AssumeRoleWithWebIdentity
The MinIO Security Token Service (STS) AssumeRoleWithWebIdentity API endpoint generates temporary access credentials using a JSON Web Token (JWT) returned from a configured OpenID Identity Provider (IDP). This page documents the MinIO server AssumeRoleWithWebIdentity endpoint. For instructions on implementing STS using an S3-compatible SDK, defer to the documentation for that SDK.
The MinIO STS AssumeRoleWithWebIdentity API endpoint is modeled after the AWS AssumeRoleWithWebIdentity endpoint and shares certain request/response elements. This page documents the MinIO-specific syntax and links out to the AWS reference for all shared elements.
Request Endpoint
The AssumeRoleWithWebIdentity endpoint has the following form:
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity[&ARGS]
The following example uses all supported arguments. Replace the minio.example.net hostname with the appropriate URL for your MinIO cluster:
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86000
&Policy={}
Request Query Parameters
This endpoint supports the following query parameters:
Response Elements
The XML response for this API endpoint is similar to the AWS AssumeRoleWithWebIdentity response. Specifically, MinIO returns an AssumeRoleWithWebIdentityResult object, where the AssumedRoleUser.Credentials object contains the temporary credentials generated by MinIO:
AccessKeyId - The access key applications use for authentication.
SecretKeyId - The secret key applications use for authentication.
Expiration - The RFC3339 date and time after which the credentials expire.
SessionToken - The session token applications use for authentication. Some SDKs may require this field when using temporary credentials.
The following example is similar to the response returned by the MinIO STS AssumeRoleWithWebIdentity endpoint:
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult>
<AssumedRoleUser>
<Arn/>
<AssumeRoleId/>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
<SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
<Expiration>2019-08-08T20:26:12Z</Expiration>
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJZNFJKVTFSTkZHSzQ4TEdPOUkyUyIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTQxODExMDcxLCJpYXQiOjE1NDE4MDc0NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiYTBiMjc2MjktZWUxYS00M2JmLTg3MzktZjMzNzRhNGNkYmMwIn0.ewHqKVFTaP-j_kgZrcOEKroNUjk10GEp8bqQjxBbYVovV0nHO985VnRESFbcT6XMDDKHZiWqN2vi_ETX_u3Q-w</SessionToken>
</Credentials>
</AssumeRoleWithWebIdentityResult>
<ResponseMetadata/>
</AssumeRoleWithWebIdentityResponse>
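The request and response above, worked through as an added example that is not MinIO's own code or part of any MinIO SDK: it builds the POST URL with the documented query parameters, parses the XML response into the four credential fields, and checks the RFC3339 Expiration before the credentials are used. It assumes only the Python standard library; the SecretAccessKey and SessionToken values in the embedded sample are constructed dummies.

```python
import json
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
# Constructed sample modelled on the response above; secret and token are dummies.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <AssumedRoleUser><Arn/><AssumeRoleId/></AssumedRoleUser>
    <Credentials>
      <AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
      <SecretAccessKey>CONSTRUCTED-SECRET</SecretAccessKey>
      <Expiration>2019-08-08T20:26:12Z</Expiration>
      <SessionToken>CONSTRUCTED.SESSION.TOKEN</SessionToken>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata/>
</AssumeRoleWithWebIdentityResponse>"""

def build_request_url(endpoint, jwt, duration_seconds=3600, policy=None):
    """Build the POST URL: every argument, the JWT included, is a query parameter."""
    params = {"Action": "AssumeRoleWithWebIdentity", "WebIdentityToken": jwt,
              "Version": "2011-06-15", "DurationSeconds": str(duration_seconds)}
    if policy is not None:  # optional inline session policy, sent as compact JSON
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    return endpoint.rstrip("/") + "?" + urllib.parse.urlencode(params)

def parse_credentials(xml_bytes):
    """Extract the temporary credentials; fail loudly if any element is absent.
    Expiration is converted from its RFC3339 'Z' form to an aware UTC datetime."""
    root = ET.fromstring(xml_bytes)
    creds = root.find(f"{NS}AssumeRoleWithWebIdentityResult/{NS}Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    fields = {}
    for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        el = creds.find(NS + tag)
        if el is None or not el.text:
            raise ValueError(f"STS response is missing {tag}")
        fields[tag] = el.text
    fields["Expiration"] = datetime.fromisoformat(fields["Expiration"].replace("Z", "+00:00"))
    return fields

def is_expired(creds, now=None):
    """True once Expiration has passed; a client should refresh before then."""
    return (now or datetime.now(timezone.utc)) >= creds["Expiration"]
```

Against a live server the call is a POST to the URL from build_request_url (for example with urllib.request.urlopen) whose response body is handed to parse_credentials; the SessionToken must be sent alongside the access and secret keys on every signed request.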
Error Elements
The XML error response for this API endpoint is similar to the AWS AssumeRoleWithWebIdentity response.