Security Token Service

The AIStor Security Token Service (STS) APIs allow applications to generate temporary credentials for accessing the AIStor Server.

The STS API is required for AIStor Servers configured to use external identity managers, as the API allows conversion of the external IDP credentials into AWS Signature v4-compatible credentials.

STS API endpoints

AIStor supports the following STS API endpoints:

| Endpoint | Supported IDP | Description |
| --- | --- | --- |
| AssumeRoleWithWebIdentity | OpenID Connect | Generates an access key and secret key using the JWT token returned by the OIDC provider. |
| AssumeRoleWithLDAPIdentity | Active Directory / LDAP | Generates an access key and secret key using the AD/LDAP credentials specified to the API endpoint. |
| AssumeRoleWithCustomToken | Identity Plugin | Generates a token for use with an external identity provider and the Identity Plugin. |

The following STS API endpoints are available for AIStor Object Store RELEASE.2025-03-27T23-09-45Z or later.

| Endpoint | Supported IDP | Description |
| --- | --- | --- |
| revoke-tokens/internal | AIStor Managed STS Identities | Removes STS tokens for users managed by AIStor identity management. You can limit the operation to certain STS tokens by specifying the tokenRevokeType metadata of the token(s) to delete. |
| revoke-tokens/ldap | LDAP Managed STS Identities | Removes STS tokens for users managed by an external LDAP server. You can limit the operation to certain STS tokens by specifying the tokenRevokeType metadata of the token(s) to delete. |

STS settings

AIStor provides environment variables to configure STS behavior, including token duration, TLS requirements, and token revocation. See STS Settings for the complete list of configuration options.

STS security

Because STS requests and responses carry credentials, AWS requires that STS requests be sent over HTTPS.

Starting with RELEASE.2025-02-06T18-14-59Z, AIStor allows you to enforce STS generation and exchanges over HTTPS. To enable this, set the MINIO_STS_SECURE environment variable to on.

Token revocation

AIStor supports revoking STS tokens before their expiration. This feature requires enabling the MINIO_STS_TOKEN_REVOKE environment variable.

Token revocation invalidates tokens based on their creation time. When you revoke tokens, all matching tokens created before the revocation request become invalid. Because STS tokens are not persisted on the server, revocation works by recording the revocation time and rejecting tokens issued before that time.

Token revoke types

When creating STS tokens, you can assign a TokenRevokeType to categorize tokens for selective revocation. Add the TokenRevokeType query parameter to any AssumeRole request:

POST /?Action=AssumeRole&TokenRevokeType=my-app-1&Version=2011-06-15&AUTHPARAMS

This allows you to revoke only tokens of a specific type rather than all tokens for a user. Each user can have up to 100 unique token revoke types at a time. Token revoke type slots are freed when all tokens of that type expire.

Revocation commands

The following table summarizes token revocation capabilities by identity provider:

| Identity Provider | Self-Revoke | Admin Revoke | Command Reference |
| --- | --- | --- | --- |
| Built-in | Yes | Yes | mc admin accesskey sts-revoke |
| LDAP | Yes | Yes | mc idp ldap accesskey sts-revoke |
| OpenID Connect | Yes | No | mc admin accesskey sts-revoke with --self |

Admin-initiated revocation of another OpenID user’s tokens is not currently supported. OpenID users must self-revoke their tokens; otherwise the tokens remain valid until they expire based on the configured MINIO_STS_DURATION.

Revocation requirements

All revocation operations require:

  • The MINIO_STS_TOKEN_REVOKE environment variable set to on
  • Either --all or --token-type TYPE specified (exactly one required)
  • For admin-initiated revocation: RemoveServiceAccountAdminAction permission
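The revocation semantics described above (creation-time cutoffs rather than stored tokens, selective revocation by TokenRevokeType, the exactly-one-of --all/--token-type rule, and the per-user limit of 100 revoke types) can be modelled offline. The following is an added example written for this page, not AIStor's own code; the RevocationStore class, its method names and the integer Unix-second timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_REVOKE_TYPES = 100  # per-user limit of unique TokenRevokeType values stated on the page


@dataclass
class Token:
    user: str
    issued_at: int                     # Unix seconds (constructed sample values in tests)
    expires_at: int
    revoke_type: Optional[str] = None  # value of the TokenRevokeType query parameter


@dataclass
class RevocationStore:
    """Hypothetical model: tokens are not persisted; only revocation times are recorded."""
    all_since: Dict[str, int] = field(default_factory=dict)                # user -> --all cutoff
    type_since: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (user, type) -> cutoff
    issued: List[Token] = field(default_factory=list)                      # only used to count type slots

    def live_types(self, user: str, now: int) -> Set[str]:
        # A revoke-type slot is occupied while any unexpired token of that type exists.
        return {t.revoke_type for t in self.issued
                if t.user == user and t.revoke_type and t.expires_at > now}

    def issue(self, user: str, now: int, ttl: int, revoke_type: Optional[str] = None) -> Token:
        live = self.live_types(user, now)
        if revoke_type and revoke_type not in live and len(live) >= MAX_REVOKE_TYPES:
            raise ValueError("user already has 100 active token revoke types")
        tok = Token(user, now, now + ttl, revoke_type)
        self.issued.append(tok)
        return tok

    def revoke(self, user: str, now: int, token_type: Optional[str] = None,
               all_tokens: bool = False) -> None:
        # Mirrors the CLI rule: exactly one of --all or --token-type TYPE.
        if all_tokens == (token_type is not None):
            raise ValueError("specify exactly one of --all or --token-type")
        if all_tokens:
            self.all_since[user] = now
        else:
            self.type_since[(user, token_type)] = now

    def is_valid(self, tok: Token, now: int) -> bool:
        if now >= tok.expires_at:
            return False
        for cutoff in (self.all_since.get(tok.user),
                       self.type_since.get((tok.user, tok.revoke_type))):
            # Any token created before the matching revocation request is rejected.
            if cutoff is not None and tok.issued_at < cutoff:
                return False
        return True
```

Tokens issued after a revocation cutoff stay valid, which is why a revoke does not block a user from obtaining fresh credentials.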