mc idp openid accesskey create-with-login
The mc idp openid accesskey create-with-login command uses a browser-based login flow to authenticate with an OpenID Connect provider and generate access keys for use with AIStor.
The command starts a local HTTP server, opens the OpenID authentication URL in your browser, and waits for the authentication callback. After successful authentication, it creates access keys using the policies associated with the authenticated OIDC user. For details, see the authentication flow section.
Syntax
mc idp openid accesskey create-with-login URL [CONFIG] [FLAGS]
Parameters
URL
Required
The FQDN or IP address of an AIStor deployment configured for OpenID integration.
For example:
mc idp openid accesskey create-with-login https://myaistor.example.net
CONFIG
Optional
The name of the OpenID configuration to use for authentication.
If not specified, the command uses the default OpenID configuration.
For example, to use an OpenID configuration named myoidc:
mc idp openid accesskey create-with-login https://myaistor.example.net myoidc
--access-key
Optional
The access key to use once successfully authenticated. Omit to let AIStor randomly generate a value.
The access key cannot contain the characters = (equal sign) or , (comma).
Requires --secret-key
--secret-key
Optional
A secret key to use once successfully authenticated. Omit to let AIStor randomly generate a value.
Requires --access-key
--policy
Optional
File path to the JSON-formatted policy to use for the account. This policy cannot grant additional privileges beyond the privileges associated with the authenticated OIDC user.
Omit to grant the same access as the OIDC user used to authenticate.
--name
Optional
A human-readable name to use for the created access key.
--description
Optional
A description for the access key. For example, you might record the reason the access key exists.
--expiry-duration
Optional
Length of time the access key pair should remain valid for use in #d#h#s format.
For example, 7d, 24h, 5d12h30s are valid strings.
Mutually exclusive with --expiry.
--expiry
Optional
The future date and time when the access key expires. The access key becomes invalid at the start of the specified date and time (midnight if no time is specified).
Supported formats:

| Format | Example | Description |
|---|---|---|
| YYYY-MM-DD | 2025-12-31 | Expires at midnight (00:00:00) on the specified date |
| YYYY-MM-DDTHH:MM | 2025-12-31T23:59 | Expires at the specified date and time |
| YYYY-MM-DDTHH:MM:SS | 2025-12-31T23:59:59 | Expires at the specified date, time, and seconds |
| RFC3339 | 2025-12-31T23:59:59Z | Expires at the specified time in the given zone (Z for UTC) |

Dates without a timezone use the local timezone of the machine running the command.
Use RFC3339 format with a Z suffix or a timezone offset to state the zone explicitly.
Mutually exclusive with --expiry-duration.
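The two expiry flags above follow rules that are easy to get wrong by hand: #d#h#s is not a format the Go standard library parses (time.ParseDuration has no day unit), zone-less --expiry values are read in the local zone while RFC3339 values carry their own, and the two flags cannot be combined. The following Go program is an added example that reimplements those rules so they can be checked against concrete values; it is not mc's own code, and the "must be in the future" check and the fixed d/h/s unit order are assumptions taken from the wording above rather than from the tool's source.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// durationRe accepts the #d#h#s form documented for --expiry-duration; each
// unit is optional but the order is fixed (days, hours, seconds). Assumption:
// the real flag may accept more, this only covers what the page lists.
var durationRe = regexp.MustCompile(`^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)s)?$`)

// ParseExpiryDuration converts "7d", "24h" or "5d12h30s" into a time.Duration.
// time.ParseDuration is not used because it has no "d" unit.
func ParseExpiryDuration(s string) (time.Duration, error) {
	m := durationRe.FindStringSubmatch(s)
	if s == "" || m == nil {
		return 0, fmt.Errorf("invalid --expiry-duration %q: want #d#h#s, e.g. 5d12h30s", s)
	}
	units := []time.Duration{24 * time.Hour, time.Hour, time.Second}
	var d time.Duration
	for i, u := range units {
		if m[i+1] == "" {
			continue
		}
		n, err := strconv.ParseInt(m[i+1], 10, 64)
		if err != nil {
			return 0, err
		}
		d += time.Duration(n) * u
	}
	if d <= 0 {
		return 0, fmt.Errorf("--expiry-duration %q must be positive", s)
	}
	return d, nil
}

// naiveLayouts are the --expiry formats that carry no zone. They are read in
// loc, which a caller would set to time.Local to match the command.
var naiveLayouts = []string{"2006-01-02", "2006-01-02T15:04", "2006-01-02T15:04:05"}

// ParseExpiryTime parses one of the four documented --expiry formats and
// rejects values that are not in the future relative to now.
func ParseExpiryTime(s string, loc *time.Location, now time.Time) (time.Time, error) {
	var t time.Time
	var err error
	// RFC3339 is tried first: it is the only form that carries its own zone.
	if t, err = time.Parse(time.RFC3339, s); err != nil {
		for _, layout := range naiveLayouts {
			if t, err = time.ParseInLocation(layout, s, loc); err == nil {
				break
			}
		}
	}
	if err != nil {
		return time.Time{}, fmt.Errorf("invalid --expiry %q: want YYYY-MM-DD, YYYY-MM-DDTHH:MM, YYYY-MM-DDTHH:MM:SS or RFC3339", s)
	}
	if !t.After(now) {
		return time.Time{}, fmt.Errorf("--expiry %q is not in the future", s)
	}
	return t, nil
}

// ResolveExpiry applies the flag rules: the two flags are mutually exclusive,
// a duration counts from now, and neither flag means no expiry (zero time).
func ResolveExpiry(durationFlag, expiryFlag string, now time.Time, loc *time.Location) (time.Time, error) {
	switch {
	case durationFlag != "" && expiryFlag != "":
		return time.Time{}, errors.New("--expiry-duration and --expiry are mutually exclusive")
	case durationFlag != "":
		d, err := ParseExpiryDuration(durationFlag)
		if err != nil {
			return time.Time{}, err
		}
		return now.Add(d), nil
	case expiryFlag != "":
		return ParseExpiryTime(expiryFlag, loc, now)
	}
	return time.Time{}, nil
}

func main() {
	now := time.Now()
	cases := [][2]string{{"24h", ""}, {"5d12h30s", ""}, {"", "2099-12-31"}, {"", "2099-12-31T23:59:59Z"}, {"24h", "2099-12-31"}}
	for _, in := range cases {
		t, err := ResolveExpiry(in[0], in[1], now, time.Local)
		fmt.Printf("duration=%q expiry=%q -> %v %v\n", in[0], in[1], t, err)
	}
}
```

Running it with a zone-less date in two different local zones gives two different instants, which is the practical reason to prefer the RFC3339 form when the key is minted on one machine and audited on another.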
--sts-only
Optional
Return only temporary STS credentials without creating a new permanent access key.
When specified, the command outputs the STS access key, secret key, and session token received from the OpenID authentication.
These credentials are temporary and expire according to the MINIO_STS_DURATION environment variable on the server, which defaults to 1 hour (3600 seconds).
Global flags
This command supports any of the global flags.
Examples
Create an access key pair using browser login
The following command opens a browser for OpenID authentication and creates a new access key pair using the authenticated user’s policies:
mc idp openid accesskey create-with-login https://myaistor.example.net
Create an access key pair using a specific OpenID configuration
The following command authenticates using an OpenID configuration named myoidc:
mc idp openid accesskey create-with-login https://myaistor.example.net myoidc
Get temporary STS credentials only
The following command returns temporary STS credentials without creating a permanent access key:
mc idp openid accesskey create-with-login https://myaistor.example.net --sts-only
Create an access key pair that expires after 24 hours
The following command creates an access key pair that expires after 24 hours:
mc idp openid accesskey create-with-login https://myaistor.example.net --expiry-duration 24h
Behavior
Authentication flow
The command performs the following steps:
- Starts a local HTTP server to receive the authentication callback.
- Requests the OpenID login URL from the AIStor server.
- Displays the login URL for you to open in a browser.
- Waits for you to complete authentication with the OpenID provider.
- Receives the authentication callback with STS credentials.
- Creates a permanent access key using the STS credentials (unless --sts-only is specified).
The authentication process has a 5-minute timeout. If you do not complete authentication within this time, the command exits with an error.
The local callback server listens over plain HTTP rather than HTTPS.
This is acceptable because the server accepts connections only from localhost, so the callback never crosses the network, and the callback payload is cryptographically signed, so a forged callback cannot inject credentials. Note that a localhost binding keeps remote hosts out but does not stop other processes on the same machine from connecting, which is why the signature check on the payload matters.
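To make the flow concrete, the following Go program is an added example of the loopback callback pattern described above: it binds 127.0.0.1 on an ephemeral port, hands out the redirect URL, accepts exactly one callback, and gives up after a timeout (the command's own limit is 5 minutes). It is not mc's code. The query parameter names (AccessKey, SecretKey, SessionToken, state) are illustrative, and the one-time state value that the callback must echo is a stand-in for the signed-payload check the real command performs, whose format the page does not document.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"time"
)

// STSCredentials is what the callback is assumed to deliver; the field and
// query parameter names here are illustrative, not mc's wire format.
type STSCredentials struct {
	AccessKey, SecretKey, SessionToken string
}

// CallbackServer is a loopback HTTP listener that accepts exactly one
// authentication callback, then stops.
type CallbackServer struct {
	listener net.Listener
	state    string // one-time random value the callback must echo back
	result   chan STSCredentials
}

// NewCallbackServer binds 127.0.0.1 on an ephemeral port, so nothing off the
// host can reach the endpoint, and draws a fresh state value for this login.
func NewCallbackServer() (*CallbackServer, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		ln.Close()
		return nil, err
	}
	return &CallbackServer{listener: ln, state: hex.EncodeToString(buf), result: make(chan STSCredentials, 1)}, nil
}

// RedirectURL is the redirect_uri a client would hand to the server when
// requesting the login URL; State is the value it would ask to have echoed.
func (c *CallbackServer) RedirectURL() string {
	return "http://" + c.listener.Addr().String() + "/oauth_callback"
}
func (c *CallbackServer) State() string { return c.state }

func (c *CallbackServer) handle(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	// A loopback bind keeps remote hosts out but not other local processes, so
	// anything that does not echo the one-time state is refused. This stands in
	// for the signed-payload check the real command performs.
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(c.state)) != 1 {
		http.Error(w, "unexpected callback", http.StatusForbidden)
		return
	}
	creds := STSCredentials{q.Get("AccessKey"), q.Get("SecretKey"), q.Get("SessionToken")}
	if creds.AccessKey == "" || creds.SecretKey == "" || creds.SessionToken == "" {
		http.Error(w, "incomplete credentials", http.StatusBadRequest)
		return
	}
	select {
	case c.result <- creds:
		fmt.Fprintln(w, "Login complete; you can close this window.")
	default: // a second valid callback after the first is not accepted
		http.Error(w, "callback already received", http.StatusConflict)
	}
}

// Wait serves the callback endpoint until credentials arrive or timeout
// passes; the documented command allows 5 minutes.
func (c *CallbackServer) Wait(timeout time.Duration) (STSCredentials, error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth_callback", c.handle)
	srv := &http.Server{Handler: mux}
	go srv.Serve(c.listener)
	defer func() {
		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
		defer cancel()
		srv.Shutdown(ctx) // lets an in-flight response finish before closing
	}()
	select {
	case creds := <-c.result:
		return creds, nil
	case <-time.After(timeout):
		return STSCredentials{}, fmt.Errorf("no authentication callback within %s", timeout)
	}
}

func main() {
	srv, err := NewCallbackServer()
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect_uri:", srv.RedirectURL(), "state:", srv.State())
	creds, err := srv.Wait(5 * time.Minute)
	fmt.Println(creds, err)
}
```

The listener is created before the login URL is requested so that the redirect URI handed to the identity provider already has its port, and the server is torn down as soon as one callback has been consumed or the timeout fires, so the endpoint does not linger after the credentials are in hand.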
S3 compatibility
The mc command-line tool is built for compatibility with the AWS S3 API and is tested with AIStor and AWS S3 for expected functionality and behavior.
MinIO provides no guarantees for other S3-compatible services, as their S3 API implementation is unknown and therefore unsupported.
While mc commands may work as documented, any such usage is at your own risk.