History

Harshavardhana c9940d8c3f Final changes to config sub-system (#8600 ) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review		2019-12-04 15:32:37 -08:00
..
assume-role.md	Honor DurationSeconds properly for WebIdentity (#8581 )	2019-11-29 18:57:54 +05:30
client-grants.go	Fix LDAP responseXML to be named appropriately (#8285 )	2019-09-24 03:51:16 +05:30
client-grants.md	Final changes to config sub-system (#8600 )	2019-12-04 15:32:37 -08:00
docker-compose.yml	Fix OPA result response handling (#7763 )	2019-06-10 17:06:32 -07:00
etcd.md	Replace Minio refs in docs with MinIO and links (#7494 )	2019-04-09 11:39:42 -07:00
keycloak.md	Add client_id support for OpenID (#8579 )	2019-11-29 21:37:42 -08:00
ldap.go	Fix LDAP responseXML to be named appropriately (#8285 )	2019-09-24 03:51:16 +05:30
ldap.md	Final changes to config sub-system (#8600 )	2019-12-04 15:32:37 -08:00
opa.md	Migrate config to KV data format (#8392 )	2019-10-22 22:59:13 -07:00
putobject.rego	Fix OPA result response handling (#7763 )	2019-06-10 17:06:32 -07:00
README.md	Final changes to config sub-system (#8600 )	2019-12-04 15:32:37 -08:00
sts.env	Migrate config to KV data format (#8392 )	2019-10-22 22:59:13 -07:00
web-identity.go	Add client_id support for OpenID (#8579 )	2019-11-29 21:37:42 -08:00
web-identity.md	Final changes to config sub-system (#8600 )	2019-12-04 15:32:37 -08:00
wso2.md	Final changes to config sub-system (#8600 )	2019-12-04 15:32:37 -08:00

README.md

MinIO STS Quickstart Guide

The MinIO Security Token Service (STS) is an endpoint service that enables clients to request temporary credentials for MinIO resources. Temporary credentials work almost identically to default admin credentials, with some differences:

Temporary credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, MinIO no longer recognizes them or allows any kind of access from API requests made with them.
Temporary credentials do not need to be stored with the application but are generated dynamically and provided to the application when requested. When (or even before) the temporary credentials expire, the application can request new credentials.

Following are advantages for using temporary credentials:

Eliminates the need to embed long-term credentials with an application.
Eliminates the need to provide access to buckets and objects without having to define static credentials.
Temporary credentials have a limited lifetime, there is no need to rotate them or explicitly revoke them. Expired temporary credentials cannot be reused.

Identity Federation

AuthN	Description
Client grants	Let applications request `client_grants` using any well-known third party identity provider such as KeyCloak, WSO2. This is known as the client grants approach to temporary access. Using this approach helps clients keep MinIO credentials to be secured. MinIO STS supports client grants, tested against identity providers such as WSO2, KeyCloak.
WebIdentity	Let users request temporary credentials using any OpenID(OIDC) compatible web identity providers such as Facebook, Google etc.
AssumeRole	Let MinIO users request temporary credentials using user access and secret keys.
AD/LDAP	Let AD/LDAP users request temporary credentials using AD/LDAP username and password.

Get started

In this document we will explain in detail on how to configure all the prerequisites.

NOTE: If you are interested in AssumeRole API only, skip to here

1. Prerequisites

2. Setup MinIO with WSO2

Make sure we have followed the previous step and configured each software independently, once done we can now proceed to use MinIO STS API and MinIO server to use these credentials to perform object API operations.

export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
minio server /mnt/data

3. Setup MinIO Gateway with WSO2, ETCD

Make sure we have followed the previous step and configured each software independently, once done we can now proceed to use MinIO STS API and MinIO gateway to use these credentials to perform object API operations.

NOTE: MinIO gateway requires etcd to be configured to use STS API.

export MINIO_ACCESS_KEY=aws_access_key
export MINIO_SECRET_KEY=aws_secret_key
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
export MINIO_ETCD_ENDPOINTS=http://localhost:2379
minio gateway s3

4. Test using client-grants.go

On another terminal run client-grants.go a sample client application which obtains JWT access tokens from an identity provider, in our case its WSO2. Uses the returned access token response to get new temporary credentials from the MinIO server using the STS API call AssumeRoleWithClientGrants.

go run client-grants.go -cid PoEgXP6uVO45IsENRngDXj5Au5Ya -csec eKsw6z8CtOJVBtrOWvhRWL4TUCga

##### Credentials
{
	"accessKey": "NUIBORZYTV2HG2BMRSXR",
	"secretKey": "qQlP5O7CFPc5m5IXf1vYhuVTFj7BRVJqh0FqZ86S",
	"expiration": "2018-08-21T17:10:29-07:00",
	"sessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJOVUlCT1JaWVRWMkhHMkJNUlNYUiIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTM0ODk2NjI5LCJpYXQiOjE1MzQ4OTMwMjksImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiNjY2OTZjZTctN2U1Ny00ZjU5LWI0MWQtM2E1YTMzZGZiNjA4In0.eJONnVaSVHypiXKEARSMnSKgr-2mlC2Sr4fEGJitLcJF_at3LeNdTHv0_oHsv6ZZA3zueVGgFlVXMlREgr9LXA"
}