Add STSClientGrants and STSWebIdentity credential provider #1059
Conversation
could you add examples for STSClientGrants and STSWebIdentity providers
Once merged they will be added on server side examples @poornas, I would refrain from adding them here. It would require copying documentation from the server code.
One comment, LGTM otherwise
My intention was something like this @vadmeste

```go
package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"

	minio "github.com/minio/minio-go"
	"github.com/minio/minio-go/pkg/credentials"
)

// JWTToken - parses the output from IDP access token.
type JWTToken struct {
	AccessToken string `json:"access_token"`
	Expiry      int    `json:"expires_in"`
}

var (
	stsEndpoint  string
	idpEndpoint  string
	clientID     string
	clientSecret string
)

func init() {
	flag.StringVar(&stsEndpoint, "sts-ep", "http://localhost:9000", "STS endpoint")
	flag.StringVar(&idpEndpoint, "idp-ep", "https://localhost:9443/oauth2/token", "IDP endpoint")
	flag.StringVar(&clientID, "cid", "", "Client ID")
	flag.StringVar(&clientSecret, "csec", "", "Client secret")
}

// getTokenExpiry performs the client_credentials grant against the IDP and
// returns the access token and its lifetime in the form STSClientGrants expects.
func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
	data := url.Values{}
	data.Set("grant_type", "client_credentials")
	req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(data.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	// Skips certificate verification for a local IDP with a self-signed cert;
	// do not keep this for a real deployment.
	t := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
		},
	}
	hclient := http.Client{
		Transport: t,
	}
	resp, err := hclient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s", resp.Status)
	}
	var idpToken JWTToken
	if err = json.NewDecoder(resp.Body).Decode(&idpToken); err != nil {
		return nil, err
	}
	return &credentials.ClientGrantsToken{Token: idpToken.AccessToken, Expiry: idpToken.Expiry}, nil
}

func main() {
	flag.Parse()
	if clientID == "" || clientSecret == "" {
		flag.PrintDefaults()
		return
	}
	sts, err := credentials.NewSTSClientGrants(stsEndpoint, getTokenExpiry)
	if err != nil {
		log.Fatal(err)
	}
	// Use Minio API operations by initializing the minio client with the
	// obtained temporary credentials.
	opts := &minio.Options{
		Creds:        sts,
		BucketLookup: minio.BucketLookupAuto,
	}
	clnt, err := minio.NewWithOptions(stsEndpoint, opts)
	if err != nil {
		log.Fatal(err)
	}
	d := bytes.NewReader([]byte("Hello, World"))
	n, err := clnt.PutObject("my-bucketname", "my-objectname", d, d.Size(), minio.PutObjectOptions{})
	if err != nil {
		log.Fatalln(err)
	}
	log.Println("Uploaded", "my-objectname", " of size: ", n, "Successfully.")
}
```
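The token fetch in the snippet above turns off TLS verification (`InsecureSkipVerify: true`), which is acceptable for a one-off local try-out against a self-signed IDP but not for anything that handles real client secrets. The following is an added example, not code from this PR or from the minio-go project: the same client_credentials exchange with verification left on, a request timeout, a bounded response body and a sanity check on the returned token, run offline against a constructed `httptest` TLS server standing in for the IDP. The endpoint, client id, secret and token value are all constructed for the example; `FetchClientCredentialsToken`, `NewIDPServer` and `Demo` are hypothetical names introduced here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// IDPToken mirrors the JSON an OAuth2 token endpoint returns for the
// client_credentials grant (field names as in RFC 6749 section 5.1).
type IDPToken struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// FetchClientCredentialsToken performs the client_credentials exchange against
// idpEndpoint using the supplied client. TLS verification stays at its default
// (enabled); a private CA belongs in the client's TLSClientConfig.RootCAs, not
// in InsecureSkipVerify.
func FetchClientCredentialsToken(client *http.Client, idpEndpoint, clientID, clientSecret string) (*IDPToken, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	req, err := http.NewRequest(http.MethodPost, idpEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("idp: unexpected status %s", resp.Status)
	}
	var tok IDPToken
	// Cap the body read so a misbehaving endpoint cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&tok); err != nil {
		return nil, err
	}
	// A token with no value or no lifetime would make STS refresh logic misbehave.
	if tok.AccessToken == "" || tok.ExpiresIn <= 0 {
		return nil, errors.New("idp: response missing access_token or expires_in")
	}
	return &tok, nil
}

// NewIDPServer is a constructed stand-in for an IDP token endpoint so the
// example runs offline. It accepts exactly one client id/secret pair.
func NewIDPServer(wantID, wantSecret string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != wantID || secret != wantSecret {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		// Constructed token value; a real IDP returns a signed JWT here.
		_ = json.NewEncoder(w).Encode(IDPToken{AccessToken: "constructed.jwt.token", TokenType: "Bearer", ExpiresIn: 3600})
	}))
}

// Demo wires the pieces together. The test server's own client trusts the
// server's self-signed certificate, so verification stays on even locally.
func Demo() (*IDPToken, error) {
	srv := NewIDPServer("app-client", "app-secret")
	defer srv.Close()
	client := srv.Client()
	client.Timeout = 5 * time.Second
	return FetchClientCredentialsToken(client, srv.URL, "app-client", "app-secret")
}

func main() {
	tok, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("token=%s expires_in=%d\n", tok.AccessToken, tok.ExpiresIn)
}
```

The returned `AccessToken` and `ExpiresIn` are what a `credentials.ClientGrantsToken` needs, so the fetch function can be wrapped in the callback passed to `NewSTSClientGrants` in place of the `InsecureSkipVerify` version above.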
Both providers implement a way to retrieve temporary credentials from the Minio STS service:

- using a client grants token (Minio only)
- using a web identity token (both Minio and AWS)

These temporary credentials will be used to perform API operations, for use with applications which never use static credentials.
LGTM
LGTM
Both providers implement a way to retrieve temporary credentials from the Minio STS service. These temporary credentials will be used to perform API operations, for use with applications which never use static credentials.