AssumeRoleWithCustomToken

docs/sts/custom-token-identity.md

Introduction

To integrate with custom authentication methods using the Identity Management Plugin, MinIO provides an STS API extension called AssumeRoleWithCustomToken.

After configuring the plugin, use the generated Role ARN with AssumeRoleWithCustomToken to get temporary credentials to access object storage.

API Request

To make an STS API request with this method, send a POST request to the MinIO endpoint with the following query parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| Action | String | Yes | Value must be AssumeRoleWithCustomToken |
| Version | String | Yes | Value must be 2011-06-15 |
| Token | String | Yes | Token to be authenticated by identity plugin |
| RoleArn | String | Yes | Must match the Role ARN generated for the identity plugin |
| DurationSeconds | Integer | No | Duration of validity of generated credentials. Must be at least 900. |

The validity duration of the generated STS credentials is the minimum of the DurationSeconds parameter (if passed) and the validity duration returned by the Identity Management Plugin.

API Response

The XML response for this API is similar to that of AWS STS AssumeRoleWithWebIdentity.

Example request and response

Sample request with curl:

```sh
curl -XPOST 'http://localhost:9001/?Action=AssumeRoleWithCustomToken&Version=2011-06-15&Token=aaa&RoleArn=arn:minio:iam:::role/idmp-vGxBdLkOc8mQPU1-UQbBh-yWWVQ'
```

Prettified Response:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCustomTokenResult>
    <Credentials>
      <AccessKeyId>24Y5H9VHE14H47GEOKCX</AccessKeyId>
      <SecretAccessKey>H+aBfQ9B1AeWWb++84hvp4tlFBo9aP+hUTdLFIeg</SecretAccessKey>
      <Expiration>2022-05-25T19:56:34Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiIyNFk1SDlWSEUxNEg0N0dFT0tDWCIsImV4cCI6MTY1MzUwODU5NCwiZ3JvdXBzIjpbImRhdGEtc2NpZW5jZSJdLCJwYXJlbnQiOiJjdXN0b206QWxpY2UiLCJyb2xlQXJuIjoiYXJuOm1pbmlvOmlhbTo6OnJvbGUvaWRtcC14eHgiLCJzdWIiOiJjdXN0b206QWxpY2UifQ.1tO1LmlUNXiy-wl-ZbkJLWTpaPlhaGqHehsi21lNAmAGCImHHsPb-GA4lRq6GkvHAODN5ZYCf_S-OwpOOdxFwA</SessionToken>
    </Credentials>
    <AssumedUser>custom:Alice</AssumedUser>
  </AssumeRoleWithCustomTokenResult>
  <ResponseMetadata>
    <RequestId>16F26E081E36DE63</RequestId>
  </ResponseMetadata>
</AssumeRoleWithCustomTokenResponse>
```
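
Client-side handling of the request and response described above, as an added Python example that is not part of the MinIO documentation. `build_sts_url` URL-encodes the token and enforces the 900-second minimum for DurationSeconds; `parse_sts_response` reads the namespaced XML and rejects responses with missing fields or already-expired credentials. The function names and the sample response values are assumptions made for this example.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
MIN_DURATION = 900  # lower bound for DurationSeconds from the parameter table

def build_sts_url(endpoint, token, role_arn, duration_seconds=None):
    """Build the POST URL; urlencode() escapes '+', '&', '=' inside the token."""
    params = {"Action": "AssumeRoleWithCustomToken", "Version": "2011-06-15",
              "Token": token, "RoleArn": role_arn}
    if duration_seconds is not None:
        if duration_seconds < MIN_DURATION:
            raise ValueError(f"DurationSeconds must be at least {MIN_DURATION}")
        params["DurationSeconds"] = str(duration_seconds)
    return endpoint.rstrip("/") + "/?" + urllib.parse.urlencode(params)

def parse_sts_response(xml_text, now=None):
    """Return the temporary credentials; raise on missing fields or expiry."""
    root = ET.fromstring(xml_text)
    result = "sts:AssumeRoleWithCustomTokenResult/"
    tags = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    creds = {t: root.findtext(result + "sts:Credentials/sts:" + t, namespaces=NS)
             for t in tags}
    creds["AssumedUser"] = root.findtext(result + "sts:AssumedUser", namespaces=NS)
    missing = [name for name, value in creds.items() if not value]
    if missing:
        raise ValueError(f"response is missing {missing}")
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    creds["Expiration"] = expires.replace(tzinfo=timezone.utc)
    if creds["Expiration"] <= (now or datetime.now(timezone.utc)):
        raise ValueError("credentials have already expired")
    return creds

# Constructed response with placeholder values, in the shape shown on this page.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithCustomTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithCustomTokenResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>example-secret</SecretAccessKey>
      <Expiration>2022-05-25T19:56:34Z</Expiration>
      <SessionToken>example.session.token</SessionToken>
    </Credentials>
    <AssumedUser>custom:Alice</AssumedUser>
  </AssumeRoleWithCustomTokenResult>
</AssumeRoleWithCustomTokenResponse>"""
```

The `now` argument exists so the expiry check can be exercised against the fixed timestamp in the sample; in normal use it is left unset and the current UTC time is used.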