minio/docs/sts/custom-token-identity.md
Aditya Manthramurthy 464b9d7c80
Add support for Identity Management Plugin (#14913)
- Adds an STS API `AssumeRoleWithCustomToken` that can be used to 
  authenticate via the Id. Mgmt. Plugin.
- Adds a sample identity manager plugin implementation
- Add doc for plugin and STS API
- Add an example program using go SDK for AssumeRoleWithCustomToken
2022-05-26 17:58:09 -07:00


AssumeRoleWithCustomToken

Introduction

To integrate with custom authentication methods using the Identity Management Plugin, MinIO provides an STS API extension called AssumeRoleWithCustomToken.

After configuring the plugin, use the generated Role ARN with AssumeRoleWithCustomToken to get temporary credentials to access object storage.

API Request

To make an STS API request with this method, send a POST request to the MinIO endpoint with the following query parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| Action | String | Yes | Value must be `AssumeRoleWithCustomToken` |
| Version | String | Yes | Value must be `2011-06-15` |
| Token | String | Yes | Token to be authenticated by the identity plugin |
| RoleArn | String | Yes | Must match the Role ARN generated for the identity plugin |
| DurationSeconds | Integer | No | Duration of validity of the generated credentials. Must be at least 900. |

The validity duration of the generated STS credentials is the minimum of the DurationSeconds parameter (if passed) and the validity duration returned by the Identity Management Plugin.

API Response

The XML response for this API is similar to that of AWS STS AssumeRoleWithWebIdentity.

Example request and response

Sample request with curl:

curl -XPOST 'http://localhost:9001/?Action=AssumeRoleWithCustomToken&Version=2011-06-15&Token=aaa&RoleArn=arn:minio:iam:::role/idmp-vGxBdLkOc8mQPU1-UQbBh-yWWVQ'

Prettified Response:

<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCustomTokenResult>
    <Credentials>
      <AccessKeyId>24Y5H9VHE14H47GEOKCX</AccessKeyId>
      <SecretAccessKey>H+aBfQ9B1AeWWb++84hvp4tlFBo9aP+hUTdLFIeg</SecretAccessKey>
      <Expiration>2022-05-25T19:56:34Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyNFk1SDlWSEUxNEg0N0dFT0tDWCIsImV4cCI6MTY1MzUwODU5NCwiZ3JvdXBzIjpbImRhdGEtc2NpZW5jZSJdLCJwYXJlbnQiOiJjdXN0b206QWxpY2UiLCJyb2xlQXJuIjoiYXJuOm1pbmlvOmlhbTo6OnJvbGUvaWRtcC14eHgiLCJzdWIiOiJjdXN0b206QWxpY2UifQ.1tO1LmlUNXiy-wl-ZbkJLWTpaPlhaGqHehsi21lNAmAGCImHHsPb-GA4lRq6GkvHAODN5ZYCf_S-OwpOOdxFwA</SessionToken>
    </Credentials>
    <AssumedUser>custom:Alice</AssumedUser>
  </AssumeRoleWithCustomTokenResult>
  <ResponseMetadata>
    <RequestId>16F26E081E36DE63</RequestId>
  </ResponseMetadata>
</AssumeRoleWithCustomTokenResponse>
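The following Go program is an added example and is not the example program referenced in the commit message or any other MinIO code. It covers both the request section above (building the POST URL with the required and optional query parameters, rejecting a DurationSeconds below 900, and applying the "minimum of requested and plugin-returned validity" rule) and the response section (decoding the XML shown above and checking that credentials are present and not yet expired). The function names, the `minDurationSeconds` constant, and the `sampleResponse` text (the response above with the session token replaced by a constructed placeholder) are assumptions made for this example; it performs no network call, so it runs offline.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Query parameter values fixed by the API description above.
const (
	stsAction          = "AssumeRoleWithCustomToken"
	stsVersion         = "2011-06-15"
	minDurationSeconds = 900 // lower bound on DurationSeconds from the parameter table
)

// buildRequestURL assembles the POST target for an AssumeRoleWithCustomToken
// call. durationSeconds == 0 means "omit the optional DurationSeconds parameter".
func buildRequestURL(endpoint, token, roleArn string, durationSeconds int) (string, error) {
	if token == "" || roleArn == "" {
		return "", errors.New("Token and RoleArn are required")
	}
	if durationSeconds != 0 && durationSeconds < minDurationSeconds {
		return "", fmt.Errorf("DurationSeconds must be at least %d, got %d", minDurationSeconds, durationSeconds)
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("Action", stsAction)
	q.Set("Version", stsVersion)
	q.Set("Token", token)
	q.Set("RoleArn", roleArn)
	if durationSeconds != 0 {
		q.Set("DurationSeconds", strconv.Itoa(durationSeconds))
	}
	u.RawQuery = q.Encode() // percent-encodes the token and the ARN
	return u.String(), nil
}

// effectiveValiditySeconds applies the rule stated in the text: the credentials
// are valid for the minimum of DurationSeconds (if passed, i.e. non-zero here)
// and the validity returned by the identity plugin.
func effectiveValiditySeconds(requested, pluginValidity int) int {
	if requested == 0 || pluginValidity < requested {
		return pluginValidity
	}
	return requested
}

// Structures mirroring the XML response shown above.
type stsCredentials struct {
	AccessKeyId     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	Expiration      time.Time `xml:"Expiration"` // RFC 3339 timestamp
	SessionToken    string    `xml:"SessionToken"`
}

type assumeRoleWithCustomTokenResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithCustomTokenResponse"`
	Result  struct {
		Credentials stsCredentials `xml:"Credentials"`
		AssumedUser string         `xml:"AssumedUser"`
	} `xml:"AssumeRoleWithCustomTokenResult"`
	RequestId string `xml:"ResponseMetadata>RequestId"`
}

// parseResponse decodes the STS XML body and rejects a response that lacks
// credential fields, so a caller never continues with empty keys.
func parseResponse(body []byte) (*assumeRoleWithCustomTokenResponse, error) {
	var resp assumeRoleWithCustomTokenResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	c := resp.Result.Credentials
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return nil, errors.New("response is missing credential fields")
	}
	return &resp, nil
}

// remainingValidity reports how long the credentials remain usable at now and
// fails if they have already expired.
func remainingValidity(resp *assumeRoleWithCustomTokenResponse, now time.Time) (time.Duration, error) {
	left := resp.Result.Credentials.Expiration.Sub(now)
	if left <= 0 {
		return 0, errors.New("credentials have expired")
	}
	return left, nil
}

// sampleResponse is the response shown above; the session token is a
// constructed placeholder.
const sampleResponse = `<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCustomTokenResult>
    <Credentials>
      <AccessKeyId>24Y5H9VHE14H47GEOKCX</AccessKeyId>
      <SecretAccessKey>H+aBfQ9B1AeWWb++84hvp4tlFBo9aP+hUTdLFIeg</SecretAccessKey>
      <Expiration>2022-05-25T19:56:34Z</Expiration>
      <SessionToken>SESSION-TOKEN-PLACEHOLDER</SessionToken>
    </Credentials>
    <AssumedUser>custom:Alice</AssumedUser>
  </AssumeRoleWithCustomTokenResult>
  <ResponseMetadata>
    <RequestId>16F26E081E36DE63</RequestId>
  </ResponseMetadata>
</AssumeRoleWithCustomTokenResponse>`

func main() {
	u, err := buildRequestURL("http://localhost:9001", "aaa", "arn:minio:iam:::role/idmp-vGxBdLkOc8mQPU1-UQbBh-yWWVQ", 3600)
	if err != nil {
		panic(err)
	}
	fmt.Println("POST", u)

	resp, err := parseResponse([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	// Print only non-secret fields; the secret key and session token must not be logged.
	fmt.Println("assumed user:", resp.Result.AssumedUser, "access key:", resp.Result.Credentials.AccessKeyId)
	fmt.Println("effective validity (s):", effectiveValiditySeconds(3600, 1800))
}
```

The XMLName tag pins the response element to the `https://sts.amazonaws.com/doc/2011-06-15/` namespace used above, so a body with a different root element or namespace fails to decode instead of yielding an empty struct; the explicit check in parseResponse then catches a well-formed but credential-less body.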