Support for Assume Role

[hardbyte]

This is a feature request for the Python API to support Assume Role.

[harshavardhana]

Feel free to send a PR @hardbyte - we already support credentials mechanism https://github.com/minio/minio-py/tree/master/minio/credentials

[hardbyte]

Thanks @harshavardhana I had a brief look at this and I think it would involve modifying the sign_v4 API in signer.py as the request has to be signed for the service sts instead of s3 in generate_signing_key(). If you're happy to have service="s3" as an optional parameter I could probably put together a PR.

[hardbyte]

How about something like this? https://gist.github.com/hardbyte/8d6261154b5c840a0f29e6d34cb181c9

Before making a PR I'm not sure if assume_role() should hang off the Minio object, or perhaps as a standalone function?

[harshavardhana]

How about something like this? https://gist.github.com/hardbyte/8d6261154b5c840a0f29e6d34cb181c9

Before making a PR I'm not sure if assume_role() should hang off the Minio object, or perhaps as a standalone function?

It should be credentials object similar in style to other implementations

[hardbyte]

Sure that is why I'm proposing returning a Credentials instance (see here)

Are you happy for assume_role to be a method of Minio, or should it be a top level function?

Or do you mean there should be a new class e.g. AssumeRoleCredentials as the main interface? I suspect that wouldn't be that clean as you need to have (non-root) credentials to assume a role.

My current assume_role api takes these parameters:

:param mc: Minio client needed to get endpoint, and credentials for the assume role request.
:param RoleArn: Ignored by minio, but required by STS.
param RoleSessionName: Ignored by minio, but required by STS.
:param Policy: Optional policy dict.
:param DurationSeconds: Number of seconds the assume role credentials will remain valid.

[harshavardhana]

Are you happy for assume_role to be a method of Minio, or should it be a top level function?

it shouldn't be a method of Minio constructor it should be just a credentials mechanism @hardbyte

[hardbyte]

Sweet that is not a big change from my gist prototype - I'll make a new AssumeRoleCredentials class - again I'll note that it will require an existing minio client as a constructor argument.

One other observation is that a primary reason for using AssumeRole is to then serialize the credentials to share with a user (e.g. for uploading to the object store).