Mc: [Proposal] Support STS based access to MinIO

Created on 14 Sep 2019  ·  5 Comments  ·  Source: minio/mc

To access MinIO via the STS API, we can add a command to mc such as:

mc sts ENDPOINT <sts-type> <sts-specific-args>

to print out access key, secret key and session token.

For example for LDAP, this could be:

mc sts ENDPOINT ldap ldapuser=myusername ldappasswd=yyy

In addition to this, we can add a mode to mc to fetch and configure MinIO/S3 aliases with STS APIs.

For example, mc config sts ldap add ALIAS URL ldapuser=xx ldappasswd=yy fetches temporary credentials via STS from the MinIO server and then configures the alias to use the returned access credentials. Now the user can make use of other mc commands to access the MinIO server.


All 5 comments

What we decided to implement was to come up with this style

mc sts ldap myminio ldap_url= ldapuser= ldappassword=
mc sts assume-role myminio username= password=
mc sts client-grants myminio client_url= client_id= client_secret=
mc sts web-identity myminio web_identity_url= (this will throw a login page by opening browser)

Now this will output "accessKey, secretKey, sessionToken" in JSON form with the --json flag, or print the environment variables users need to set to start using the session tokens, such as with AWS SDKs:

AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN

For the same tokens to be used by mc, we don't need to add them to the config by doing mc config host add, but can just tell users to leverage the environment variables.

export MC_HOST_mytemp=http://${accessKey}:${secretKey}@${url}/
export MC_HOST_SESSION_TOKEN_mytemp=${sessionToken}
mc ls mytemp

https://github.com/minio/minio/pull/8501 web-identity example is updated @balamurugana

Here are the proposed CLI changes @balamurugana

mc sts ldap myminio ldap_username="bala" ldap_password="bala123"
mc sts assume-role myminio username="foo123" password="foo12345"
mc sts client-grants myminio token_endpoint= client_id= client_secret=

Each of these examples is already present in the

web-identity is currently deferred to the future because it would require interactive WebUI and Browser so perhaps it is not needed at the moment.

and use the mc envs to make this work

export MC_HOST_mytemp=http://${accessKey}:${secretKey}@${url}/
export MC_HOST_SESSION_TOKEN_mytemp=${sessionToken}
mc ls mytemp

These are perhaps examples which are provided by the mc CLI

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

We will not be supporting this in mc.
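
An added example, not code from mc or from anyone in this thread: a Python helper that turns the JSON output described above (`accessKey`, `secretKey`, `sessionToken`) into the two export lines, shell-quoting the values and refusing keys that cannot be embedded in the URL unambiguously. The function name `mc_exports`, the endpoint and the sample credentials are constructed for illustration; `MC_HOST_SESSION_TOKEN_<alias>` is the variable as proposed in this thread.

```python
import json
import re
import shlex
from urllib.parse import urlsplit

ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # must be valid inside an env var name
AMBIGUOUS = re.compile(r"[:@\s]")                  # delimiters of user:password@host


def mc_exports(sts_json, alias, endpoint):
    """Build the thread's two export lines from STS JSON output (hypothetical helper)."""
    if not ALIAS_RE.match(alias):
        raise ValueError(f"alias {alias!r} cannot be part of an environment variable name")

    creds = json.loads(sts_json)
    if not isinstance(creds, dict):
        raise ValueError("STS output must be a JSON object")
    required = ("accessKey", "secretKey", "sessionToken")
    missing = [k for k in required if not isinstance(creds.get(k), str) or not creds[k]]
    if missing:
        raise ValueError("STS output is missing: " + ", ".join(missing))

    url = urlsplit(endpoint)
    if url.scheme not in ("http", "https") or not url.netloc or "@" in url.netloc:
        raise ValueError("endpoint must be http(s)://host[:port] with no credentials in it")

    # The thread does not say whether the reader of MC_HOST_<alias> percent-decodes
    # the credentials, so keys containing a delimiter are rejected, not encoded.
    for field in ("accessKey", "secretKey"):
        if AMBIGUOUS.search(creds[field]):
            raise ValueError(f"{field} contains ':', '@' or whitespace; cannot embed it in a URL")

    host_url = f"{url.scheme}://{creds['accessKey']}:{creds['secretKey']}@{url.netloc}/"
    # shlex.quote stops the shell from expanding '$', '&', backticks, etc. on eval.
    return [
        f"export MC_HOST_{alias}={shlex.quote(host_url)}",
        f"export MC_HOST_SESSION_TOKEN_{alias}={shlex.quote(creds['sessionToken'])}",
    ]


if __name__ == "__main__":
    # Constructed sample output; these are not real credentials.
    sample = json.dumps({
        "accessKey": "EXAMPLEACCESSKEY0001",
        "secretKey": "ex+ample/secret$key",
        "sessionToken": "eyJhbGciOi.constructed$token",
    })
    print("\n".join(mc_exports(sample, "mytemp", "https://minio.example.net:9000")))
```

Feeding the printed lines to `eval` in the current shell keeps the temporary credentials out of any config file on disk.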
