minio/minio
STS
MinIO implements an AWS-compatible Security Token Service (STS) for issuing short-lived credentials. The handlers live in cmd/sts-handlers.go. They aren't mounted under a versioned prefix; they answer at the root path with ?Action=... query parameters, matching AWS.
Endpoints
| Action | What it does |
|---|---|
AssumeRole |
Native role-assume by an IAM user/root. |
AssumeRoleWithLDAPIdentity |
LDAP login → temp credentials. |
AssumeRoleWithWebIdentity |
OIDC ID token → temp credentials. |
AssumeRoleWithClientGrants |
OAuth2 client-credentials flow. |
AssumeRoleWithCertificate |
mTLS client certificate → temp credentials. |
AssumeRoleWithCustomToken |
Plug-in IDP token → temp credentials. |
GetSessionToken |
Self-issued session token for an existing IAM principal. |
Wire format
XML responses matching the AWS STS schema. Errors follow the AWS error envelope (<ErrorResponse><Error>...).
Validation
| Endpoint | What's validated |
|---|---|
AssumeRole |
SigV4 signature against the caller's parent credentials. |
AssumeRoleWithLDAPIdentity |
LDAP bind + group lookup via internal/config/identity/ldap/. |
AssumeRoleWithWebIdentity |
ID-token signature, issuer, audience via coreos/go-oidc/v3. |
AssumeRoleWithCertificate |
TLS handshake produced an accepted client cert; CA in internal/config/identity/tls/. |
AssumeRoleWithCustomToken |
HTTP webhook check via internal/config/identity/plugin/. |
Session policy
Every issued credential carries an embedded session policy. By default it equals the parent principal's effective policy; a request can pass Policy=... to further narrow it. The cluster signs the credentials with the cluster shared secret so any peer accepts them without an extra round trip.
Lifetime
- Default 1 hour, configurable up to a cap (
MINIO_STS_DURATION_SECONDS). - Web Identity tokens inherit their max lifetime from the IDP's
expclaim.
Errors
Defined in cmd/sts-errors.go with the matching string table in cmd/stserrorcode_string.go. Common ones:
InvalidIdentityToken— token validation failed.InvalidParameterValue— bad request shape.InvalidParameterCombination— incompatible flags.IDPCommunicationError— IDP unreachable.MalformedPolicyDocument— supplied session policy doesn't parse.
See also
- External identity and SSO — the cross-system view.
- IAM and STS — the runtime view.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.