AssumeRoleWithClientGrants

The MinIO AIStor Security Token Service (STS) AssumeRoleWithClientGrants API endpoint generates temporary access credentials for applications authenticated through an OAuth 2.0 client credentials grant issued by a configured OpenID Connect Identity Provider (IDP), such as Keycloak or Okta. This page documents the AIStor Server AssumeRoleWithClientGrants endpoint. For instructions on implementing STS using an S3-compatible SDK, refer to the documentation for that SDK.

Calling AssumeRoleWithClientGrants does not require AIStor Server credentials. The identity of the caller is validated using a JWT access token obtained from the identity provider, so client applications can request temporary credentials without embedding AIStor Server credentials.

The MinIO AIStor STS AssumeRoleWithClientGrants API endpoint shares certain request/response elements with the AWS AssumeRoleWithWebIdentity endpoint. This page documents the AIStor-specific syntax and links out to the AWS reference for all shared elements.

Request endpoint

The AssumeRoleWithClientGrants endpoint has the following form:

POST https://aistor.example.net?Action=AssumeRoleWithClientGrants[&ARGS]

The following example uses all supported arguments. Replace the aistor.example.net hostname with the appropriate URL for your AIStor Server:

POST https://aistor.example.net?Action=AssumeRoleWithClientGrants
&Token=TOKEN
&Version=2011-06-15
&DurationSeconds=3600
&Policy={}

Request query parameters

This endpoint supports the following query parameters:

Token (string) - Required

Specify the OAuth 2.0 access token obtained from the identity provider through a client credentials grant. The application must obtain this token before making the AssumeRoleWithClientGrants call.

- The minimum string length is 4.
- The maximum string length is 2048.

Version (string) - Required

Specify 2011-06-15.

DurationSeconds (integer) - Optional

Specify the number of seconds after which the temporary credentials expire. Defaults to 3600.

- The minimum value is 900 (15 minutes).
- The maximum value is 31536000 (365 days).

If DurationSeconds is omitted, AIStor derives the expiry from the Token instead of using the default duration.

Policy (string) - Optional

Specify the URL-encoded JSON-formatted policy to use as an inline session policy.

- The minimum string length is 1.
- The maximum string length is 2048.

The resulting permissions for the temporary credentials are the intersection between the policy associated with the assumed identity and the specified inline policy. The inline policy cannot grant more permissions than those already allowed.

Omit to use only the policy associated with the assumed identity.

Response elements

The XML response for this API endpoint is similar to the AWS AssumeRoleWithWebIdentity response. Specifically, MinIO AIStor returns an AssumeRoleWithClientGrantsResult object, where the Credentials object contains the temporary credentials generated by MinIO AIStor:

  • AccessKeyId - The access key applications use for authentication.
  • SecretAccessKey - The secret key applications use for authentication.
  • Expiration - The ISO-8601 date-time after which the credentials expire.
  • SessionToken - The session token applications use for authentication. Some SDKs may require this field when using temporary credentials.

The following example is similar to the response returned by the MinIO AIStor STS AssumeRoleWithClientGrants endpoint:

<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithClientGrantsResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithClientGrantsResult>
    <AssumedRoleUser>
      <Arn/>
      <AssumeRoleId/>
    </AssumedRoleUser>
    <Credentials>
      <AccessKeyId>Y4RJU1RNFGK48LGO9I2S</AccessKeyId>
      <SecretAccessKey>sYLRKS1Z7hSjluf6gEbb9066hnx315wHTiACPAjg</SecretAccessKey>
      <Expiration>2019-08-08T20:26:12Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJZNFJKVTFSTkZHSzQ4TEdPOUkyUyIsImF1ZCI6IlBvRWdYUDZ1Vk80NUlzRU5SbmdEWGo1QXU1WWEiLCJhenAiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiZXhwIjoxNTQxODExMDcxLCJpYXQiOjE1NDE4MDc0NzEsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIiwianRpIjoiYTBiMjc2MjktZWUxYS00M2JmLTg3MzktZjMzNzRhNGNkYmMwIn0.ewHqKVFTaP-j_kgZrcOEKroNUjk10GEp8bqQjxBbYVovV0nHO985VnRESFbcT6XMDDKHZiWqN2vi_ETX_u3Q-w</SessionToken>
    </Credentials>
  </AssumeRoleWithClientGrantsResult>
  <ResponseMetadata/>
</AssumeRoleWithClientGrantsResponse>
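The following added example (standard-library Python, not MinIO's own client code) ties the request parameters above to the response format: it builds the AssumeRoleWithClientGrants URL while enforcing the documented Token, DurationSeconds and Policy bounds, percent-encodes a narrowing inline session policy, and parses the Credentials element out of an STS response. The endpoint hostname, the policy contents and the sample response values are constructed assumptions.

```python
"""Build an AssumeRoleWithClientGrants request and parse its response.

Added example using only the Python standard library; it is not MinIO's
own code. The hostname, policy and SAMPLE_RESPONSE values are constructed.
"""
from __future__ import annotations
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Hypothetical inline session policy: it can only narrow the identity's
# policy (intersection), so scoping to one prefix is a safe default.
READ_ONLY_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::reports/2024/*"]}],
}

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithClientGrantsResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithClientGrantsResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEYID00</AccessKeyId>
      <SecretAccessKey>ExampleSecretKeyNotReal000000000000000000</SecretAccessKey>
      <Expiration>2019-08-08T20:26:12Z</Expiration>
      <SessionToken>constructed.session.token</SessionToken>
    </Credentials>
  </AssumeRoleWithClientGrantsResult>
</AssumeRoleWithClientGrantsResponse>"""


def build_request(endpoint: str, token: str, duration: int | None = None,
                  policy: dict | None = None) -> str:
    """Return the POST URL, rejecting values outside the documented bounds."""
    if not 4 <= len(token) <= 2048:
        raise ValueError("Token must be 4..2048 characters")
    params = {"Action": "AssumeRoleWithClientGrants", "Token": token,
              "Version": "2011-06-15"}
    if duration is not None:
        if not 900 <= duration <= 31536000:
            raise ValueError("DurationSeconds must be 900..31536000")
        params["DurationSeconds"] = str(duration)
    if policy is not None:
        encoded = json.dumps(policy, separators=(",", ":"))
        if not 1 <= len(encoded) <= 2048:
            raise ValueError("Policy must be 1..2048 characters")
        params["Policy"] = encoded  # urlencode percent-encodes the JSON
    return f"{endpoint}?{urlencode(params)}"


def parse_credentials(xml_body: str) -> dict:
    """Extract AccessKeyId, SecretAccessKey, Expiration and SessionToken."""
    root = ET.fromstring(xml_body)
    creds = root.find(f"{STS_NS}AssumeRoleWithClientGrantsResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response has no Credentials element")
    return {child.tag.removeprefix(STS_NS): child.text for child in creds}
```

Send the returned URL as an HTTPS POST with the identity provider's access token; the Token travels in the query string, so it must never be sent over plain HTTP.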

Error elements

The XML error response for this API endpoint is similar to the AWS AssumeRoleWithWebIdentity response.