- Login using Fusionauth and get the JWT from that. Note - the User needs to have a registration to the Application
CDN
in fusionauth for this. - Get the bucket temp crendentials using following API. Update
<<JWT Token>>
with the token you got from step 1;<<Bucket Name>>
needs to be added prior and you can ask your admin to do this for you.<<Token Duration>>
is in seconds - try to keep an upper limit by the limit of JWT.
var requestOptions = {
method: 'POST',
redirect: 'follow'
};
fetch("https://cdn.samagra.io/minio/<<Bucket Name>>/?Action=AssumeRoleWithWebIdentity&DurationSeconds=<<Token Duration>>&WebIdentityToken=<<JWT Token>>&Version=2011-06-15", requestOptions)
.then(response => response.text())
.then(result => console.log(result))
.catch(error => console.log('error', error));
- You will get a respose similar to this from the above API call.
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult>
<AssumedRoleUser>
<Arn></Arn>
<AssumeRoleId></AssumeRoleId>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>Bla Bla Access Key</AccessKeyId>
<SecretAccessKey>Bla Bla Secret Key</SecretAccessKey>
<Expiration>2021-03-17T16:12:26Z</Expiration>
<SessionToken>Bla Bla Session Token</SessionToken>
</Credentials>
<SubjectFromWebIdentityToken>11803383-f1a5-4b7f-ba4e-b2693f3aec33</SubjectFromWebIdentityToken>
</AssumeRoleWithWebIdentityResult>
<ResponseMetadata>
<RequestId>166D2A31C74CB99A</RequestId>
</ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
- Take the following elements out -
<AccessKeyId>
and<SecretAccessKey>
. Now you can use the minio client like this.
var Minio = require('minio')
var minioClient = new Minio.Client({
endPoint: 'play.min.io',
port: 9000,
useSSL: true,
accessKey: 'Q3AM3UQ867SPQQA43P2F',
secretKey: 'zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG'
sessionToken: 'JWT Session Token'
});
- The
<<Token Duration>>
needs to be really small to disallow misuse. - The
<AssumedRoleUser>
is currently not moderated and needs to be handled better either on the CDN front or on the frontend.
Assuming e-samwad
is the bucket name and esamwad
is the policy name
- Create a file called
only-esamwad.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*e-samwad*"
],
"Sid": "BucketAccessForUser"
}
]
}
- Add the policy to the minio using
mc
client
./mc admin policy add local2 esamwad policies/only-esamwad.txt
- Add the same policy
esamwad
as part of the JWT token that you are creating. The parsed JWT will look something like this.
{
"accessKey": "N2LC01DVGB84AT8BM6V5",
"applicationId": "2011a6c9-7fb7-4306-8c6d-c96cb07c7859",
"aud": "2011a6c9-7fb7-4306-8c6d-c96cb07c7859",
"authenticationType": "PASSWORD",
"email": "abc@xyz.com",
"email_verified": true,
"exp": "1633434988",
"iat": 1633431388,
"iss": "acme.com",
"jti": "5ad8265b-6cbb-4e7e-962a-39485786e272",
"policy": "esamwad",
"preferred_username": "chakshu",
"roles": [],
"sub": "be5ae034-cea9-415d-a476-81744aba644d"
}
- To allow a folder to have anonymous download access
/mc policy set download local2/<bucket-name>/<sub-folder>/
node index.js