mirror of
https://github.com/minio/minio.git
synced 2024-12-26 15:15:55 -05:00
464b9d7c80
- Adds an STS API `AssumeRoleWithCustomToken` that can be used to authenticate via the Id. Mgmt. Plugin. - Adds a sample identity manager plugin implementation - Add doc for plugin and STS API - Add an example program using go SDK for AssumeRoleWithCustomToken
54 lines
3.0 KiB
Markdown
54 lines
3.0 KiB
Markdown
# AssumeRoleWithCustomToken [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
|
|
|
|
## Introduction
|
|
|
|
To integrate with custom authentication methods using the [Identity Management Plugin](../iam/identity-management-plugin.md)), MinIO provides an STS API extension called `AssumeRoleWithCustomToken`.
|
|
|
|
After configuring the plugin, use the generated Role ARN with `AssumeRoleWithCustomToken` to get temporary credentials to access object storage.
|
|
|
|
## API Request
|
|
|
|
To make an STS API request with this method, send a POST request to the MinIO endpoint with following query parameters:
|
|
|
|
| Parameter | Type | Required | |
|
|
|-----------------|---------|----------|----------------------------------------------------------------------|
|
|
| Action | String | Yes | Value must be `AssumeRoleWithCustomToken` |
|
|
| Version | String | Yes | Value must be `2011-06-15` |
|
|
| Token | String | Yes | Token to be authenticated by identity plugin |
|
|
| RoleArn | String | Yes | Must match the Role ARN generated for the identity plugin |
|
|
| DurationSeconds | Integer | No | Duration of validity of generated credentials. Must be at least 900. |
|
|
|
|
The validity duration of the generated STS credentials is the minimum of the `DurationSeconds` parameter (if passed) and the validity duration returned by the Identity Management Plugin.
|
|
|
|
## API Response
|
|
|
|
XML response for this API is similar to [AWS STS AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_ResponseElements)
|
|
|
|
## Example request and response
|
|
|
|
Sample request with `curl`:
|
|
|
|
```sh
|
|
curl -XPOST 'http://localhost:9001/?Action=AssumeRoleWithCustomToken&Version=2011-06-15&Token=aaa&RoleArn=arn:minio:iam:::role/idmp-vGxBdLkOc8mQPU1-UQbBh-yWWVQ'
|
|
```
|
|
|
|
Prettified Response:
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
|
|
<AssumeRoleWithCustomTokenResult>
|
|
<Credentials>
|
|
<AccessKeyId>24Y5H9VHE14H47GEOKCX</AccessKeyId>
|
|
<SecretAccessKey>H+aBfQ9B1AeWWb++84hvp4tlFBo9aP+hUTdLFIeg</SecretAccessKey>
|
|
<Expiration>2022-05-25T19:56:34Z</Expiration>
|
|
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyNFk1SDlWSEUxNEg0N0dFT0tDWCIsImV4cCI6MTY1MzUwODU5NCwiZ3JvdXBzIjpbImRhdGEtc2NpZW5jZSJdLCJwYXJlbnQiOiJjdXN0b206QWxpY2UiLCJyb2xlQXJuIjoiYXJuOm1pbmlvOmlhbTo6OnJvbGUvaWRtcC14eHgiLCJzdWIiOiJjdXN0b206QWxpY2UifQ.1tO1LmlUNXiy-wl-ZbkJLWTpaPlhaGqHehsi21lNAmAGCImHHsPb-GA4lRq6GkvHAODN5ZYCf_S-OwpOOdxFwA</SessionToken>
|
|
</Credentials>
|
|
<AssumedUser>custom:Alice</AssumedUser>
|
|
</AssumeRoleWithCustomTokenResult>
|
|
<ResponseMetadata>
|
|
<RequestId>16F26E081E36DE63</RequestId>
|
|
</ResponseMetadata>
|
|
</AssumeRoleWithCustomTokenResponse>
|
|
```
|