Add support for temporary credentials

[poornas]

fixes #285 by accepting sessiontoken as optional client
constructor parameter, and passing X-Amz-Security-Token
if sessionToken is set

Testing:

1. set up OPA and wso2 using STS quickstart
2. start minio server with MINIO_IAM_JWKS_URL and MINIO_IAM_OPA_URL set
3. Then, get session token and temp credentials from

 aws --endpoint-url=http://localhost:9000 sts assume-role-with-web-identity --role-arn aws:arn:wwffffwfer123123123123 --role-session-name RoleName --web-identity-token eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJEVE5PUlBrNWJuZ2duQ3pfeUZjc2YzT0ZuZ01hIiwiYXpwIjoiRFROT1JQazVibmdnbkN6X3lGY3NmM09GbmdNYSIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTU0OTY2MzM2MSwiaWF0IjoxNTQ5NjU5NzYxLCJqdGkiOiJiNTNmMDYzOC1lN2M3LTQxYjgtYTdmNi1hNTY0YmQwODZmOTIifQ.Y-cIRh7fwnqRr2efTHlgt0gYEgxcLBCafN9dLYRiPF4PSu8bvZLXIrGNNa02Sqct3G7sXjO7oiwA5ifd2JC_CsMx2P6Z63xIO_O7Ct1CvD8kiNYdlRi6hK4QEx3pFlHRyeGUAjxFoZU_0-kg_sxycOTAYcekIBoRN-MGDOkujWGuqHYCfG59kuFG8tgKO4q0rWWUWZgF1G4UQKQUQj2_it0IQwLETGQFbYjIHmDD7wSKvR_Xmv4o0w1doMeh0FqUH95f5cGNJMAV8hfxk6LINaSJad3RlYDexVhFobQRxVqhD1LHHp215hEJ_luWbbNCPUUMOiHhiMH06hbMQ2bt9w --provider-id myserviceprovider
{
    "AssumedRoleUser": {
        "Arn": ""
    }, 
    "Credentials": {
        "SecretAccessKey": "UEHvPQz16K5IC4n37Kj0kvSZx2iXcxwH+udBi9nt", 
        "SessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONjFDNVA2TTFQT01NR01YTEw0ViIsImF1ZCI6IkRUTk9SUGs1Ym5nZ25Del95RmNzZjNPRm5nTWEiLCJhenAiOiJEVE5PUlBrNWJuZ2duQ3pfeUZjc2YzT0ZuZ01hIiwiZXhwIjoNTQ5NjYzMzYxLCJpYXQiOjE1NDk2NTk3NjEsIm

4. connect to minio server with temp credentials and session token set

                minioClient = new Minio.MinioClient(endPoint, accessKey, secretKey,sessionToken:sessionToken);

operations which opa policy permits should complete successfully.

[antonchaika]

I can't setup OPA for Windows. Is there any alternatives or other way to grant access? I've installed Minio client v3.0.4 but have response: Access Denied. I supposed I've missed OPA configration, have I?

[harshavardhana]

You can use OPA or provide a custom claim in jwt as "policy" - some IDPs provide a way to do it.

https://github.com/minio/minio/blob/master/docs/sts/wso2.md#4-jwt-claims

[poornas]

@antonchaika, did you follow the opa setup here. You can run opa using docker-compose and set up policies. Have you tried that?

[antonchaika]

@harshavardhana thx for reply. What values should I use in custom JWT claim "policy"? I've found how to add custom claim in my IDP. Now can you please explain values in this "policy" claim?

[harshavardhana]

The policy is your custom policy which you can create on minio with mc admin policy command

[harshavardhana]

This policy will be applied to all your rotating credentials automatically based on the jwt claims. You don't need to use OPA - this is infact our recommended way.

[antonchaika]

@harshavardhana, @poornas thx a lot! I've accomplished the result I wanted 🥇. Much appreciate for your support and quick SDK release.