mirror of
https://github.com/minio/minio.git
synced 2025-11-21 10:16:03 -05:00
RoleARN is a required parameter in AssumeRoleWithWebIdentity, according to the standard AWS implementation, and the official AWS SDKs and CLI will not allow you to assume a role from a JWT without also specifying a RoleARN. This meant that it was not possible to use the official SDKs for claim-based OIDC with Minio (minio/minio#21421), since Minio required you to _omit_ the RoleARN in this case.

minio/minio#21468 attempted to fix this by disabling the validation of the RoleARN when a claim-based provider was configured, but this had the side effect of making it impossible to have a mixture of claim-based and role-based OIDC providers configured at the same time - every authentication would be treated as claim-based, ignoring the RoleARN entirely.

This is an alternative fix, whereby:

- _if_ the `RoleARN` is one that Minio knows about, then use the associated role policy
- if the `RoleARN` is not recognised, but there is a claim-based provider configured, then ignore the role ARN and attempt authentication with the claim-based provider
- if the `RoleARN` is not recognised, and there is _no_ claim-based provider, then return an error.
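The three-way resolution described in the commit message, as an added illustration that is not MinIO's own code: a hypothetical `Registry` indexes role-based providers by their RoleARN and holds at most one claim-based provider, and `Resolve` applies the rules in order (known ARN wins, otherwise fall back to the claim-based provider if one exists, otherwise fail). The `Provider` and `Resolution` types, the `policy` claim name, and the ARN strings are all constructed for the example; JWT signature verification is assumed to have happened already, so the function takes the already-verified claims as a plain map.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnknownRoleARN is returned when the RoleARN is not configured and there
// is no claim-based provider to fall back to (third rule in the commit message).
var ErrUnknownRoleARN = errors.New("unknown RoleARN and no claim-based OIDC provider configured")

// Provider is a hypothetical stand-in for an OIDC provider configuration.
// A role-based provider has a RoleARN and a fixed RolePolicy; a claim-based
// provider has an empty RoleARN and reads the policy from a JWT claim.
type Provider struct {
	Name       string
	RoleARN    string // empty for claim-based providers
	RolePolicy string // fixed policy attached to a role-based provider
	ClaimName  string // claim carrying the policy name for claim-based providers
}

// Resolution records which provider and policy were selected and whether the
// claim-based fallback was used (so the decision is auditable in logs).
type Resolution struct {
	Provider string
	Policy   string
	ByClaim  bool
}

// Registry holds the configured providers: role-based ones keyed by RoleARN,
// plus at most one claim-based provider.
type Registry struct {
	byARN      map[string]Provider
	claimBased *Provider
}

// NewRegistry validates the configuration: duplicate RoleARNs and more than
// one claim-based provider are rejected up front.
func NewRegistry(providers ...Provider) (*Registry, error) {
	r := &Registry{byARN: map[string]Provider{}}
	for _, p := range providers {
		p := p // take a stable copy before storing a pointer to it
		if p.RoleARN != "" {
			if _, dup := r.byARN[p.RoleARN]; dup {
				return nil, fmt.Errorf("duplicate RoleARN %q", p.RoleARN)
			}
			r.byARN[p.RoleARN] = p
			continue
		}
		if r.claimBased != nil {
			return nil, errors.New("only one claim-based provider may be configured")
		}
		r.claimBased = &p
	}
	return r, nil
}

// Resolve applies the three rules in order. claims are the already-verified
// JWT claims (verification is out of scope for this example).
func (r *Registry) Resolve(roleARN string, claims map[string]string) (Resolution, error) {
	// Rule 1: a RoleARN MinIO knows about selects that role's policy.
	if p, ok := r.byARN[roleARN]; ok {
		return Resolution{Provider: p.Name, Policy: p.RolePolicy}, nil
	}
	// Rule 2: unknown (or empty) RoleARN, but a claim-based provider exists:
	// ignore the ARN and take the policy from the configured claim.
	if r.claimBased != nil {
		policy, ok := claims[r.claimBased.ClaimName]
		if !ok || policy == "" {
			return Resolution{}, fmt.Errorf("claim %q missing from token", r.claimBased.ClaimName)
		}
		return Resolution{Provider: r.claimBased.Name, Policy: policy, ByClaim: true}, nil
	}
	// Rule 3: unknown RoleARN and nothing to fall back to.
	return Resolution{}, ErrUnknownRoleARN
}

func main() {
	// Constructed configuration: one role-based and one claim-based provider.
	reg, err := NewRegistry(
		Provider{Name: "corp-idp", RoleARN: "arn:minio:iam:::role/corp", RolePolicy: "corp-readonly"},
		Provider{Name: "claims-idp", ClaimName: "policy"},
	)
	if err != nil {
		panic(err)
	}
	// An SDK always sends some RoleARN; an unrecognised one now reaches the
	// claim-based provider instead of being rejected.
	res, err := reg.Resolve("arn:minio:iam:::role/placeholder", map[string]string{"policy": "readwrite"})
	fmt.Printf("%+v %v\n", res, err)
}
```

The point of keeping both paths in one registry is that a recognised RoleARN is never silently downgraded to claim-based resolution, which was the regression the commit message attributes to minio/minio#21468.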