AssumeRole
The MinIO AIStor Security Token Service (STS) AssumeRole API endpoint generates temporary access credentials from the access key and secret key of an existing built-in user.
This page documents the AIStor Server AssumeRole endpoint.
For instructions on implementing STS using an S3-compatible SDK, refer to the documentation for that SDK.
Use AssumeRole to obtain temporary credentials scoped to a built-in user without distributing that user's long-lived access key and secret key to the application.
The permissions of the returned credentials are inherited from the policies attached to the built-in user, and can be narrowed further, but never widened, with an inline session policy.
Keep DurationSeconds as short as the workload allows: the credentials can be made valid for up to 365 days, at which point they are effectively long-lived keys.
The MinIO AIStor STS AssumeRole API endpoint is modeled after the AWS AssumeRole endpoint and shares certain request/response elements.
This page documents the AIStor-specific syntax and links out to the AWS reference for all shared elements.
Request endpoint
The AssumeRole endpoint has the following form:
POST https://aistor.example.net?Action=AssumeRole[&ARGS]
The following example uses all supported arguments.
Replace the aistor.example.net hostname with the appropriate URL for your AIStor Server:
POST https://aistor.example.net?Action=AssumeRole
&Version=2011-06-15
&DurationSeconds=3600
&Policy={}
&AUTHPARAMS
Request query parameters
This endpoint supports the following query parameters:
| Parameter | Type | Description |
|---|---|---|
| Version | string | Required. Specify 2011-06-15. |
| AUTHPARAMS | string | Required. The AWS Signature Version 4 authorization information, signed with the access key and secret key of the built-in user. See the AWS Signature Version 4 reference for more information. |
| DurationSeconds | integer | Optional. The number of seconds after which the temporary credentials expire. Defaults to 3600. The minimum value is 900 (15 minutes); the maximum value is 31536000 (365 days). |
| Policy | string | Optional. A URL-encoded, JSON-formatted policy to use as an inline session policy. The minimum string length is 1; the maximum string length is 2048. The resulting permissions for the temporary credentials are the intersection of the policies attached to the built-in user and the specified inline policy: the inline policy cannot grant more permissions than those already allowed by the user's assigned policies. Omit to use only the policies attached to the built-in user. |
| TokenRevokeType | string | Optional. A label assigned to the generated token that allows the token's access to be revoked prior to expiration. A user may have a maximum of 100 unique token revocation types at any time. A token revocation type can be assigned to multiple tokens. |
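The intersection rule for the Policy parameter is the security-relevant property of this endpoint, so the following added example (written for this page, not code from the MinIO AIStor project) models it with a simplified IAM-style evaluator: explicit Deny wins, a matching Allow permits, everything else is implicitly denied, and the session credentials are permitted only when both the user's policies and the session policy allow the request. Conditions, NotAction and NotResource are not modelled. The user policies and the narrow session policy are constructed samples; the broad session policy is the one from the AWS CLI example on this page.

```python
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    # IAM-style wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatch also treats '[...]' as a character class; ARNs and actions do not use it.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action: str, resource: str) -> bool:
    """Evaluate a list of policy documents for one action on one resource.

    Simplified semantics: an explicit Deny in any statement wins, otherwise any
    matching Allow permits, otherwise the request is implicitly denied.
    Action names compare case-insensitively, resources case-sensitively.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not any(_matches(a, action, False) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def session_is_allowed(user_policies, session_policy, action: str, resource: str) -> bool:
    """Effective permission of AssumeRole credentials: user policies AND session policy."""
    if not is_allowed(user_policies, action, resource):
        return False  # the session policy can never add what the user lacks
    if session_policy is None:
        return True  # no Policy parameter: the user's policies apply unchanged
    return is_allowed([session_policy], action, resource)


def policy_parameter(policy: dict) -> str:
    """Serialise a session policy compactly for the Policy parameter (1..2048 chars before URL encoding)."""
    text = json.dumps(policy, separators=(",", ":"))
    if not 1 <= len(text) <= 2048:
        raise ValueError(f"session policy is {len(text)} chars; the limit is 2048")
    return text


# Constructed sample: the built-in user may only read one bucket.
USER_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::data", "arn:aws:s3:::data/*"],
    }],
}]

# The permissive session policy from the AWS CLI example on this page.
BROAD_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Stmt1", "Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::*"}],
}

# Constructed sample: a narrower session policy, read-only on one prefix.
NARROW_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::data/public/*"}],
}

if __name__ == "__main__":
    checks = [
        (BROAD_SESSION_POLICY, "s3:GetObject", "arn:aws:s3:::data/report.csv"),
        (BROAD_SESSION_POLICY, "s3:PutObject", "arn:aws:s3:::data/report.csv"),
        (NARROW_SESSION_POLICY, "s3:GetObject", "arn:aws:s3:::data/private/a.txt"),
        (None, "s3:ListBucket", "arn:aws:s3:::data"),
    ]
    for session_policy, action, resource in checks:
        print(action, resource, session_is_allowed(USER_POLICIES, session_policy, action, resource))
    print("Policy=", policy_parameter(NARROW_SESSION_POLICY))
```

Note that the broad session policy (s3:* on every bucket) yields exactly the user's own permissions and nothing more, which is why the CLI example on this page is safe to run even though it looks permissive.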
Response elements
The XML response for this API endpoint is similar to the AWS AssumeRole response.
Specifically, MinIO AIStor returns an AssumeRoleResult object, where the Credentials object contains the temporary credentials generated by MinIO AIStor:
- AccessKeyId: the access key applications use for authentication.
- SecretAccessKey: the secret key applications use for authentication.
- Expiration: the ISO-8601 date-time after which the credentials expire.
- SessionToken: the session token applications use for authentication. Some SDKs may require this field when using temporary credentials.
The following example is similar to the response returned by the MinIO AIStor STS AssumeRole endpoint:
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<AssumedRoleUser>
<Arn/>
<AssumeRoleId/>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
<SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
<Expiration>2019-08-08T20:26:12Z</Expiration>
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJZNFJKVTFSTkZHSzQ4TEdPOUkyUyIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTQxODExMDcxLCJpYXQiOjE1NDE4MDc0NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiYTBiMjc2MjktZWUxYS00M2JmLTg3MzktZjMzNzRhNGNkYmMwIn0.ewHqKVFTaP-j_kgZrcOEKroNUjk10GEp8bqQjxBbYVovV0nHO985VnRESFbcT6XMDDKHZiWqN2vi_ETX_u3Q-w</SessionToken>
</Credentials>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
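The request form above and the response shown here are tied together in the following added example, which is not code from the MinIO AIStor project or any SDK. Using only the Python standard library it signs an AssumeRole request with AWS Signature Version 4 (the AUTHPARAMS element) and then parses the Credentials block of the XML response, rejecting a response that lacks any of the four fields. It assumes the parameters travel in the query string with an empty POST body (so the payload hash is SHA-256 of zero bytes), that the signing region is us-east-1, and that the host aistor.example.net and the keys minioadmin/minioadmin are placeholders; the embedded response is a constructed sample modelled on the one above, with a shortened session token.

```python
import datetime as dt
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import quote

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def build_assume_role_request(host, access_key, secret_key, now, duration_seconds=3600,
                              policy_json=None, token_revoke_type=None, region="us-east-1"):
    """Return method, URL and headers of a SigV4-signed AssumeRole call (query-string form).

    Assumptions of this example: empty POST body, region "us-east-1", and a
    caller that has already checked the Policy length limit.
    """
    if not 900 <= duration_seconds <= 31536000:
        raise ValueError("DurationSeconds must be between 900 and 31536000")
    params = {"Action": "AssumeRole", "Version": "2011-06-15",
              "DurationSeconds": str(duration_seconds)}
    if policy_json is not None:
        params["Policy"] = policy_json
    if token_revoke_type:
        params["TokenRevokeType"] = token_revoke_type

    # Canonical query string: parameters sorted by name, RFC 3986 percent-encoded
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # empty body
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join(
        ["POST", "/", canonical_qs, canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, "sts"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"method": "POST", "url": f"https://{host}/?{canonical_qs}",
            "headers": {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}}


def parse_assume_role_response(xml_text: str) -> dict:
    """Extract the Credentials block; every one of the four fields must be present."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    creds = root.find(f"{STS_NS}AssumeRoleResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response has no Credentials element")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        node = creds.find(STS_NS + field)
        if node is None or not node.text:
            raise ValueError(f"missing {field} in Credentials")
        out[field] = node.text.strip()
    out["Expiration"] = dt.datetime.strptime(
        out["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    return out


def seconds_until_expiry(creds: dict, now: dt.datetime) -> float:
    """Positive while the credentials are usable; refresh well before it reaches zero."""
    return (creds["Expiration"] - now).total_seconds()


# Constructed sample modelled on the response above (session token shortened).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <AssumedRoleUser><Arn/><AssumeRoleId/></AssumedRoleUser>
    <Credentials>
      <AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
      <SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
      <Expiration>2019-08-08T20:26:12Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.shortened.for-the-example</SessionToken>
    </Credentials>
  </AssumeRoleResult>
  <ResponseMetadata><RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId></ResponseMetadata>
</AssumeRoleResponse>"""

# Fixed clock one hour before the sample Expiration, so the example is deterministic.
SAMPLE_NOW = dt.datetime(2019, 8, 8, 19, 26, 12, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    req = build_assume_role_request("aistor.example.net", "minioadmin", "minioadmin", SAMPLE_NOW,
                                    policy_json='{"Version":"2012-10-17","Statement":[]}',
                                    token_revoke_type="ci-batch-42")
    print(req["url"])
    print(req["headers"]["Authorization"])
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print(creds["AccessKeyId"], "expires in", seconds_until_expiry(creds, SAMPLE_NOW), "s")
```

The signed headers cover only host and x-amz-date; the parameters themselves are protected because the canonical query string is part of the canonical request, so tampering with DurationSeconds or Policy in transit invalidates the signature.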
Error elements
The XML error response for this API endpoint is similar to the AWS AssumeRole response.
Example using the AWS CLI
You can test the AssumeRole endpoint using the AWS CLI sts assume-role command with the access key and secret key of a built-in user; in the example below, the myuser profile holds those keys.
The --role-arn and --role-session-name arguments are required by the AWS CLI but are not meaningful for MinIO AIStor.
Set them to any value that satisfies the command-line requirements.
aws --profile myuser --endpoint-url https://aistor.example.net \
sts assume-role \
--policy '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}' \
--role-arn arn:xxx:xxx:xxx:xxxx \
--role-session-name anything
The command returns a JSON object containing the temporary AccessKeyId, SecretAccessKey, SessionToken, and Expiration. Supply all three credential values together (for example as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN) when making subsequent S3 requests with them.