Support sts and static credentials to work together #4762
Comments
@harshavardhana do you think it is possible to implement this feature soon?
Yeah, it's minor stuff.
Cool! That's awesome. So in your opinion you will be able to implement it, and if so, what is the approximate date for the feature? It is very urgent for our daily work. Just for confirmation, I would like to set up MC_HOST_s3 based on IAM roles. Usually I should be able to retrieve the temporary ACCESS/SECRET/TOKEN values using the AWS CLI, but it is not available in the minio image or in mc.
Fixed in #4763
@harshavardhana can you explain to me how we can set up MC_HOST_s3 now? How do we retrieve the temporary credentials?
Obtain the web identity token file and role ARN: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc Just like how you would set
You should set the above values for mc. |
@harshavardhana I added MC_HOST_s3=https://s3.amazonaws.com and I have the env AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token as well. It looks like it is trying to use them, but I'm getting
Do you have any idea if something is still missing, or maybe the role is not being taken properly? I can see in the AWS console that the role has not been used in the last few hours.
There is a 403 error and Access Denied in debug mode for the S3 bucket.
It looks like MC_HOST_s3 is not taking the temporary Access Key, Secret Key and Session Token into account. We have MC_HOST_s3=https://s3.amazonaws.com/ But how do we retrieve these values?
@robert-pudlowski-mox with mc you must
@harshavardhana sure! I already checked that as well, but nothing has changed. My minio deployment definition: ENVS:
But the issue is still the same.
I have the IAM role assigned to the service account which is used by the pod, so it should be fine. It works for ILM with the role and service account.
When you are doing this can you
```
mc ls --debug s3/xxxx-bucket
mc: HTTP/1.1 403 Forbidden
mc: TLS Certificate found:
mc: HEAD / HTTP/1.1
mc: HTTP/1.1 403 Forbidden
mc: TLS Certificate found:
mc: Unable to list folder. Access Denied.
```
And what are the environment variables set before using mc?
@harshavardhana what do you mean? All the envs which I am adding to the deployment:
Nothing more :) There are of course some default environment variables which come from EKS. Any idea how to deal with STS for S3?
And what is the version of mc - can you provide |
I use the minio image: minio/minio:RELEASE.2023-11-15T20-43-25Z |
Have you used the latest mc? https://github.com/minio/mc/releases/tag/RELEASE.2023-11-15T22-45-58Z The mc inside the MinIO container is not the latest.
Ah, I see your problem: you have not set the
In your ENV this must be set to perhaps |
@harshavardhana thanks man! It works. One more question. After adding the env MC_STS_ENDPOINT=https://sts.ap-east-1.amazonaws.com, I can no longer add an alias for the local minio deployment, which was working before: `mc alias set myminio http://opencti-minio:9000 $MINIO_ACCESS_KEY $MINIO_SECRET_KEY` Any idea how to make the S3 alias and the local minio alias work at the same time?
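The settings the thread arrives at (MC_HOST_s3 with no static keys, MC_STS_ENDPOINT for the role's region, and the projected service-account token in AWS_WEB_IDENTITY_TOKEN_FILE) are collected below in an added shell example that is not mc's own code or anything posted in the thread. It also checks the token file before mc is run, because a 403 from S3 says nothing about whether the role assumption happened at all. AWS_ROLE_ARN is the standard AWS SDK variable for the role to assume and is assumed here to be the one mc reads; the sample token is constructed for the example and carries no real signature.

```shell
# Added example (not mc code): assemble the environment mc needs to reach S3 via
# an EKS web-identity (IRSA) token and STS, and sanity-check the token first.
# MC_HOST_s3, MC_STS_ENDPOINT and AWS_WEB_IDENTITY_TOKEN_FILE are the variables
# named in the thread; AWS_ROLE_ARN is the standard AWS SDK variable and is
# assumed to be what mc reads.

# Decode one base64url JWT segment (JWTs omit '=' padding, so restore it).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Encode a string as an unpadded base64url segment (used only for the sample).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Print the decoded payload (second segment) of the JWT stored in file $1.
jwt_payload() {
  local tok
  tok=$(tr -d '\n' < "$1")
  b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)"
  printf '\n'
}

# Print the numeric exp claim of the token in file $1.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p'
}

# Check the token before blaming mc: the file is readable, has three segments,
# is intended for STS (aud contains sts.amazonaws.com) and is not expired at
# time $2 (epoch seconds). Returns 0 when every check passes.
token_check() {
  local file=$1 now=$2 tok ndots payload exp
  [ -r "$file" ] || { echo "token file $file not readable" >&2; return 1; }
  tok=$(tr -d '\n' < "$file")
  ndots=$(printf '%s' "$tok" | tr -cd '.' | wc -c)
  [ "$(( ndots ))" -eq 2 ] \
    || { echo "not a JWT (expected 3 dot-separated segments)" >&2; return 1; }
  payload=$(jwt_payload "$file")
  printf '%s\n' "$payload" | grep -q '"aud":\[[^]]*"sts\.amazonaws\.com"' \
    || { echo "aud does not include sts.amazonaws.com" >&2; return 1; }
  exp=$(jwt_exp "$file")
  [ -n "$exp" ] && [ "$exp" -gt "$now" ] \
    || { echo "token expired (exp=$exp, now=$now)" >&2; return 1; }
  return 0
}

# Regional STS endpoint, the form used in the thread for ap-east-1.
sts_endpoint() { printf 'https://sts.%s.amazonaws.com\n' "$1"; }

# Print the export lines for mc: no static keys inside MC_HOST_s3, the STS
# endpoint of the role's region, and the web-identity pair the role needs.
mc_env() {
  local region=$1 role_arn=$2 token_file=$3
  printf 'export MC_HOST_s3=https://s3.amazonaws.com\n'
  printf 'export MC_STS_ENDPOINT=%s\n' "$(sts_endpoint "$region")"
  printf 'export AWS_ROLE_ARN=%s\n' "$role_arn"
  printf 'export AWS_WEB_IDENTITY_TOKEN_FILE=%s\n' "$token_file"
}

# Write a constructed, unsigned token shaped like an EKS projected
# service-account token to file $1 with expiry $2. For this example only; a
# real token is minted by the kubelet and signed by the cluster's OIDC issuer.
make_sample_token() {
  local header payload
  header='{"alg":"RS256","kid":"example-kid"}'
  payload="{\"aud\":[\"sts.amazonaws.com\"],\"exp\":$2,\"iss\":\"https://oidc.eks.ap-east-1.amazonaws.com/id/EXAMPLE\",\"sub\":\"system:serviceaccount:default:example-sa\"}"
  printf '%s.%s.%s\n' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" \
    "$(b64url_encode 'not-a-real-signature')" > "$1"
}

# Usage on constructed input: write a sample token, check it, print the env.
sample=$(mktemp)
make_sample_token "$sample" 4102444800
token_check "$sample" "$(date +%s)" \
  && mc_env ap-east-1 arn:aws:iam::123456789012:role/example-mc-reader "$sample"
```

If token_check passes and mc still answers 403 Access Denied, the token is being presented correctly and the next things to check are the role's trust policy (the OIDC issuer and the service-account subject must match) and the role's S3 permissions for the bucket, since a successful AssumeRoleWithWebIdentity followed by a denied ListBucket looks identical from mc's side. Keeping the static MINIO_ACCESS_KEY and MINIO_SECRET_KEY out of the pod environment is also the point of this setup: the only S3 credential the pod holds is the short-lived projected token.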
@robert-pudlowski-mox right now that is not possible - I have to think about adding that support. |
@harshavardhana so how can I copy files from local minio to the S3 bucket if I'm not able to connect to local minio and the S3 bucket at the same time? :D Now I can either send something to the S3 bucket or connect to local minio, but not both.
@harshavardhana and one more question: if I have the configuration set up for the S3 bucket (MC_HOST_s3, MC_STS_ENDPOINT etc.), will the ILM which is already in place and set up for local minio with an S3 tier still work? Or will it stop working?
Correct this is something that needs to be fixed. |
mc changes won't affect ILM which is server side config. |
This is fully fixed here #4771 |
Expected behavior
I would like to set the MC_HOST_s3 env using an IAM role. I would like to generate temporary credentials for the AWS service.
Actual behavior
I cannot install the AWS CLI on minio in order to retrieve temporary credentials, so I need to use an AWS ACCESS KEY AND SECRET KEY. I would like to use a token.
Right now there is only a feature to retrieve temporary credentials for minio, but I want it for an S3 bucket.
Steps to reproduce the behavior
I have minio with mc and I want to use the IAM role assigned to the Pod in EKS in order to generate temporary credentials for the S3 service.
```
mc --version
RELEASE-2023-11-06T04-19-23Z
```
System information