Add MinIO storage profile command #317
Closed
daniel-marthaler wants to merge 1 commit into shift7-ch:issues/83-vaultprovider from
MinIO does not support AWS-style role chaining (AssumeRole with tagged sessions using temporary STS credentials). When stsRoleAccessBucketAssumeRoleTaggedSession was set in a MinIO storage profile, the client attempted a second AssumeRole call after the initial AssumeRoleWithWebIdentity, which failed.

Changes:
- STSChainedAssumeRoleRequestInterceptor: Skip role chaining when STS endpoint is non-AWS (custom endpoint like MinIO)
- Add MinioSTSStorageProfile CLI command to correctly create MinIO storage profiles without role chaining fields
- Register MinIO subcommand in StorageProfile

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dkocher
requested changes
Mar 28, 2026
| @@ -76,6 +76,11 @@ public TemporaryAccessTokens assumeRoleWithWebIdentity(final OAuthTokens oauth, | |||
| final PreferencesReader settings = HostPreferencesFactory.get(bookmark); | |||
| final TemporaryAccessTokens tokens = super.assumeRoleWithWebIdentity(this.tokenExchange(oauth), settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_WEBIDENTITY)); | |||
| if(StringUtils.isNotBlank(settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_TAG))) { | |||
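Review bot: the visible context already gates role chaining on S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_TAG being non-blank (the `if(StringUtils.isNotBlank(settings.getProperty(S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_TAG)))` line), and that property is what stsRoleAccessBucketAssumeRoleTaggedSession maps to, which the new MinIO profile command leaves unset; the non-AWS endpoint check this hunk introduces therefore guards a branch that MinIO profiles created by the CLI never enter. Either drop the endpoint check or add a code comment naming the concrete case in which a non-blank tag property reaches this point together with a non-AWS endpoint, so the two guards do not silently drift apart.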
Contributor
The stsRoleAccessBucketAssumeRoleTaggedSession setting in the storage profile configuration is mapped to the S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN_TAG setting and should already be null as shown above in the CLI setup. Thus the additional check for the STS endpoint is redundant.
Contributor
Replaced with #323.
Summary
- STSChainedAssumeRoleRequestInterceptor now detects non-AWS STS endpoints and skips the second AssumeRole call. MinIO does not support role chaining with temporary STS credentials.
- katta storageprofile minio sts CLI command: Creates MinIO storage profiles correctly without stsRoleAccessBucketAssumeRoleTaggedSession and stsSessionTag (which are AWS-only).
- Register MinIO subcommand in StorageProfile command hierarchy.

Background
When a MinIO storage profile had stsRoleAccessBucketAssumeRoleTaggedSession set, the desktop client attempted AWS-style role chaining after AssumeRoleWithWebIdentity. MinIO does not support AssumeRole with temporary STS credentials — it uses ${jwt:client_id} policy variables instead to scope bucket access per vault.

Changes
- STSChainedAssumeRoleRequestInterceptor.java
- StorageProfile.java
- minio/MinIO.java
- minio/MinioSTSStorageProfile.java

Test plan
- katta storageprofile minio sts command creates correct profile

🤖 Generated with Claude Code
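The per-vault scoping the Background section refers to, shown as an added MinIO policy example that is not part of this pull request or the project's own configuration: instead of a second AssumeRole with a session tag, MinIO substitutes the ${jwt:client_id} claim of the web-identity token at evaluation time, so a client can only list and read or write objects under its own prefix. The bucket name "vaults" and the one-prefix-per-client layout are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::vaults"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${jwt:client_id}/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::vaults/${jwt:client_id}/*"]
    }
  ]
}
```

Because the variable is resolved from the token MinIO already validated during AssumeRoleWithWebIdentity, no chained AssumeRole call is needed to narrow the credentials; the ListBucket condition on s3:prefix keeps one client from enumerating other clients' vault prefixes.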