Closed dkocher closed 1 year ago
Well, I'd love to req. for the Minio S3/STS + Azure AD (OIDC) combo! Which is not listed above, but I assume Keycloak's workflow or Azure shall be similar...
This will be the same as this ^1 sample with the addition of the custom STS API endpoint (defaults to sts.amazonaws.com) using
<key>STS Endpoint</key>
<string>http://localhost:9000</string>
→ https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
With support for retrieving authentication tokens for S3 using the STS APIs ^2, we should provide (sample) connection profiles for the typical providers supported.
General connection profile blueprint
🟢 AWS S3/STS + Keycloak (OIDC)
🟢 Minio S3/STS + Keycloak (OIDC)
🟥 AWS S3/STS + GitHub (OIDC) ^3
Prerequisites: Add the identity provider https://token.actions.githubusercontent.com to AWS IAM. For the Audience, use sts.amazonaws.com.
❗ Currently not possible to integrate because the id-token endpoint only seems to be accessible from GitHub Actions. ^7
🟢 AWS S3/STS + Google (OIDC) ^5
Prerequisites: Add the identity provider for Google to AWS IAM. The Audience must be set to the OAuth Client ID like 996125414232-s922bvdt21nceeh5dq1gb6av8plpj7hr.apps.googleusercontent.com.
In the sample configuration of the custom trust policy set for the IAM role in AWS, the condition limits access to a particular Google Account using SUBJECT_ID. SUBJECT_ID can be obtained from the service account or regular account in the ID token returned from POST https://accounts.google.com/o/oauth2/token decoded as JWT.
Set s3.assumerole.rolearn in the connection profile to the Role ARN. Set it to s3.assumerole.rolearn= for a prompt to enter on login.
🟥 AWS S3/STS + AWS IAM Identity Center ^8
Use the S3 (Credentials from AWS Command Line Interface) connection profile instead.
🟢 AWS S3/STS + Azure AD (OIDC)
Prerequisites: Add the identity provider https://login.microsoftonline.com/<tenant>/v2.0 to AWS IAM. The Audience must be set to the OAuth Client ID like f40bc18f-cd02-4212-b7f1-15243e4e2ad3.
Set s3.assumerole.rolearn in the connection profile to the Role ARN. Set it to s3.assumerole.rolearn= for a prompt to enter on login.
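The STS exchange that the profiles above configure (a custom STS Endpoint instead of sts.amazonaws.com, a Role ARN in s3.assumerole.rolearn, and the sub/aud claims a trust policy pins the role to), as an added example that is not part of this issue or of Cyberduck's own code. It uses only the Python standard library and constructed data: the MinIO endpoint http://localhost:9000, the role ARN, the tenant id and every token and response value are assumptions made up for the example, so it runs offline. Swap the injected `post` for the real `post_form` to talk to a live STS endpoint.

```python
"""Added example (not Cyberduck code): AssumeRoleWithWebIdentity against a
custom STS endpoint, with the ID-token claims a trust policy is written from.
All endpoints, ARNs, tenant ids and token/response contents are constructed."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_DEFAULT_ENDPOINT = "https://sts.amazonaws.com"  # used when "STS Endpoint" is unset
STS_API_VERSION = "2011-06-15"


class StsError(ValueError):
    """Raised when STS answers with an <ErrorResponse> (e.g. wrong audience)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(id_token):
    """Claims of an ID token. The signature is deliberately not verified here:
    STS verifies it against the identity provider's keys; this only reads the
    sub/aud values needed to write the role's trust policy."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def trust_policy_condition(claims, provider):
    """Condition block for the trust policy. Condition keys are <provider>:aud and
    <provider>:sub, where <provider> is the IAM identity provider name
    (accounts.google.com, or the issuer URL without the https:// prefix)."""
    return {"StringEquals": {f"{provider}:aud": claims["aud"],
                             f"{provider}:sub": claims["sub"]}}


def build_assume_role_request(sts_endpoint, id_token, session_name,
                              role_arn=None, duration_seconds=3600):
    """URL and form body of the STS call. RoleArn is mandatory on AWS; it is
    omitted when None because MinIO can take the policy from token claims."""
    params = {"Action": "AssumeRoleWithWebIdentity", "Version": STS_API_VERSION,
              "RoleSessionName": session_name, "WebIdentityToken": id_token,
              "DurationSeconds": str(duration_seconds)}
    if role_arn:
        params["RoleArn"] = role_arn
    return sts_endpoint.rstrip("/") + "/", urllib.parse.urlencode(params).encode()


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the STS XML namespace


def parse_assume_role_response(xml_text):
    """Temporary credentials from the STS XML, or StsError on an <ErrorResponse>."""
    root = ET.fromstring(xml_text)
    fields = {_local(el.tag): el.text.strip() for el in root.iter() if el.text and el.text.strip()}
    if _local(root.tag) == "ErrorResponse":
        raise StsError(fields.get("Code", "Unknown"), fields.get("Message", ""))
    missing = {"AccessKeyId", "SecretAccessKey", "SessionToken"} - fields.keys()
    if missing:
        raise ValueError(f"STS response lacks {sorted(missing)}")
    return {k: fields[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken",
                                   "Expiration", "SubjectFromWebIdentityToken") if k in fields}


def post_form(url, body):
    """Real transport: POST the form to the STS endpoint and return the XML."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def assume_role_with_web_identity(id_token, session_name, role_arn=None,
                                  sts_endpoint=STS_DEFAULT_ENDPOINT, post=post_form):
    url, body = build_assume_role_request(sts_endpoint, id_token, session_name, role_arn)
    return parse_assume_role_response(post(url, body))


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


# Constructed ID token (unsigned placeholder signature; a real one is signed by the issuer).
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "example"}),
    _b64url({"iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
             "aud": "f40bc18f-cd02-4212-b7f1-15243e4e2ad3",
             "sub": "AAAAAAAAAAAAAAAAAAAAAMhKbZGn3QiD5ZZqpYvl6lk", "exp": 1700000000}),
    "c2lnbmF0dXJlLW9taXR0ZWQ"])

# Constructed STS replies in the shape AWS and MinIO return.
SAMPLE_STS_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
 <AssumeRoleWithWebIdentityResult>
  <SubjectFromWebIdentityToken>AAAAAAAAAAAAAAAAAAAAAMhKbZGn3QiD5ZZqpYvl6lk</SubjectFromWebIdentityToken>
  <Credentials><AccessKeyId>ASIAEXAMPLEACCESSKEY</AccessKeyId>
   <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
   <SessionToken>eyJhbGciOiJIUzUxMiJ9.example.session</SessionToken>
   <Expiration>2024-01-01T01:00:00Z</Expiration></Credentials>
 </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""
SAMPLE_STS_ERROR = """<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
 <Error><Type>Sender</Type><Code>InvalidIdentityToken</Code>
  <Message>Incorrect token audience</Message></Error>
</ErrorResponse>"""

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_ID_TOKEN)
    print(json.dumps(trust_policy_condition(claims, claims["iss"].split("://", 1)[1]), indent=2))
    creds = assume_role_with_web_identity(
        SAMPLE_ID_TOKEN, "cyberduck", role_arn="arn:aws:iam::123456789012:role/S3Access",
        sts_endpoint="http://localhost:9000", post=lambda url, body: SAMPLE_STS_RESPONSE)
    print(creds["AccessKeyId"], "expires", creds["Expiration"])
```

The request is left as a plain form POST on purpose: AssumeRoleWithWebIdentity is unsigned (the ID token is the credential), which is why the audience and sub conditions in the trust policy are the only thing standing between "any token this issuer signs" and the role.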