To access MinIO via the STS API, we can add a command to mc such as:
mc sts ENDPOINT <sts-type> <sts-specific-args>
to print out access key, secret key and session token.
For example, for LDAP, this could be:
mc sts ENDPOINT ldap ldapuser=myusername ldappasswd=yyy
In addition to this, we can add a mode to mc to fetch and configure MinIO/S3 aliases with STS APIs.
For example,
mc config sts ldap add ALIAS URL ldapuser=xx ldappasswd=yy
fetches temporary credentials via STS from the MinIO server and then configures the alias to use the returned access credentials. Now the user can make use of other mc commands to access the MinIO server.
What we decided to implement was to come up with this style
mc sts ldap myminio ldap_url= ldapuser= ldappassword=
mc sts assume-role myminio username= password=
mc sts client-grants myminio client_url= client_id= client_secret=
mc sts web-identity myminio web_identity_url= (this will throw a login page by opening browser)
Now this will output "accessKey, secretKey, sessionToken" in JSON form with the --json flag, or print the environment variables users need to set to start using the session tokens, such as with AWS SDKs
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
The same tokens are to be used by mc. We don't need to add it in config by doing mc config host add, but just tell users to leverage the environment variable.
export MC_HOST_mytemp=http://${accessKey}:${secretKey}@${url}/
export MC_HOST_SESSION_TOKEN_mytemp=${sessionToken}
mc ls mytemp
https://github.com/minio/minio/pull/8501 web-identity example is updated @balamurugana
Here are the proposed CLI changes @balamurugana
mc sts ldap myminio ldap_username="bala" ldap_password="bala123"
mc sts assume-role myminio username="foo123" password="foo12345"
mc sts client-grants myminio token_endpoint= client_id= client_secret=
Each of these examples is already present in the
web-identity is currently deferred to the future because it would require interactive WebUI and Browser so perhaps it is not needed at the moment.
and use the mc envs to make this work
export MC_HOST_mytemp=http://${accessKey}:${secretKey}@${url}/
export MC_HOST_SESSION_TOKEN_mytemp=${sessionToken}
mc ls mytemp
These are perhaps examples which are provided by the mc CLI
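The export step from the comments above, as an added example that is not part of the thread or of mc: a Python helper that turns the JSON credentials into the two export lines and refuses input that would produce an ambiguous URL or an unsafe shell line. The JSON field names and the MC_HOST_SESSION_TOKEN_<alias> variable follow the thread's proposal; the function name, the exact JSON shape and the sample values are assumptions constructed here.

```python
import json
import re
import shlex
from urllib.parse import urlsplit

# Field names follow the thread's description of the output
# ("accessKey, secretKey, sessionToken"); the exact JSON shape is an assumption.
REQUIRED = ("accessKey", "secretKey", "sessionToken")
ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # must be usable in an env var name
AMBIGUOUS = set(":/@?# \t\r\n")  # would change how the URL userinfo is split


def sts_exports(alias, endpoint, sts_json):
    """Return the two export lines from the thread for one set of temporary credentials."""
    if not ALIAS_RE.match(alias):
        raise ValueError("alias is not a valid environment variable suffix")
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.netloc or "@" in parts.netloc:
        raise ValueError("endpoint must be http(s)://host[:port] without credentials")
    creds = json.loads(sts_json)
    if not isinstance(creds, dict):
        raise ValueError("credentials must be a JSON object")
    for field in REQUIRED:
        value = creds.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing field: {field}")
    for field in ("accessKey", "secretKey"):
        if AMBIGUOUS & set(creds[field]):
            # Fail closed instead of emitting a URL that splits differently than intended.
            raise ValueError(f"{field} contains a character that is ambiguous in a URL")
    host_url = f"{parts.scheme}://{creds['accessKey']}:{creds['secretKey']}@{parts.netloc}/"
    # shlex.quote keeps an unusual or hostile value from being interpreted by the shell.
    return [
        f"export MC_HOST_{alias}={shlex.quote(host_url)}",
        f"export MC_HOST_SESSION_TOKEN_{alias}={shlex.quote(creds['sessionToken'])}",
    ]


# Constructed sample input, not real credentials.
SAMPLE = json.dumps({
    "accessKey": "EXAMPLEACCESSKEY0001",
    "secretKey": "exampleSecret+Key0001",
    "sessionToken": "eyJhbGciOi.constructed$(id).token",
})

if __name__ == "__main__":
    print("\n".join(sts_exports("mytemp", "http://localhost:9000", SAMPLE)))
```

The returned lines carry the secret key and session token in clear text, so they belong in the current shell's environment only, not in a file or a log.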
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.
We will not be supporting this in mc.