Enhance S3 to S3 Transfer Tutorial using AWS Temp Credentials (AWS STS Token) #169

Closed
hemantxpatel opened this issue Dec 1, 2023 · 3 comments
Comments

@hemantxpatel
Contributor

Current Setup

Assuming Alice is the provider connector and Bob is the consumer connector.
Bob shares its actual AWS credentials with Alice to initiate the file transfer. Bob should generate an AWS temporary token with limited access and expiry. Alice can misuse Bob's credentials.

Issue

MinIO has limited support for STS tokens. We can generate an STS token using the AWS CLI:

aws --endpoint-url http://localhost:9000 sts assume-role --policy '{"Version":"2012-10-17","Statement":[{"Sid":"S3Access","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}' --role-arn arn:xxx:xxx:xxx:xxxx --role-session-name anything --duration-seconds $((365 * 86400))

This command returns a response similar to:

{
    "Credentials": {
        "AccessKeyId": "6V6DRU6086RMH7D9LEN0",
        "SecretAccessKey": "PH8eyvr+5G7iydON8t2mgaTXgjH8JOFXlBQsphPa",
        "SessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiI2VjZEUlU2MDg2Uk1IN0Q5TEVOMCIsImV4cCI6MTczMjk2ODI0MiwicGFyZW50IjoiYWxpY2Vhd3NjbGllbnQiLCJzZXNzaW9uUG9saWN5IjoiZXlKV1pYSnphVzl1SWpvaU1qQXhNaTB4TUMweE55SXNJbE4wWVhSbGJXVnVkQ0k2VzNzaVUybGtJam9pVXpOQlkyTmxjM01pTENKRlptWmxZM1FpT2lKQmJHeHZkeUlzSWtGamRHbHZiaUk2SW5Nek9pb2lMQ0pTWlhOdmRYSmpaU0k2SW1GeWJqcGhkM002Y3pNNk9qb3FJbjFkZlE9PSJ9.9WvwmfUyeES0VxbPPzVH0fOdlh_Y394BcxCscZp4EszliIFqgpwNKaUe-OeE8SKyKHN3QM5IGCrjMPQAv0FAig",
        "Expiration": "2024-11-30T12:04:02+00:00"
    },
    "AssumedRoleUser": {
        "Arn": ""
    }
}

Now this new token is not accepted by MinIO. Alice's connector-dataplane throws an error:

software.amazon.awssdk.services.s3.model.S3Exception: The Access Key Id you provided does not exist in our records.
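To make the "limited access and expiry" requirement from the issue concrete, here is an added Python example (not code from the EDC project or from the issue author). It builds a least-privilege session policy for the AssumeRole call instead of the broad `s3:*` on `arn:aws:s3:::*` shown above, clamps the requested lifetime to what AWS STS actually accepts (AssumeRole allows 900 to 43200 seconds; real STS would reject the 365-day duration in the CLI command, even if MinIO tolerates it), and extracts the full credential triple from the response, since temporary credentials are only valid when the SessionToken is presented together with the access key and secret. The bucket name, prefix, role ARN and the STS response are constructed placeholders, and the function names are mine.

```python
"""Added example: least-privilege STS AssumeRole request for a one-off S3
transfer, plus validation of the returned temporary credentials.  Bucket,
prefix and role ARN are hypothetical; the sample STS response below mirrors
the shape of `aws sts assume-role` output but contains fake values."""
import json
from datetime import datetime, timezone

# AWS STS limits for AssumeRole DurationSeconds. MinIO may accept longer, but a
# transfer token should live only about as long as the transfer itself.
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 12 * 3600


def scoped_session_policy(bucket: str, prefix: str, allow_write: bool = False) -> dict:
    """Session policy restricting the temporary credentials to one bucket prefix.
    Unlike "s3:*" on every bucket, a leaked token can only touch these objects."""
    actions = ["s3:GetObject"]
    if allow_write:
        actions.append("s3:PutObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Action": actions,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "ListPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def assume_role_params(role_arn: str, session_name: str, policy: dict,
                       duration_seconds: int) -> dict:
    """Keyword arguments for STS AssumeRole (boto3's sts.assume_role(**params),
    or the matching `aws sts assume-role` flags), lifetime clamped to STS limits."""
    clamped = max(MIN_DURATION_SECONDS, min(duration_seconds, MAX_DURATION_SECONDS))
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Policy": json.dumps(policy, separators=(",", ":")),
        "DurationSeconds": clamped,
    }


def credentials_for_s3_client(sts_response: dict, now: datetime) -> dict:
    """Extract the temporary credential triple from an AssumeRole response.
    All three parts must be passed on together: an S3 client configured with
    only AccessKeyId and SecretAccessKey, without the SessionToken, presents a
    key S3 cannot resolve."""
    creds = sts_response["Credentials"]
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(field):
            raise ValueError(f"STS response missing {field}")
    expiration = datetime.fromisoformat(creds["Expiration"])
    if expiration <= now:
        raise ValueError("temporary credentials already expired")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expires_in": int((expiration - now).total_seconds()),
    }


# Constructed sample response (fake placeholder values, not real credentials).
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "EXAMPLESECRETKEY0000000000000000000000",
        "SessionToken": "EXAMPLE.SESSION.TOKEN",
        "Expiration": "2024-01-01T13:00:00+00:00",
    },
    "AssumedRoleUser": {"Arn": "arn:aws:sts::123456789012:assumed-role/transfer/demo"},
}

if __name__ == "__main__":
    policy = scoped_session_policy("consumer-bucket", "incoming/")
    params = assume_role_params("arn:aws:iam::123456789012:role/transfer",
                                "edc-transfer", policy, 365 * 86400)
    print(json.dumps(params, indent=2))
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(credentials_for_s3_client(SAMPLE_STS_RESPONSE, now))
```

The consumer (Bob) would run the AssumeRole call with these parameters and hand the resulting triple to the provider (Alice); the provider's data plane then has access to one prefix for at most the clamped lifetime, so a misused or leaked token is bounded in both scope and time.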
This issue is stale because it has been open for 2 weeks with no activity.

@github-actions github-actions bot added the stale label Feb 25, 2025
github-actions bot commented Mar 4, 2025

This issue was closed because it has been inactive for 7 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 4, 2025