STS Settings

This page documents settings for configuring Security Token Service (STS) behavior in AIStor. STS provides temporary security credentials for users authenticated through external identity providers such as OpenID Connect or LDAP.

You can establish or modify these settings by defining environment variables on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable.

These settings are environment variables only and do not have corresponding mc admin config settings.

Each configuration setting controls fundamental AIStor behavior and functionality. AIStor strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.

Example

export MINIO_STS_DURATION=3600
export MINIO_STS_SECURE=on

Settings

Duration

Optional

MINIO_STS_DURATION

The default lifetime in seconds for STS tokens issued by AIStor. This value applies when no explicit DurationSeconds parameter is provided in the STS request.

  • Valid Range: 900 (15 minutes) to 31536000 (365 days)
  • Default: 3600 (1 hour)

For example, to set the default STS token duration to 8 hours:

export MINIO_STS_DURATION=28800

Secure

Optional

MINIO_STS_SECURE

Require TLS for all STS operations. When enabled, STS endpoints only accept requests over HTTPS connections.

  • Valid Values: on, off
  • Default: off

AIStor recommends enabling this setting in production environments. Without TLS, both the STS request and the credentials it returns (access key, secret key and session token) travel in cleartext, so any observer on the path can capture a working credential set. Enabling this setting requires the server to be configured with TLS; once it is on, plain HTTP STS requests are rejected.

export MINIO_STS_SECURE=on

Token Revoke

Optional

MINIO_STS_TOKEN_REVOKE

Enable the STS token revocation feature. When enabled, administrators can revoke issued STS tokens before their expiration.

  • Valid Values: on, off
  • Default: off

export MINIO_STS_TOKEN_REVOKE=on

See Token revocation for usage instructions and mc commands.

Strict Expiration

Optional

MINIO_STS_STRICT_EXPIRATION

Control how AIStor enforces STS token expiration.

  • Valid Values: on, off
  • Default: on

When enabled (default), AIStor enforces token expiration strictly: the token lifetime follows the configured duration (MINIO_STS_DURATION or the request's DurationSeconds) within the documented minimum and maximum. When disabled, the expiration (exp) claim of the identity provider's JWT may override the minimum or maximum allowed STS duration, so the effective lifetime of a token is no longer bounded by these settings alone.

Keep this setting enabled unless your authentication workflow requires JWT claim-driven expiration, and if you do disable it, review the exp lifetimes your identity provider issues, since they then bound STS token lifetime.

export MINIO_STS_STRICT_EXPIRATION=on

Expiration Limits

AIStor enforces the following limits on STS token expiration:

Limit                 Value
Minimum expiration    900 seconds (15 minutes)
Maximum expiration    31536000 seconds (365 days)

These limits apply to both the MINIO_STS_DURATION setting and the DurationSeconds parameter in STS requests.
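The following is an added example and is not code from the AIStor documentation or the MinIO project. It shows the client side of the Duration, Strict Expiration and Expiration Limits sections above: a request that either passes an explicit DurationSeconds (checked locally against the 900..31536000 window before anything is sent) or omits it so the server's MINIO_STS_DURATION default applies, followed by a check of the Expiration the server actually granted against what was requested, which is how a client notices a lifetime clamped by the server or, with MINIO_STS_STRICT_EXPIRATION=off, by the identity token's own exp claim. Assumed and not stated on this page: the AWS-compatible request form (POST to the server root with Action=AssumeRoleWithWebIdentity, Version=2011-06-15, WebIdentityToken and DurationSeconds) and the AWS-style XML response. The sample response, the sample JWT, and all function names are constructed for this example.

```python
"""Client-side STS helper for AIStor/MinIO (added example, not project code).

Assumptions not stated on the settings page: the STS endpoint is the server
root, the request is an HTTP POST carrying Action=AssumeRoleWithWebIdentity,
Version=2011-06-15, WebIdentityToken and DurationSeconds as query parameters
(the AWS-compatible form), and the response is AWS-style XML as in
SAMPLE_RESPONSE below, which is constructed here rather than captured.
"""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Limits documented on the page, in seconds.
STS_MIN_SECONDS = 900
STS_MAX_SECONDS = 31_536_000
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def jwt_exp(token: str):
    """Return the JWT 'exp' claim as an aware UTC datetime, or None.

    No signature check is done here: the client only wants to know when the
    identity provider says the token stops being valid, which is the claim
    that can bound the STS lifetime when MINIO_STS_STRICT_EXPIRATION=off.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    exp = claims.get("exp")
    return None if exp is None else datetime.fromtimestamp(exp, tz=timezone.utc)


def check_duration(seconds: int) -> int:
    """Fail locally on a DurationSeconds outside the documented window."""
    if not STS_MIN_SECONDS <= seconds <= STS_MAX_SECONDS:
        raise ValueError(
            f"DurationSeconds={seconds} outside {STS_MIN_SECONDS}..{STS_MAX_SECONDS}")
    return seconds


def build_query(web_identity_token: str, duration_seconds=None) -> str:
    """Encode the request; omitting DurationSeconds lets MINIO_STS_DURATION apply."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": web_identity_token,
    }
    if duration_seconds is not None:
        params["DurationSeconds"] = str(check_duration(duration_seconds))
    return urllib.parse.urlencode(params)


def parse_credentials(xml_body: str) -> dict:
    """Pull AccessKeyId, SecretAccessKey, SessionToken and Expiration from the XML."""
    root = ET.fromstring(xml_body)
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {child.tag.removeprefix(STS_NS): child.text for child in creds}
    out["Expiration"] = datetime.fromisoformat(out["Expiration"].replace("Z", "+00:00"))
    return out


def lifetime_shortfall(creds: dict, requested_seconds: int, issued_at: datetime) -> int:
    """Seconds by which the granted lifetime falls short of the request.

    A positive value means the server issued a shorter-lived token than asked
    for, e.g. clamped to the identity token's expiry with strict expiration off.
    """
    granted = int((creds["Expiration"] - issued_at).total_seconds())
    return max(0, requested_seconds - granted)


def assume_role(endpoint: str, web_identity_token: str, duration_seconds=None,
                timeout: float = 10.0) -> dict:
    """Perform the request against a live server (not exercised offline)."""
    if not endpoint.startswith("https://"):
        raise ValueError("use an https:// endpoint; MINIO_STS_SECURE=on rejects plain HTTP")
    url = f"{endpoint.rstrip('/')}/?{build_query(web_identity_token, duration_seconds)}"
    req = urllib.request.Request(url, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_credentials(resp.read().decode())


def unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) for the offline walk-through only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample (not captured from a real server): the client asked for
# 8 hours (28800 s) at 12:00 UTC but was granted a token expiring at 13:00 UTC.
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>examplesecretkey</SecretAccessKey>
      <SessionToken>example.session.token</SessionToken>
      <Expiration>2024-01-01T13:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_RESPONSE)
    print("shortfall vs 8h request:", lifetime_shortfall(creds, 28800, ISSUED_AT), "s")
```

Against a live deployment, call assume_role("https://minio.example.com:9000", id_token, 28800) and compare lifetime_shortfall with the time you sent the request; a non-zero shortfall with MINIO_STS_STRICT_EXPIRATION=on points at a server-side clamp, and with it off at the identity token's own exp (readable with jwt_exp) bounding the STS lifetime.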