_ResponseElements)
|
||||
|
||||
#### Errors
|
||||
### Errors
|
||||
XML error response for this API is similar to [AWS STS AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_Errors)
|
||||
|
||||
#### Sample Request
|
||||
## Sample Request
|
||||
```
|
||||
http://minio:9000/?Action=AssumeRole&DurationSeconds=3600&Version=2011-06-15&Policy={"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}&AUTHPARAMS
|
||||
```
|
||||
|
||||
#### Sample Response
|
||||
## Sample Response
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
||||
@ -69,7 +87,7 @@ http://minio:9000/?Action=AssumeRole&DurationSeconds=3600&Version=2011-06-15&Pol
|
||||
</AssumeRoleResponse>
|
||||
```
|
||||
|
||||
#### Testing
|
||||
## Testing
|
||||
```
|
||||
$ export MINIO_ACCESS_KEY=minio
|
||||
$ export MINIO_SECRET_KEY=minio123
|
||||
|
@ -1,12 +1,29 @@
|
||||
## AssumeRoleWithClientGrants [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
# AssumeRoleWithClientGrants [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
|
||||
**Table of Contents**
|
||||
|
||||
- [Introduction](#introduction)
|
||||
- [API Request Parameters](#api-request-parameters)
|
||||
- [Token](#token)
|
||||
- [Version](#version)
|
||||
- [DurationSeconds](#durationseconds)
|
||||
- [Policy](#policy)
|
||||
- [Response Elements](#response-elements)
|
||||
- [Errors](#errors)
|
||||
- [Sample Request](#sample-request)
|
||||
- [Sample Response](#sample-response)
|
||||
- [Testing](#testing)
|
||||
|
||||
## Introduction
|
||||
|
||||
Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include WSO2, KeyCloak etc.
|
||||
|
||||
Calling AssumeRoleWithClientGrants does not require the use of MinIO default credentials. Therefore, client application can be distributed that requests temporary security credentials without including MinIO default credentials. Instead, the identity of the caller is validated by using a JWT access token from the identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.
|
||||
|
||||
By default, the temporary security credentials created by AssumeRoleWithClientGrants last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration to 12 hours.
|
||||
|
||||
### API Request Parameters
|
||||
#### Token
|
||||
## API Request Parameters
|
||||
### Token
|
||||
The OAuth 2.0 access token that is provided by the identity provider. Application must get this token by authenticating the application using client credential grants before the application makes an AssumeRoleWithClientGrants call.
|
||||
|
||||
| Params | Value |
|
||||
@ -15,7 +32,7 @@ The OAuth 2.0 access token that is provided by the identity provider. Applicatio
|
||||
| *Length Constraints* | *Minimum length of 4. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### Version
|
||||
### Version
|
||||
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.
|
||||
|
||||
| Params | Value |
|
||||
@ -23,7 +40,7 @@ Indicates STS API version information, the only supported value is '2011-06-15'.
|
||||
| *Type* | *String* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### DurationSeconds
|
||||
### DurationSeconds
|
||||
The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 12 hours. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds.
|
||||
|
||||
| Params | Value |
|
||||
@ -32,7 +49,7 @@ The duration, in seconds. The value can range from 900 seconds (15 minutes) up t
|
||||
| *Valid Range* | *Minimum value of 900. Maximum value of 43200.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Policy
|
||||
### Policy
|
||||
An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed.
|
||||
|
||||
| Params | Value |
|
||||
@ -41,18 +58,18 @@ An IAM policy in JSON format that you want to use as an inline session policy. T
|
||||
| *Valid Range* | *Minimum length of 1. Maximum length of 2048.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Response Elements
|
||||
### Response Elements
|
||||
XML response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_ResponseElements)
|
||||
|
||||
#### Errors
|
||||
### Errors
|
||||
XML error response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Errors)
|
||||
|
||||
#### Sample Request
|
||||
## Sample Request
|
||||
```
|
||||
http://minio.cluster:9000?Action=AssumeRoleWithClientGrants&DurationSeconds=3600&Token=eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiYXpwIjoiUG9FZ1hQNnVWTzQ1SXNFTlJuZ0RYajVBdTVZYSIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTU0MTgwOTU4MiwiaWF0IjoxNTQxODA1OTgyLCJqdGkiOiI2Y2YyMGIwZS1lNGZmLTQzZmQtYTdiYS1kYTc3YTE3YzM2MzYifQ.Jm29jPliRvrK6Os34nSK3rhzIYLFjE__zdVGNng3uGKXGKzP3We_i6NPnhA0szJXMOKglXzUF1UgSz8MctbaxFS8XDusQPVe4LkB_45hwBm6TmBxzui911nt-1RbBLN_jZIlvl2lPrbTUH5hSn9kEkph6seWanTNQpz9tNEoVa6R_OX3kpJqxe8tLQUWw453A1JTwFNhdHa6-f1K8_Q_eEZ_4gOYINQ9t_fhTibdbkXZkJQFLop-Jwoybi9s4nwQU_dATocgcufq5eCeNItQeleT-23lGxIz0X7CiJrJynYLdd-ER0F77SumqEb5iCxhxuf4H7dovwd1kAmyKzLxpw&Version=2011-06-15
|
||||
```
|
||||
|
||||
#### Sample Response
|
||||
## Sample Response
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<AssumeRoleWithClientGrantsResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
||||
@ -72,7 +89,7 @@ http://minio.cluster:9000?Action=AssumeRoleWithClientGrants&DurationSeconds=3600
|
||||
</AssumeRoleWithClientGrantsResponse>
|
||||
```
|
||||
|
||||
#### Testing
|
||||
## Testing
|
||||
```
|
||||
$ export MINIO_ACCESS_KEY=minio
|
||||
$ export MINIO_SECRET_KEY=minio123
|
||||
|
213
docs/sts/ldap.md
213
docs/sts/ldap.md
@ -1,5 +1,26 @@
|
||||
# MinIO AD/LDAP Integration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
|
||||
**Table of Contents**
|
||||
|
||||
- [Introduction](#introduction)
|
||||
- [Configuring AD/LDAP on MinIO](#configuring-adldap-on-minio)
|
||||
- [Variable substitution in AD/LDAP configuration strings](#variable-substitution-in-adldap-configuration-strings)
|
||||
- [Notes on configuring with Microsoft Active Directory (AD)](#notes-on-configuring-with-microsoft-active-directory-ad)
|
||||
- [Managing User/Group Access Policy](#managing-usergroup-access-policy)
|
||||
- [API Request Parameters](#api-request-parameters)
|
||||
- [LDAPUsername](#ldapusername)
|
||||
- [LDAPPassword](#ldappassword)
|
||||
- [Version](#version)
|
||||
- [Policy](#policy)
|
||||
- [Response Elements](#response-elements)
|
||||
- [Errors](#errors)
|
||||
- [Sample Request](#sample-request)
|
||||
- [Sample Response](#sample-response)
|
||||
- [Testing](#testing)
|
||||
|
||||
|
||||
## Introduction
|
||||
|
||||
MinIO provides a custom STS API that allows integration with LDAP based corporate environments. The flow is as follows:
|
||||
|
||||
1. User provides their AD/LDAP username and password to the STS API.
|
||||
@ -54,7 +75,7 @@ The **MINIO_IDENTITY_LDAP_USERNAME_FORMAT** environment variable supports substi
|
||||
|
||||
The **MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER** and **MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN** environment variables support substitution of the *username* and *usernamedn* variables only.
|
||||
|
||||
## Notes on configuring with Microsoft Active Directory (AD)
|
||||
### Notes on configuring with Microsoft Active Directory (AD)
|
||||
|
||||
The LDAP STS API also works with Microsoft AD and can be configured as above. The following are some notes on determining the values of the configuration parameters described above.
|
||||
|
||||
@ -92,101 +113,6 @@ MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${username
|
||||
MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE='cn'
|
||||
```
|
||||
|
||||
## STS API Parameters
|
||||
|
||||
### Request Parameters
|
||||
|
||||
#### LDAPUsername
|
||||
Is AD/LDAP username to login. Application must ask user for this value to successfully obtain rotating access credentials from AssumeRoleWithLDAPIdentity.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Length Constraints* | *Minimum length of 2. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
|
||||
#### LDAPPassword
|
||||
Is AD/LDAP username password to login. Application must ask user for this value to successfully obtain rotating access credentials from AssumeRoleWithLDAPIdentity.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Length Constraints* | *Minimum length of 4. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### Version
|
||||
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### Policy
|
||||
An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Valid Range* | *Minimum length of 1. Maximum length of 2048.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
### Response Elements
|
||||
XML response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_ResponseElements)
|
||||
|
||||
### Errors
|
||||
XML error response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Errors)
|
||||
|
||||
### Sample Request
|
||||
```
|
||||
http://minio.cluster:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=foouser&LDAPPassword=foouserpassword&Version=2011-06-15
|
||||
```
|
||||
|
||||
### Sample Response
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
||||
<AssumeRoleWithLDAPIdentityResult>
|
||||
<AssumedRoleUser>
|
||||
<Arn/>
|
||||
<AssumeRoleId/>
|
||||
</AssumedRoleUser>
|
||||
<Credentials>
|
||||
<AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
|
||||
<SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
|
||||
<Expiration>2019-08-08T20:26:12Z</Expiration>
|
||||
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJZNFJKVTFSTkZHSzQ4TEdPOUkyUyIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTQxODExMDcxLCJpYXQiOjE1NDE4MDc0NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiYTBiMjc2MjktZWUxYS00M2JmLTg3MzktZjMzNzRhNGNkYmMwIn0.ewHqKVFTaP-j_kgZrcOEKroNUjk10GEp8bqQjxBbYVovV0nHO985VnRESFbcT6XMDDKHZiWqN2vi_ETX_u3Q-w</SessionToken>
|
||||
</Credentials>
|
||||
</AssumeRoleWithLDAPIdentity>
|
||||
<ResponseMetadata/>
|
||||
</AssumeRoleWithLDAPIdentityResponse>
|
||||
```
|
||||
|
||||
### Testing
|
||||
```
|
||||
$ export MINIO_ACCESS_KEY=minio
|
||||
$ export MINIO_SECRET_KEY=minio123
|
||||
$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636'
|
||||
$ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE='cn'
|
||||
$ minio server ~/test
|
||||
```
|
||||
|
||||
```
|
||||
$ go run ldap.go -u foouser -p foopassword
|
||||
|
||||
##### Credentials
|
||||
{
|
||||
"accessKey": "NUIBORZYTV2HG2BMRSXR",
|
||||
"secretKey": "qQlP5O7CFPc5m5IXf1vYhuVTFj7BRVJqh0FqZ86S",
|
||||
"expiration": "2018-08-21T17:10:29-07:00",
|
||||
"sessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJOVUlCT1JaWVRWMkhHMkJNUlNYUiIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTM0ODk2NjI5LCJpYXQiOjE1MzQ4OTMwMjksImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiNjY2OTZjZTctN2U1Ny00ZjU5LWI0MWQtM2E1YTMzZGZiNjA4In0.eJONnVaSVHypiXKEARSMnSKgr-2mlC2Sr4fEGJitLcJF_at3LeNdTHv0_oHsv6ZZA3zueVGgFlVXMlREgr9LXA"
|
||||
}
|
||||
```
|
||||
|
||||
## Managing User/Group Access Policy
|
||||
|
||||
Access policies may be configured on a group or on a user directly. Access policies are first defined on the MinIO server using IAM policy JSON syntax. The `mc` tool is used to issue the necessary commands.
|
||||
@ -210,3 +136,98 @@ mc admin policy set myminio mypolicy group=bigdatausers
|
||||
```
|
||||
|
||||
**Please note that when AD/LDAP is configured, MinIO will not support long term users defined internally.** Only AD/LDAP users are allowed. In addition to this, the server will not support operations on users or groups using `mc admin user` or `mc admin group` commands except `mc admin user info` and `mc admin group info` to list set policies for users and groups. This is because users and groups are defined externally in AD/LDAP.
|
||||
|
||||
|
||||
## API Request Parameters
|
||||
|
||||
### LDAPUsername
|
||||
Is AD/LDAP username to login. Application must ask user for this value to successfully obtain rotating access credentials from AssumeRoleWithLDAPIdentity.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Length Constraints* | *Minimum length of 2. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
|
||||
### LDAPPassword
|
||||
Is AD/LDAP username password to login. Application must ask user for this value to successfully obtain rotating access credentials from AssumeRoleWithLDAPIdentity.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Length Constraints* | *Minimum length of 4. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
### Version
|
||||
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
### Policy
|
||||
An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed.
|
||||
|
||||
| Params | Value |
|
||||
| :-- | :-- |
|
||||
| *Type* | *String* |
|
||||
| *Valid Range* | *Minimum length of 1. Maximum length of 2048.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
### Response Elements
|
||||
XML response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_ResponseElements)
|
||||
|
||||
### Errors
|
||||
XML error response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Errors)
|
||||
|
||||
## Sample Request
|
||||
```
|
||||
http://minio.cluster:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=foouser&LDAPPassword=foouserpassword&Version=2011-06-15
|
||||
```
|
||||
|
||||
## Sample Response
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
||||
<AssumeRoleWithLDAPIdentityResult>
|
||||
<AssumedRoleUser>
|
||||
<Arn/>
|
||||
<AssumeRoleId/>
|
||||
</AssumedRoleUser>
|
||||
<Credentials>
|
||||
<AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
|
||||
<SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
|
||||
<Expiration>2019-08-08T20:26:12Z</Expiration>
|
||||
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJZNFJKVTFSTkZHSzQ4TEdPOUkyUyIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTQxODExMDcxLCJpYXQiOjE1NDE4MDc0NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiYTBiMjc2MjktZWUxYS00M2JmLTg3MzktZjMzNzRhNGNkYmMwIn0.ewHqKVFTaP-j_kgZrcOEKroNUjk10GEp8bqQjxBbYVovV0nHO985VnRESFbcT6XMDDKHZiWqN2vi_ETX_u3Q-w</SessionToken>
|
||||
</Credentials>
|
||||
</AssumeRoleWithLDAPIdentity>
|
||||
<ResponseMetadata/>
|
||||
</AssumeRoleWithLDAPIdentityResponse>
|
||||
```
|
||||
|
||||
## Testing
|
||||
```
|
||||
$ export MINIO_ACCESS_KEY=minio
|
||||
$ export MINIO_SECRET_KEY=minio123
|
||||
$ export MINIO_IDENTITY_LDAP_SERVER_ADDR='ldaps://my.ldap-active-dir-server.com:636'
|
||||
$ export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='cn=${username},cn=users,dc=minioad,dc=local'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='dc=minioad,dc=local'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectclass=group)(member=${usernamedn}))'
|
||||
$ export MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE='cn'
|
||||
$ minio server ~/test
|
||||
```
|
||||
|
||||
```
|
||||
$ go run ldap.go -u foouser -p foopassword
|
||||
|
||||
##### Credentials
|
||||
{
|
||||
"accessKey": "NUIBORZYTV2HG2BMRSXR",
|
||||
"secretKey": "qQlP5O7CFPc5m5IXf1vYhuVTFj7BRVJqh0FqZ86S",
|
||||
"expiration": "2018-08-21T17:10:29-07:00",
|
||||
"sessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJOVUlCT1JaWVRWMkhHMkJNUlNYUiIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTM0ODk2NjI5LCJpYXQiOjE1MzQ4OTMwMjksImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiNjY2OTZjZTctN2U1Ny00ZjU5LWI0MWQtM2E1YTMzZGZiNjA4In0.eJONnVaSVHypiXKEARSMnSKgr-2mlC2Sr4fEGJitLcJF_at3LeNdTHv0_oHsv6ZZA3zueVGgFlVXMlREgr9LXA"
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -1,10 +1,28 @@
|
||||
## AssumeRoleWithWebIdentity [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
# AssumeRoleWithWebIdentity [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
||||
|
||||
**Table of Contents**
|
||||
|
||||
- [Introduction](#introduction)
|
||||
- [API Request Parameters](#api-request-parameters)
|
||||
- [WebIdentityToken](#webidentitytoken)
|
||||
- [Version](#version)
|
||||
- [DurationSeconds](#durationseconds)
|
||||
- [Policy](#policy)
|
||||
- [Response Elements](#response-elements)
|
||||
- [Errors](#errors)
|
||||
- [Sample Request](#sample-request)
|
||||
- [Sample Response](#sample-response)
|
||||
- [Testing](#testing)
|
||||
- [Authorization Flow](#authorization-flow)
|
||||
|
||||
## Introduction
|
||||
|
||||
Calling AssumeRoleWithWebIdentity does not require the use of MinIO default credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO default credentials in the application. Instead, the identity of the caller is validated by using a JWT access token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.
|
||||
|
||||
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration to 12 hours.
|
||||
|
||||
### API Request Parameters
|
||||
#### WebIdentityToken
|
||||
## API Request Parameters
|
||||
### WebIdentityToken
|
||||
The OAuth 2.0 access token that is provided by the web identity provider. Application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call.
|
||||
|
||||
| Params | Value |
|
||||
@ -13,7 +31,7 @@ The OAuth 2.0 access token that is provided by the web identity provider. Applic
|
||||
| *Length Constraints* | *Minimum length of 4. Maximum length of 2048.* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### Version
|
||||
### Version
|
||||
Indicates STS API version information, the only supported value is '2011-06-15'. This value is borrowed from AWS STS API documentation for compatibility reasons.
|
||||
|
||||
| Params | Value |
|
||||
@ -21,7 +39,7 @@ Indicates STS API version information, the only supported value is '2011-06-15'.
|
||||
| *Type* | *String* |
|
||||
| *Required* | *Yes* |
|
||||
|
||||
#### DurationSeconds
|
||||
### DurationSeconds
|
||||
The duration, in seconds. The value can range from 900 seconds (15 minutes) up to 12 hours. If value is higher than this setting, then operation fails. By default, the value is set to 3600 seconds.
|
||||
|
||||
| Params | Value |
|
||||
@ -30,7 +48,7 @@ The duration, in seconds. The value can range from 900 seconds (15 minutes) up t
|
||||
| *Valid Range* | *Minimum value of 900. Maximum value of 43200.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Policy
|
||||
### Policy
|
||||
An IAM policy in JSON format that you want to use as an inline session policy. This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the canned policy name and the policy set here. You cannot use this policy to grant more permissions than those allowed by the canned policy name being assumed.
|
||||
|
||||
| Params | Value |
|
||||
@ -39,18 +57,18 @@ An IAM policy in JSON format that you want to use as an inline session policy. T
|
||||
| *Valid Range* | *Minimum length of 1. Maximum length of 2048.* |
|
||||
| *Required* | *No* |
|
||||
|
||||
#### Response Elements
|
||||
### Response Elements
|
||||
XML response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_ResponseElements)
|
||||
|
||||
#### Errors
|
||||
### Errors
|
||||
XML error response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Errors)
|
||||
|
||||
#### Sample Request
|
||||
## Sample Request
|
||||
```
|
||||
http://minio.cluster:9000?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&WebIdentityToken=eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiYXpwIjoiUG9FZ1hQNnVWTzQ1SXNFTlJuZ0RYajVBdTVZYSIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTU0MTgwOTU4MiwiaWF0IjoxNTQxODA1OTgyLCJqdGkiOiI2Y2YyMGIwZS1lNGZmLTQzZmQtYTdiYS1kYTc3YTE3YzM2MzYifQ.Jm29jPliRvrK6Os34nSK3rhzIYLFjE__zdVGNng3uGKXGKzP3We_i6NPnhA0szJXMOKglXzUF1UgSz8MctbaxFS8XDusQPVe4LkB_45hwBm6TmBxzui911nt-1RbBLN_jZIlvl2lPrbTUH5hSn9kEkph6seWanTNQpz9tNEoVa6R_OX3kpJqxe8tLQUWw453A1JTwFNhdHa6-f1K8_Q_eEZ_4gOYINQ9t_fhTibdbkXZkJQFLop-Jwoybi9s4nwQU_dATocgcufq5eCeNItQeleT-23lGxIz0X7CiJrJynYLdd-ER0F77SumqEb5iCxhxuf4H7dovwd1kAmyKzLxpw&Version=2011-06-15
|
||||
```
|
||||
|
||||
#### Sample Response
|
||||
## Sample Response
|
||||
```
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
||||
@ -70,7 +88,7 @@ http://minio.cluster:9000?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&
|
||||
</AssumeRoleWithWebIdentityResponse>
|
||||
```
|
||||
|
||||
#### Testing
|
||||
## Testing
|
||||
```
|
||||
$ export MINIO_ACCESS_KEY=minio
|
||||
$ export MINIO_SECRET_KEY=minio123
|
||||
@ -96,7 +114,7 @@ $ go run web-identity.go -cid 204367807228-ok7601k6gj1pgge7m09h7d79co8p35xx.apps
|
||||
2018/12/26 17:49:36 listening on http://localhost:8080/
|
||||
```
|
||||
|
||||
### Authorization Flow
|
||||
## Authorization Flow
|
||||
|
||||
- Visit http://localhost:8080, login will direct the user to the Google OAuth2 Auth URL to obtain a permission grant.
|
||||
- The redirection URI (callback handler) receives the OAuth2 callback, verifies the state parameter, and obtains a Token.
|
||||
|
Loading…
Reference in New Issue
Block a user