Closed
Description
Spec:
const s3 = {
URL: "https://minio.lab.sspcloud.fr",
sts: {
role: [
{
roleARN: "arn:aws:iam::123456789012:role/$1",
roleSessionName: "onyxia-personal-bucket",
claimName: "preferred_username"
},
{
roleARN: "arn:aws:iam::329456783432:role/projet-$1",
roleSessionName: "onyxia-project-bucket-$1",
claimName: "groups",
excludedClaimPattern: "^USER_ONYXIA$"
},
],
oidcConfiguration: {
clientId: "onyxia-ceph"
}
},
bookmarkedDirectories: [
{
fullPath: "$1/",
title: "Personal",
description: "Personal storage",
claimName: "preferred_username",
forStsRoleSessionName: "onyxia-personal-bucket"
},
{
fullPath: "projet-$1/",
title: "Group $1",
description: "Shared storage for project $1",
claimName: "groups",
excludedClaimPattern: "^USER_ONYXIA$",
forStsRoleSessionName: "onyxia-project-bucket-$1"
},
{
fullPath: "donnees-insee/diffusion/",
title: {
fr: "Données de diffusion",
en: "Dissemination Data"
},
description: {
fr: "Bucket public destiné à la diffusion de données",
en: "Public bucket intended for data dissemination"
},
forStsRoleSessionName: ["onyxia-personal-bucket", "onyxia-project-bucket-*"],
// OR
// forStsRoleSessionName: "*",
}
]
};
/*
Computed Profiles for Decoded ID Token:
{
"preferred_username": "garronej",
"groups": [ "USER_ONYXIA", "codegouv" ],
}
*/
const s3Profiles = [
{
URL: "https://minio.lab.sspcloud.fr",
sts: {
role: {
roleARN: "arn:aws:iam::123456789012:role/garronej",
roleSessionName: "onyxia-personal-bucket",
},
oidcConfiguration: {
clientId: "onyxia-ceph"
}
},
bookmarkedDirectories: [
{
fullPath: "garronej/",
title: "Personal",
description: "Personal storage",
},
{
fullPath: "donnees-insee/diffusion/",
title: {
fr: "Données de diffusion",
en: "Dissemination Data"
},
description: {
fr: "Bucket public destiné à la diffusion de données",
en: "Public bucket intended for data dissemination"
}
}
]
},
{
URL: "https://minio.lab.sspcloud.fr",
sts: {
role: {
roleARN: "arn:aws:iam::329456783432:role/projet-codegouv",
roleSessionName: "onyxia-project-bucket-codegouv",
},
oidcConfiguration: {
clientId: "onyxia-ceph"
}
},
bookmarkedDirectories: [
{
fullPath: "projet-codegouv/",
title: "Group codegouv",
description: "Shared storage for project codegouv",
},
{
fullPath: "donnees-insee/diffusion/",
title: {
fr: "Données de diffusion",
en: "Dissemination Data"
},
description: {
fr: "Bucket public destiné à la diffusion de données",
en: "Public bucket intended for data dissemination"
}
}
]
}
];

Takeaways:
- s3.sts.role can now be an array of template values, with the same mechanics as bookmarkedDirectories.
- bookmarkedDirectories have an additional optional property forStsRoleSessionName that enables mapping an S3 location to a certain STS role; if omitted, all roles will be matched.
- This is fully backward compatible, no breaking changes.
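The resolution the spec and takeaways describe, written out as an added example (this is not Onyxia's own code): each role and bookmark template is expanded against the decoded ID token, `$1` is substituted with every value of `claimName` that does not match `excludedClaimPattern`, and each expanded bookmark is attached to the roles that its `forStsRoleSessionName` selects, with `*` as a wildcard. The function names, the treatment of a scalar claim as a one-element list, and the sample claims are assumptions made for the example.

```javascript
// Added example, not Onyxia's own code: a reference resolver for the template
// mechanics in the spec above. Function names and the sample input are
// constructed for illustration.

// Replace every "$1" in strings nested anywhere in `value` with `claimValue`.
// split/join rather than String.replace, so "$" sequences inside a claim
// value (e.g. "$&") are copied verbatim instead of being interpreted.
function substitute(value, claimValue) {
  if (typeof value === "string") return value.split("$1").join(claimValue);
  if (Array.isArray(value)) return value.map(v => substitute(v, claimValue));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, substitute(v, claimValue)])
    );
  }
  return value;
}

// Expand one template (a role or a bookmarkedDirectory) against the decoded
// ID token. Without claimName the template is returned once, unchanged. With
// claimName it yields one object per string value of that claim (scalar or
// array) that does not match excludedClaimPattern. claimName and
// excludedClaimPattern are consumed and do not appear in the output.
function expandTemplate(template, claims) {
  const { claimName, excludedClaimPattern, ...body } = template;
  if (claimName === undefined) return [body];
  const raw = claims[claimName];
  const values = (Array.isArray(raw) ? raw : raw === undefined ? [] : [raw])
    .filter(v => typeof v === "string");
  const excluded = excludedClaimPattern === undefined ? null : new RegExp(excludedClaimPattern);
  return values
    .filter(v => excluded === null || !excluded.test(v))
    .map(v => substitute(body, v));
}

// "*" in a forStsRoleSessionName pattern matches any run of characters;
// every other character is literal.
function globMatch(pattern, s) {
  const parts = pattern.split("*").map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(s);
}

// A bookmark applies to a role when forStsRoleSessionName is omitted, or when
// the role's session name matches the string or any string in the array.
function bookmarkAppliesTo(bookmark, roleSessionName) {
  const sel = bookmark.forStsRoleSessionName;
  if (sel === undefined) return true;
  return (Array.isArray(sel) ? sel : [sel]).some(p => globMatch(p, roleSessionName));
}

// Resolve an S3 spec into one profile per concrete STS role. sts.role may be
// a single template (previous behaviour) or an array of templates.
function computeS3Profiles(s3, claims) {
  const { sts, bookmarkedDirectories = [], ...s3Rest } = s3;
  const { role, ...stsRest } = sts;
  const roleTemplates = Array.isArray(role) ? role : [role];
  const bookmarks = bookmarkedDirectories.flatMap(b => expandTemplate(b, claims));
  return roleTemplates
    .flatMap(t => expandTemplate(t, claims))
    .map(concreteRole => ({
      ...s3Rest,
      sts: { ...stsRest, role: concreteRole },
      bookmarkedDirectories: bookmarks
        .filter(b => bookmarkAppliesTo(b, concreteRole.roleSessionName))
        .map(({ forStsRoleSessionName, ...rest }) => rest),
    }));
}

// Constructed sample input: the spec from the issue (descriptions dropped for
// brevity) and the decoded ID token it is resolved against.
const sampleS3 = {
  URL: "https://minio.lab.sspcloud.fr",
  sts: {
    role: [
      { roleARN: "arn:aws:iam::123456789012:role/$1", roleSessionName: "onyxia-personal-bucket", claimName: "preferred_username" },
      { roleARN: "arn:aws:iam::329456783432:role/projet-$1", roleSessionName: "onyxia-project-bucket-$1", claimName: "groups", excludedClaimPattern: "^USER_ONYXIA$" },
    ],
    oidcConfiguration: { clientId: "onyxia-ceph" },
  },
  bookmarkedDirectories: [
    { fullPath: "$1/", title: "Personal", claimName: "preferred_username", forStsRoleSessionName: "onyxia-personal-bucket" },
    { fullPath: "projet-$1/", title: "Group $1", claimName: "groups", excludedClaimPattern: "^USER_ONYXIA$", forStsRoleSessionName: "onyxia-project-bucket-$1" },
    { fullPath: "donnees-insee/diffusion/", title: { fr: "Données de diffusion", en: "Dissemination Data" }, forStsRoleSessionName: ["onyxia-personal-bucket", "onyxia-project-bucket-*"] },
  ],
};
const sampleClaims = { preferred_username: "garronej", groups: ["USER_ONYXIA", "codegouv"] };

const profiles = computeS3Profiles(sampleS3, sampleClaims);
console.log(JSON.stringify(profiles, null, 2));
```

Two points worth keeping in mind when implementing this for real: the claim value lands verbatim in roleARN and fullPath, so excludedClaimPattern (and the IdP's own constraints on the claim) are the only things limiting what ends up in the role name and bucket path; and the bookmark-to-role matching above runs on the already substituted forStsRoleSessionName, which is what makes "onyxia-project-bucket-$1" bind each group's bookmark to that group's role only.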