Security Token Service
The AIStor Security Token Service (STS) APIs allow applications to generate temporary credentials for accessing the AIStor Server.
The STS API is required for AIStor Servers configured to use external identity managers, as the API allows conversion of the external IDP credentials into AWS Signature v4-compatible credentials.
STS API endpoints
AIStor supports the following STS API endpoints:
| Endpoint | Supported IDP | Description |
|---|---|---|
| AssumeRoleWithWebIdentity | OpenID Connect | Generates an access key and secret key using the JWT returned by the OIDC provider. |
| AssumeRoleWithLDAPIdentity | Active Directory / LDAP | Generates an access key and secret key using the AD/LDAP username and password supplied in the request. |
| AssumeRoleWithCustomToken | Identity Plugin | Generates an access key and secret key from an opaque token that AIStor validates through the Identity Plugin against the external identity provider. |
The following STS API endpoints are available for AIStor Object Store RELEASE.2025-03-27T23-09-45Z or later.
| Endpoint | Supported IDP | Description |
|---|---|---|
| revoke-tokens/internal | AIStor Managed STS Identities | Removes STS tokens for users managed by AIStor identity management. You can limit revocation to certain STS tokens by specifying the tokenRevokeType metadata of the token(s) to delete. |
| revoke-tokens/ldap | LDAP Managed STS Identities | Removes STS tokens for users managed by an external LDAP server. You can limit revocation to certain STS tokens by specifying the tokenRevokeType metadata of the token(s) to delete. |
STS security
Because STS requests carry credentials in the request body (an OIDC JWT, an LDAP username and password, or a plugin token), AWS requires that STS requests be sent over HTTPS.
Starting with RELEASE.2025-02-06T18-14-59Z, AIStor allows you to enforce that STS credential generation and exchanges happen only over HTTPS. To enable this, set the MINIO_STS_SECURE environment variable to true.
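As an added example (not AIStor's or MinIO's own code), the following Python client builds the form bodies for the three STS actions in the endpoint table above, parses the XML that a successful or failed exchange returns, and refuses plaintext HTTP on the client side, which is the same property MINIO_STS_SECURE=true enforces on the server. The form parameter names (Action, Version, WebIdentityToken, LDAPUsername, LDAPPassword, Token, DurationSeconds, Policy) follow the AWS STS query API that AIStor implements; the function names, the sample response and the sample error are constructed for this example, not captured from a server.

```python
# Added example (not AIStor's own code): build, send and parse STS exchanges,
# refusing plaintext HTTP the way MINIO_STS_SECURE=true does on the server side.
# Runs offline against a constructed sample response.
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse

STS_VERSION = "2011-06-15"  # AWS STS API version the AIStor STS handlers expect


class STSError(Exception):
    """Transport-policy violation or an <ErrorResponse> from the server."""


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    session_token: str
    expiration: str  # RFC 3339 timestamp as returned by the server


def sts_url(server, require_https=True):
    """Return the STS endpoint (the server root) after checking the transport.

    With require_https=True a plain-http server URL is rejected client-side:
    the request body carries a JWT, an LDAP password or a plugin token.
    """
    u = urlparse(server)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise STSError(f"not a server URL: {server!r}")
    if require_https and u.scheme != "https":
        raise STSError(f"refusing to send STS credentials over {u.scheme}://")
    return f"{u.scheme}://{u.netloc}/"


def _form(action, duration, extra, policy=None):
    params = {"Action": action, "Version": STS_VERSION, "DurationSeconds": str(duration)}
    params.update(extra)
    if policy is not None:
        params["Policy"] = policy  # inline session policy; can only narrow the user's rights
    return urlencode(params)


def web_identity_request(jwt, duration=3600, policy=None):
    return _form("AssumeRoleWithWebIdentity", duration, {"WebIdentityToken": jwt}, policy)


def ldap_identity_request(username, password, duration=3600, policy=None):
    return _form("AssumeRoleWithLDAPIdentity", duration,
                 {"LDAPUsername": username, "LDAPPassword": password}, policy)


def custom_token_request(token, duration=3600):
    return _form("AssumeRoleWithCustomToken", duration, {"Token": token})


def parse_sts_response(xml_text):
    """Extract Credentials from a success response; raise STSError on <ErrorResponse>."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip the xmlns prefix so lookups stay simple
        el.tag = el.tag.rsplit("}", 1)[-1]
    if root.tag == "ErrorResponse":
        err = root.find("Error")
        code = err.findtext("Code", "") if err is not None else ""
        msg = err.findtext("Message", "") if err is not None else ""
        raise STSError(f"{code}: {msg}")
    creds = root.find(".//Credentials")
    if creds is None:
        raise STSError("response has no Credentials element")
    values = [creds.findtext(f) for f in
              ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")]
    if any(v is None for v in values):
        raise STSError("Credentials element is incomplete")
    return Credentials(*values)


def assume_role(server, form_body, require_https=True):
    """POST the form to the STS endpoint and return temporary Credentials."""
    req = urllib.request.Request(
        sts_url(server, require_https), data=form_body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_response(resp.read().decode())


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>examplesecretkey</SecretAccessKey>
      <SessionToken>eyJhbGciOiJIUzUxMiJ9.example.session</SessionToken>
      <Expiration>2025-03-28T10:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

# Constructed sample error response.
SAMPLE_ERROR = """<ErrorResponse><Error><Code>InvalidParameterValue</Code>
<Message>Invalid token</Message></Error></ErrorResponse>"""

if __name__ == "__main__":
    print(web_identity_request("eyJ.example.jwt", duration=900))
    print(parse_sts_response(SAMPLE_RESPONSE))
```

To use it against a server, call `assume_role("https://minio.example:9000", ldap_identity_request("alice", "secret"))` and hand the returned access key, secret key and session token to any AWS Signature v4 client. Keep `require_https=True` in production: turning it off sends the password or JWT in clear text, which is exactly what MINIO_STS_SECURE=true exists to prevent on the server side.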