STS Settings

This page documents settings for configuring Security Token Service (STS) behavior in MinIO AIStor. STS provides temporary security credentials for users authenticated through external identity providers such as OpenID Connect or LDAP.

You can establish or modify these settings by defining environment variables on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable.

These settings are environment variables only and do not have corresponding mc admin config settings.

Each configuration setting controls fundamental MinIO AIStor behavior and functionality. MinIO AIStor strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying them to production.

Example

export MINIO_STS_DURATION=1h
export MINIO_STS_SECURE=on
export MINIO_STS_RATE_LIMIT_PER_IP=10
export MINIO_STS_RATE_LIMIT_PER_LDAP_USER=5
export MINIO_STS_RATE_LIMIT_GLOBAL=50

Settings

Duration

Optional

MINIO_STS_DURATION

The default lifetime for STS tokens issued by MinIO AIStor. Specify as a Go duration string such as 1h, 30m, 24h, or 1h30m. This value applies when no explicit DurationSeconds parameter is provided in the STS request.

  • Valid Range: 15m (15 minutes) to 8760h (365 days)
  • Default: 1h (1 hour)

For example, to set the default STS token duration to 8 hours:

export MINIO_STS_DURATION=8h

To set the default STS token duration to 24 hours:

export MINIO_STS_DURATION=24h

Secure

Optional

MINIO_STS_SECURE

Require TLS for all STS operations. When enabled, STS endpoints only accept requests over HTTPS connections.

  • Valid Values: on, off
  • Default: off

MinIO AIStor recommends enabling this setting in production environments to ensure STS operations occur over encrypted connections.

export MINIO_STS_SECURE=on

Token Revoke

Optional

MINIO_STS_TOKEN_REVOKE

Enable the STS token revocation feature. When enabled, administrators can revoke issued STS tokens before their expiration.

  • Valid Values: on, off
  • Default: off

export MINIO_STS_TOKEN_REVOKE=on

See Token revocation for usage instructions and mc commands.

Strict Expiration

Optional

MINIO_STS_STRICT_EXPIRATION

Control how MinIO AIStor enforces STS token expiration.

  • Valid Values: on, off
  • Default: on

When enabled (default), MinIO AIStor enforces strict token expiration based on the configured duration. When disabled, JWT token expiration claims may override the minimum or maximum allowed STS duration.

Keep this setting enabled unless your authentication workflow requires JWT claim-driven expiration.

export MINIO_STS_STRICT_EXPIRATION=on

Rate Limiting

MinIO AIStor supports rate limiting STS endpoints to protect upstream identity providers from overload and prevent brute-force authentication attacks.

Rate Limit Per IP

Optional

MINIO_STS_RATE_LIMIT_PER_IP

The maximum number of STS requests per second allowed from a single source IP address on each node. This prevents a single source from flooding the STS endpoint, which could otherwise cascade into account lockouts at the upstream identity provider.

  • Valid Values: Non-negative integer (requests per second)
  • Default: 10
  • Special Value: 0 disables per-IP rate limiting

export MINIO_STS_RATE_LIMIT_PER_IP=10

Rate Limit Per LDAP User

Optional

MINIO_STS_RATE_LIMIT_PER_LDAP_USER

The maximum number of STS requests per second allowed for a specific LDAP user on each node. This prevents distributed attackers (many IPs) from locking out a specific LDAP user account by rate limiting based on the target username.

This setting applies only to LDAP-based STS authentication. LDAP is the only STS method where the username is sent as a plaintext parameter. Other methods (WebIdentity, ClientGrants, Certificate) use JWTs or certificates where brute-force is not a practical concern.

  • Valid Values: Non-negative integer (requests per second)
  • Default: 5
  • Special Value: 0 disables per-LDAP-user rate limiting

export MINIO_STS_RATE_LIMIT_PER_LDAP_USER=5

Rate Limit Global

Optional

MINIO_STS_RATE_LIMIT_GLOBAL

The maximum number of total STS requests per second allowed on each node, across all IPs and users. This sets a ceiling on total STS authentication throughput per node, protecting upstream identity providers from overload.

  • Valid Values: Non-negative integer (requests per second)
  • Default: 50
  • Special Value: 0 disables global rate limiting

export MINIO_STS_RATE_LIMIT_GLOBAL=50
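The following is an added illustration, not MinIO's own limiter code: a simplified fixed-window model of how the three limits above (per IP, per LDAP user, global) layer on one node, replayed over constructed sample traffic. It assumes a one-second window and the STS action names AssumeRoleWithLDAPIdentity and AssumeRoleWithWebIdentity; the real implementation may use a different algorithm.

```python
import os
from collections import Counter, defaultdict

# Limits are read from the env vars this page documents; defaults match the page, 0 disables a limit.
PER_IP = int(os.environ.get("MINIO_STS_RATE_LIMIT_PER_IP", "10"))
PER_LDAP_USER = int(os.environ.get("MINIO_STS_RATE_LIMIT_PER_LDAP_USER", "5"))
GLOBAL = int(os.environ.get("MINIO_STS_RATE_LIMIT_GLOBAL", "50"))

class StsRateModel:
    """Illustrative fixed-window (one second) model of the three STS limits on one node; not MinIO's limiter."""

    def __init__(self, per_ip=PER_IP, per_ldap_user=PER_LDAP_USER, global_limit=GLOBAL):
        self.per_ip, self.per_ldap_user, self.global_limit = per_ip, per_ldap_user, global_limit
        self.window = None               # current one-second window
        self.by_ip = defaultdict(int)    # requests this window per source IP
        self.by_user = defaultdict(int)  # LDAP STS requests this window per username
        self.total = 0

    def allow(self, ts, ip, action, ldap_user=None):
        """Return 'allowed', or the name of the limit that rejected the request."""
        sec = int(ts)
        if sec != self.window:           # new second: reset all counters
            self.window, self.total = sec, 0
            self.by_ip.clear()
            self.by_user.clear()
        is_ldap = action == "AssumeRoleWithLDAPIdentity" and ldap_user is not None
        if self.global_limit and self.total >= self.global_limit:
            return "global"
        if self.per_ip and self.by_ip[ip] >= self.per_ip:
            return "per-ip"
        # The username limit applies only to LDAP STS, where the username is a plaintext parameter.
        if is_ldap and self.per_ldap_user and self.by_user[ldap_user] >= self.per_ldap_user:
            return "per-ldap-user"
        self.total += 1
        self.by_ip[ip] += 1
        if is_ldap:
            self.by_user[ldap_user] += 1
        return "allowed"

def replay(requests, **limits):
    """Replay (ts, ip, action, ldap_user) tuples through a fresh model; return verdict counts."""
    model = StsRateModel(**limits)
    return Counter(model.allow(*req) for req in requests)

# Constructed sample traffic, all in the same second on one node: eight IPs each send one LDAP STS
# request for the same user "alice", then a single IP sends twelve WebIdentity requests.
SAMPLE = [(100.0 + i * 0.01, f"198.51.100.{i}", "AssumeRoleWithLDAPIdentity", "alice") for i in range(8)]
SAMPLE += [(100.5 + i * 0.01, "203.0.113.9", "AssumeRoleWithWebIdentity", None) for i in range(12)]
```

With the page defaults, `replay(SAMPLE)` shows the per-LDAP-user limit stopping the distributed attempts on "alice" (3 rejected) while the per-IP limit stops the single-source flood (2 rejected), and a lower global ceiling caps the total regardless of source.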

Expiration Limits

MinIO AIStor enforces the following limits on STS token expiration:

Limit                 Value
Minimum expiration    15m (15 minutes)
Maximum expiration    8760h (365 days)

These limits apply to both the MINIO_STS_DURATION setting and the DurationSeconds parameter in STS requests.