Documentation ¶
Overview ¶
Package credentials provides credential retrieval and management for S3 compatible object storage.
By default, Credentials.Get() caches the successful result of a Provider's Retrieve() until Provider.IsExpired() returns true, at which point Credentials calls the Provider's Retrieve() again to obtain a new credential Value.
The Provider is responsible for determining when credentials have expired. It is also important to note that Credentials will always call Retrieve the first time Credentials.Get() is called.
Example of using the environment variable credentials.
```go
creds := NewEnvAWS()

// Retrieve the credentials value
credValue, err := creds.Get()
if err != nil {
	// handle error
}
```
Example of forcing credentials to expire and be refreshed on the next Get(). This may be helpful to proactively expire credentials and refresh them sooner than they would naturally expire on their own.
```go
creds := NewIAM("")
creds.Expire()
credsValue, err := creds.Get() // New credentials will be retrieved instead of from cache.
```
Custom Provider ¶
Each Provider built into this package also provides a helper method to generate a Credentials pointer set up with that provider. To use a custom Provider, create a type which satisfies the Provider interface and pass it to New.
```go
type MyProvider struct{}
func (m *MyProvider) Retrieve() (Value, error) {...}
func (m *MyProvider) IsExpired() bool {...}

creds := New(&MyProvider{})
credValue, err := creds.Get()
```
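The caching contract described above (the first Get() always calls Retrieve(), the result is cached until IsExpired() reports true, and Expire() overrides that) can be checked with a small stand-alone model. The following is an added example written for this page; it is not the package's own implementation and does not import it. Value, Provider, Credentials and New here are cut-down local definitions that mirror the documented behaviour, and CountingProvider is a hypothetical custom Provider that exists only to count how often Retrieve() runs.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Value carries the credential fields a Provider hands back (a subset of the
// package's Value, defined locally for this example).
type Value struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// Provider is the two-method contract a custom provider must satisfy.
type Provider interface {
	Retrieve() (Value, error)
	IsExpired() bool
}

// Credentials caches the Provider's Value until the Provider reports expiry or
// Expire() is called. The mutex is why Providers need no locking of their own.
type Credentials struct {
	mu           sync.Mutex
	provider     Provider
	creds        Value
	forceRefresh bool // starts true, so the first Get always calls Retrieve
}

// New wraps a Provider; the first Get() is guaranteed to call Retrieve().
func New(p Provider) *Credentials {
	return &Credentials{provider: p, forceRefresh: true}
}

// Get returns the cached Value, refreshing it first if the Provider says it is
// expired or Expire() was called. A failed Retrieve caches nothing, so the
// next Get retries instead of handing out stale or empty credentials.
func (c *Credentials) Get() (Value, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.forceRefresh || c.provider.IsExpired() {
		v, err := c.provider.Retrieve()
		if err != nil {
			return Value{}, err
		}
		c.creds = v
		c.forceRefresh = false
	}
	return c.creds, nil
}

// Expire forces the next Get() to call Retrieve(), overriding the Provider's
// own IsExpired() answer.
func (c *Credentials) Expire() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.forceRefresh = true
}

// CountingProvider is a hypothetical custom Provider that makes the caching
// observable: it counts Retrieve calls, and the caller can flip Expired (the
// Provider's own view of expiry) or Fail (a backend outage).
type CountingProvider struct {
	Calls   int
	Expired bool
	Fail    bool
}

func (p *CountingProvider) Retrieve() (Value, error) {
	p.Calls++
	if p.Fail {
		return Value{}, errors.New("constructed failure: credential backend unavailable")
	}
	// Constructed sample credentials; the suffix shows which Retrieve produced them.
	return Value{
		AccessKeyID:     fmt.Sprintf("CONSTRUCTED-KEY-%d", p.Calls),
		SecretAccessKey: "constructed-secret",
	}, nil
}

func (p *CountingProvider) IsExpired() bool { return p.Expired }

func main() {
	p := &CountingProvider{}
	creds := New(p)
	v, _ := creds.Get() // Retrieve #1
	creds.Get()         // served from cache
	creds.Expire()
	w, _ := creds.Get() // Retrieve #2
	fmt.Printf("first=%s second=%s retrieves=%d\n", v.AccessKeyID, w.AccessKeyID, p.Calls)
}
```

Two points worth taking from the model: Get() holds the lock around both the expiry check and the Retrieve() call, so a custom Provider that is only ever driven through Credentials needs no synchronization of its own; and a Retrieve() that fails leaves nothing cached, so callers see the error rather than a silently empty Value.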
Index ¶
- Constants
- func WithPolicy(policy string) func(*STSWebIdentity)
- type AssumeRoleResponse
- type AssumeRoleResult
- type AssumeRoleWithClientGrantsResponse
- type AssumeRoleWithCustomTokenResponse
- type AssumeRoleWithLDAPResponse
- type AssumeRoleWithWebIdentityResponse
- type AssumedRoleUser
- type CertificateIdentityOption
- type Chain
- type ClientGrantsResult
- type ClientGrantsToken
- type Credentials
- func New(provider Provider) *Credentials
- func NewChainCredentials(providers []Provider) *Credentials
- func NewCustomTokenCredentials(stsEndpoint, token, roleArn string, optFuncs ...CustomTokenOpt) (*Credentials, error)
- func NewEnvAWS() *Credentials
- func NewEnvMinio() *Credentials
- func NewFileAWSCredentials(filename, profile string) *Credentials
- func NewFileMinioClient(filename, alias string) *Credentials
- func NewIAM(endpoint string) *Credentials
- func NewKubernetesIdentity(stsEndpoint string, opts ...func(*STSWebIdentity)) (*Credentials, error)
- func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string, optFuncs ...LDAPIdentityOpt) (*Credentials, error)
- func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error) (deprecated)
- func NewSTSAssumeRole(stsEndpoint string, opts STSAssumeRoleOptions) (*Credentials, error)
- func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, ...) (*Credentials, error)
- func NewSTSClientGrants(stsEndpoint string, ...) (*Credentials, error)
- func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error), ...) (*Credentials, error)
- func NewStatic(id, secret, token string, signerType SignatureType) *Credentials
- func NewStaticV2(id, secret, token string) *Credentials
- func NewStaticV4(id, secret, token string) *Credentials
- type CustomTokenIdentity
- type CustomTokenOpt
- type CustomTokenResult
- type EnvAWS
- type EnvMinio
- type Error
- type ErrorResponse
- type Expiry
- type FileAWSCredentials
- type FileMinioClient
- type IAM
- type LDAPIdentity
- type LDAPIdentityOpt
- type LDAPIdentityResult
- type Provider
- type STSAssumeRole
- type STSAssumeRoleOptions
- type STSCertificateIdentity
- type STSClientGrants
- type STSWebIdentity
- type SignatureType
- type Static
- type Value
- type WebIdentityResult
- type WebIdentityToken
Constants ¶
```go
const (
	DefaultIAMRoleEndpoint      = "http://169.254.169.254"
	DefaultECSRoleEndpoint      = "http://169.254.170.2"
	DefaultSTSRoleEndpoint      = "https://sts.amazonaws.com"
	DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
	TokenRequestTTLHeader       = "X-aws-ec2-metadata-token-ttl-seconds"
	TokenPath                   = "/latest/api/token"
	TokenTTL                    = "21600"
	TokenRequestHeader          = "X-aws-ec2-metadata-token"
)
```
IAM Roles for Amazon EC2 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
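TokenPath, TokenRequestTTLHeader, TokenTTL and TokenRequestHeader describe the IMDSv2 exchange with the instance metadata service: a PUT that returns a short-lived session token, followed by metadata reads that present that token. The following added example (written for this page, not the package's IAM provider) walks that exchange against a constructed in-process stand-in for 169.254.169.254. NewFakeIMDS, FetchRoleCredentials, imdsRequest, the role name and all key material are constructed for the example, and the role name is passed in rather than listed from the metadata service.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	TokenPath                   = "/latest/api/token"
	TokenRequestTTLHeader       = "X-aws-ec2-metadata-token-ttl-seconds"
	TokenRequestHeader          = "X-aws-ec2-metadata-token"
	TokenTTL                    = "21600"
	DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
)

// RoleCredentials is the JSON document IMDS serves for an instance role.
type RoleCredentials struct {
	Code, AccessKeyId, SecretAccessKey, Token, Expiration string
}

// imdsRequest performs one metadata call; any non-200 status is a failure.
func imdsRequest(client *http.Client, method, url string, hdr map[string]string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	return string(body), err
}

// FetchRoleCredentials runs the IMDSv2 exchange: PUT for a session token (the
// step a GET-only SSRF cannot perform), then read the role's keys while
// presenting that token. The role name is assumed known here; a real client
// lists it from DefaultIAMSecurityCredsPath first.
func FetchRoleCredentials(client *http.Client, endpoint, role string) (RoleCredentials, error) {
	token, err := imdsRequest(client, http.MethodPut, endpoint+TokenPath,
		map[string]string{TokenRequestTTLHeader: TokenTTL})
	if err != nil {
		return RoleCredentials{}, fmt.Errorf("imds token: %w", err)
	}
	body, err := imdsRequest(client, http.MethodGet, endpoint+DefaultIAMSecurityCredsPath+role,
		map[string]string{TokenRequestHeader: token})
	if err != nil {
		return RoleCredentials{}, fmt.Errorf("read role %q: %w", role, err)
	}
	var rc RoleCredentials
	if err := json.Unmarshal([]byte(body), &rc); err != nil {
		return RoleCredentials{}, err
	}
	if rc.Code != "Success" || rc.AccessKeyId == "" || rc.SecretAccessKey == "" {
		return RoleCredentials{}, fmt.Errorf("imds returned code %q without usable keys", rc.Code)
	}
	return rc, nil
}

// NewFakeIMDS is a constructed in-process stand-in for 169.254.169.254 that
// enforces IMDSv2: the credentials path answers 401 without the session token.
func NewFakeIMDS() *httptest.Server {
	const session = "constructed-session-token"
	mux := http.NewServeMux()
	mux.HandleFunc(TokenPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.Header.Get(TokenRequestTTLHeader) == "" {
			http.Error(w, "token requires PUT with a TTL header", http.StatusBadRequest)
			return
		}
		io.WriteString(w, session)
	})
	mux.HandleFunc(DefaultIAMSecurityCredsPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(TokenRequestHeader) != session {
			http.Error(w, "missing or invalid session token", http.StatusUnauthorized)
			return
		}
		if strings.TrimPrefix(r.URL.Path, DefaultIAMSecurityCredsPath) != "constructed-role" {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(RoleCredentials{Code: "Success", AccessKeyId: "CONSTRUCTED-KEY",
			SecretAccessKey: "constructed-secret", Token: "constructed-token", Expiration: "2024-01-01T13:00:00Z"})
	})
	return httptest.NewServer(mux)
}
```

The stand-in refuses the credentials path without the token and refuses to mint a token for a GET. That is the property IMDSv2 exists for: a server-side request forgery that can only issue GET requests cannot complete the PUT step, so it cannot read the role credentials that a v1-style GET to the same path would have returned.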
```go
const DefaultExpiryWindow = -1
```
DefaultExpiryWindow - Default expiry window. An expiry window lets the credentials trigger a refresh before they actually expire. This avoids the race in which credentials expire mid-request and the request fails unexpectedly with an ExpiredTokenException. DefaultExpiryWindow can be passed as the window parameter to (*Expiry).SetExpiration; when used, the refresh is triggered once 80% of the time between the call to SetExpiration and the actual expiration time has elapsed.
```go
const (
	// STSVersion sts version string
	STSVersion = "2011-06-15"
)
```
Variables ¶
This section is empty.
Functions ¶
func WithPolicy ¶ added in v7.0.78
func WithPolicy(policy string) func(*STSWebIdentity)
WithPolicy option will enforce that the returned credentials will be scoped down to the specified policy
Types ¶
type AssumeRoleResponse ¶
```go
type AssumeRoleResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleResponse" json:"-"`

	Result           AssumeRoleResult `xml:"AssumeRoleResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
```
AssumeRoleResponse contains the result of successful AssumeRole request.
type AssumeRoleResult ¶
```go
type AssumeRoleResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials struct {
		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
	} `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int `xml:",omitempty"`
}
```
AssumeRoleResult - Contains the response to a successful AssumeRole request, including temporary credentials that can be used to make MinIO API requests.
type AssumeRoleWithClientGrantsResponse ¶
```go
type AssumeRoleWithClientGrantsResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithClientGrantsResponse" json:"-"`

	Result           ClientGrantsResult `xml:"AssumeRoleWithClientGrantsResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
```
AssumeRoleWithClientGrantsResponse contains the result of successful AssumeRoleWithClientGrants request.
type AssumeRoleWithCustomTokenResponse ¶ added in v7.0.27
```go
type AssumeRoleWithCustomTokenResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithCustomTokenResponse" json:"-"`

	Result   CustomTokenResult `xml:"AssumeRoleWithCustomTokenResult"`
	Metadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
```
AssumeRoleWithCustomTokenResponse contains the result of a successful AssumeRoleWithCustomToken request.
type AssumeRoleWithLDAPResponse ¶
```go
type AssumeRoleWithLDAPResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithLDAPIdentityResponse" json:"-"`

	Result           LDAPIdentityResult `xml:"AssumeRoleWithLDAPIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
```
AssumeRoleWithLDAPResponse contains the result of successful AssumeRoleWithLDAPIdentity request
type AssumeRoleWithWebIdentityResponse ¶
```go
type AssumeRoleWithWebIdentityResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`

	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}
```
AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
type AssumedRoleUser ¶
AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
type CertificateIdentityOption ¶ added in v7.0.15
type CertificateIdentityOption func(*STSCertificateIdentity)
CertificateIdentityOption is an optional AssumeRoleWithCertificate parameter, e.g. a custom HTTP transport configuration or the S3 credential lifetime.
func CertificateIdentityWithExpiry ¶ added in v7.0.15
func CertificateIdentityWithExpiry(livetime time.Duration) CertificateIdentityOption
CertificateIdentityWithExpiry returns a CertificateIdentityOption that customizes the STSCertificateIdentity with the given lifetime.
Fetched S3 credentials will have the given lifetime if the STS server allows such credentials; the server may issue a shorter one.
func CertificateIdentityWithTransport ¶ added in v7.0.15
func CertificateIdentityWithTransport(t http.RoundTripper) CertificateIdentityOption
CertificateIdentityWithTransport returns a CertificateIdentityOption that customizes the STSCertificateIdentity with the given http.RoundTripper.
type Chain ¶
```go
type Chain struct {
	Providers []Provider
	// contains filtered or unexported fields
}
```
A Chain will search for a provider which returns credentials and cache that provider until Retrieve is called again.
The Chain provides a way of chaining multiple providers together; it picks the first one that yields credentials, in the priority order of the Providers list.
If none of the Providers retrieve a valid credentials Value, Chain's Retrieve() returns the no-credentials (empty) Value. Callers that must not fall back to anonymous access should check the returned Value for an empty AccessKeyID rather than rely on the error return.
If a Provider is found which returns a valid credentials Value, Chain caches that Provider for all calls to IsExpired(), until Retrieve is called again after IsExpired() is true.
```go
creds := credentials.NewChainCredentials(
	[]credentials.Provider{
		&credentials.EnvAWS{},
		&credentials.EnvMinio{},
	})

// Usage of ChainCredentials.
mc, err := minio.New(endpoint, &minio.Options{
	Creds:  creds,
	Secure: secure,
	Region: "us-east-1",
})
if err != nil {
	log.Fatalln(err)
}
```
func (*Chain) IsExpired ¶
IsExpired will return the expired state of the currently cached provider if there is one. If there is no current provider, true will be returned.
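The priority and caching rules above, together with the fail-closed check a caller should add, as a stand-alone model. This is an added example written for this page, not the package's Chain; Value, Provider, Chain, EnvProvider, Static, RequireSigned and MapLookup are local definitions, and the map-backed lookup substitutes for the real environment so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Value and Provider are local cut-downs of the package's types.
type Value struct {
	AccessKeyID     string
	SecretAccessKey string
}

type Provider interface {
	Retrieve() (Value, error)
	IsExpired() bool
}

// Chain tries Providers in order, caches the first one that yields a
// non-empty Value, and delegates IsExpired to that cached Provider.
type Chain struct {
	Providers []Provider
	curr      Provider
}

func (c *Chain) Retrieve() (Value, error) {
	for _, p := range c.Providers {
		v, err := p.Retrieve()
		if err != nil || v.AccessKeyID == "" || v.SecretAccessKey == "" {
			continue // try the next provider in priority order
		}
		c.curr = p
		return v, nil
	}
	c.curr = nil
	return Value{}, nil // the no-credentials value: requests would go out unsigned
}

func (c *Chain) IsExpired() bool {
	if c.curr == nil {
		return true
	}
	return c.curr.IsExpired()
}

// EnvProvider reads a key pair from two environment variables. Lookup defaults
// to os.Getenv; a map-backed Lookup keeps the example off the real environment.
type EnvProvider struct {
	KeyVar, SecretVar string
	Lookup            func(string) string
}

func (e *EnvProvider) lookup(name string) string {
	if e.Lookup == nil {
		return os.Getenv(name)
	}
	return e.Lookup(name)
}

func (e *EnvProvider) Retrieve() (Value, error) {
	return Value{AccessKeyID: e.lookup(e.KeyVar), SecretAccessKey: e.lookup(e.SecretVar)}, nil
}

func (e *EnvProvider) IsExpired() bool { return false }

// Static holds credentials set in code and never expires.
type Static struct{ Value }

func (s *Static) Retrieve() (Value, error) { return s.Value, nil }
func (s *Static) IsExpired() bool          { return false }

// RequireSigned is the fail-closed check to apply to a Chain's result: the
// empty Value is a valid Chain result but means anonymous access.
func RequireSigned(v Value) error {
	if v.AccessKeyID == "" || v.SecretAccessKey == "" {
		return errors.New("no provider yielded credentials; refusing to continue anonymously")
	}
	return nil
}

// MapLookup builds a Lookup function over a constructed environment.
func MapLookup(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

func main() {
	chain := &Chain{Providers: []Provider{
		&EnvProvider{KeyVar: "AWS_ACCESS_KEY_ID", SecretVar: "AWS_SECRET_ACCESS_KEY"},
		&EnvProvider{KeyVar: "MINIO_ROOT_USER", SecretVar: "MINIO_ROOT_PASSWORD"},
	}}
	v, _ := chain.Retrieve()
	if err := RequireSigned(v); err != nil {
		fmt.Println("refusing:", err)
		return
	}
	fmt.Println("using access key", v.AccessKeyID)
}
```

The Chain itself reports success (nil error) when every provider comes up empty, which a client would turn into unsigned requests; RequireSigned makes that an error at the call site, and the order of the Providers slice is the only thing deciding which source wins when more than one is populated.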
type ClientGrantsResult ¶
```go
type ClientGrantsResult struct {
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
	Audience        string          `xml:",omitempty"`
	Credentials     struct {
		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
	} `xml:",omitempty"`
	PackedPolicySize             int    `xml:",omitempty"`
	Provider                     string `xml:",omitempty"`
	SubjectFromClientGrantsToken string `xml:",omitempty"`
}
```
ClientGrantsResult - Contains the response to a successful AssumeRoleWithClientGrants request, including temporary credentials that can be used to make MinIO API requests.
type ClientGrantsToken ¶
ClientGrantsToken - client grants token with expiry.
type Credentials ¶
Credentials - A container for synchronous safe retrieval of credentials Value. Credentials will cache the credentials value until they expire. Once the value expires the next Get will attempt to retrieve valid credentials.
Credentials is safe to use across multiple goroutines and will manage the synchronous state so the Providers do not need to implement their own synchronization.
The first Credentials.Get() will always call Provider.Retrieve() to get the first instance of the credentials Value. All calls to Get() after that will return the cached credentials Value until IsExpired() returns true.
func New ¶
func New(provider Provider) *Credentials
New returns a pointer to a new Credentials with the provider set.
func NewChainCredentials ¶
func NewChainCredentials(providers []Provider) *Credentials
NewChainCredentials returns a pointer to a new Credentials object wrapping a chain of providers.
func NewCustomTokenCredentials ¶ added in v7.0.27
func NewCustomTokenCredentials(stsEndpoint, token, roleArn string, optFuncs ...CustomTokenOpt) (*Credentials, error)
NewCustomTokenCredentials - returns credentials using the AssumeRoleWithCustomToken STS API.
func NewEnvAWS ¶
func NewEnvAWS() *Credentials
NewEnvAWS returns a pointer to a new Credentials object wrapping the environment variable provider.
func NewEnvMinio ¶
func NewEnvMinio() *Credentials
NewEnvMinio returns a pointer to a new Credentials object wrapping the environment variable provider.
func NewFileAWSCredentials ¶
func NewFileAWSCredentials(filename, profile string) *Credentials
NewFileAWSCredentials returns a pointer to a new Credentials object wrapping the Profile file provider.
func NewFileMinioClient ¶
func NewFileMinioClient(filename, alias string) *Credentials
NewFileMinioClient returns a pointer to a new Credentials object wrapping the Alias file provider.
func NewIAM ¶
func NewIAM(endpoint string) *Credentials
NewIAM returns a pointer to a new Credentials object wrapping the IAM.
func NewKubernetesIdentity ¶ added in v7.0.78
func NewKubernetesIdentity(stsEndpoint string, opts ...func(*STSWebIdentity)) (*Credentials, error)
NewKubernetesIdentity returns a pointer to a new Credentials object using the Kubernetes service account
func NewLDAPIdentity ¶
func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string, optFuncs ...LDAPIdentityOpt) (*Credentials, error)
NewLDAPIdentity returns a new Credentials object that uses LDAP identity.
func NewLDAPIdentityWithSessionPolicy ¶ deprecated, added in v7.0.13
func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error)
NewLDAPIdentityWithSessionPolicy returns a new Credentials object that uses LDAP identity with the specified session policy. The `policy` parameter must be a JSON string specifying the policy document.
Deprecated: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
func NewSTSAssumeRole ¶
func NewSTSAssumeRole(stsEndpoint string, opts STSAssumeRoleOptions) (*Credentials, error)
NewSTSAssumeRole returns a pointer to a new Credentials object wrapping the STSAssumeRole.
func NewSTSCertificateIdentity ¶ added in v7.0.15
func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, options ...CertificateIdentityOption) (*Credentials, error)
NewSTSCertificateIdentity returns a STSCertificateIdentity that authenticates to the given STS endpoint with the given TLS certificate and retrieves and rotates S3 credentials.
func NewSTSClientGrants ¶
func NewSTSClientGrants(stsEndpoint string, getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)) (*Credentials, error)
NewSTSClientGrants returns a pointer to a new Credentials object wrapping the STSClientGrants.
func NewSTSWebIdentity ¶
func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error), opts ...func(*STSWebIdentity)) (*Credentials, error)
NewSTSWebIdentity returns a pointer to a new Credentials object wrapping the STSWebIdentity.
func NewStatic ¶
func NewStatic(id, secret, token string, signerType SignatureType) *Credentials
NewStatic returns a pointer to a new Credentials object wrapping a static credentials value provider.
func NewStaticV2 ¶
func NewStaticV2(id, secret, token string) *Credentials
NewStaticV2 returns a pointer to a new Credentials object wrapping a static credentials value provider, with the signature type set to V2. If the access key and secret key are not specified then, regardless of the signature type set, the Value will be returned as anonymous.
func NewStaticV4 ¶
func NewStaticV4(id, secret, token string) *Credentials
NewStaticV4 is similar to NewStaticV2 with similar considerations.
func (*Credentials) Expire ¶
func (c *Credentials) Expire()
Expire expires the credentials and forces them to be retrieved on the next call to Get().
This will override the Provider's expired state, and force Credentials to call the Provider's Retrieve().
func (*Credentials) Get ¶
func (c *Credentials) Get() (Value, error)
Get returns the credentials value, or error if the credentials Value failed to be retrieved.
Will return the cached credentials Value if it has not expired. If the credentials Value has expired the Provider's Retrieve() will be called to refresh the credentials.
If Credentials.Expire() was called the credentials Value will be force expired, and the next call to Get() will cause them to be refreshed.
func (*Credentials) IsExpired ¶
func (c *Credentials) IsExpired() bool
IsExpired returns if the credentials are no longer valid, and need to be refreshed.
If the Credentials were forced to be expired with Expire() this will reflect that override.
type CustomTokenIdentity ¶ added in v7.0.27
```go
type CustomTokenIdentity struct {
	Expiry

	Client *http.Client

	// MinIO server STS endpoint to fetch STS credentials.
	STSEndpoint string

	// The custom token to use with the request.
	Token string

	// RoleArn associated with the identity
	RoleArn string

	// RequestedExpiry is to set the validity of the generated credentials
	// (this value bounded by server).
	RequestedExpiry time.Duration
}
```
CustomTokenIdentity - satisfies the Provider interface, and retrieves credentials from MinIO using the AssumeRoleWithCustomToken STS API.
func (*CustomTokenIdentity) Retrieve ¶ added in v7.0.27
func (c *CustomTokenIdentity) Retrieve() (value Value, err error)
Retrieve - to satisfy Provider interface; fetches credentials from MinIO.
type CustomTokenOpt ¶ added in v7.0.27
type CustomTokenOpt func(*CustomTokenIdentity)
CustomTokenOpt is a function type to configure the custom-token based credentials using NewCustomTokenCredentials.
func CustomTokenValidityOpt ¶ added in v7.0.27
func CustomTokenValidityOpt(d time.Duration) CustomTokenOpt
CustomTokenValidityOpt sets the validity duration of the requested credentials. This value is ignored if the server enforces a lower validity period.
type CustomTokenResult ¶ added in v7.0.27
```go
type CustomTokenResult struct {
	Credentials struct {
		AccessKey    string    `xml:"AccessKeyId"`
		SecretKey    string    `xml:"SecretAccessKey"`
		Expiration   time.Time `xml:"Expiration"`
		SessionToken string    `xml:"SessionToken"`
	} `xml:",omitempty"`

	AssumedUser string `xml:",omitempty"`
}
```
CustomTokenResult - Contains temporary creds and user metadata.
type EnvAWS ¶
```go
type EnvAWS struct {
	// contains filtered or unexported fields
}
```
An EnvAWS retrieves credentials from the environment variables of the running process. Environment credentials never expire.
Environment variables used:
* Access Key ID: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY.
* Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY.
* Session Token: AWS_SESSION_TOKEN.
type EnvMinio ¶
```go
type EnvMinio struct {
	// contains filtered or unexported fields
}
```
An EnvMinio retrieves credentials from the environment variables of the running process. Environment credentials never expire.
Environment variables used:
* Access Key ID: MINIO_ACCESS_KEY or MINIO_ROOT_USER.
* Secret Access Key: MINIO_SECRET_KEY or MINIO_ROOT_PASSWORD.
type Error ¶ added in v7.0.21
```go
type Error struct {
	XMLName    xml.Name `xml:"Error" json:"-"`
	Code       string
	Message    string
	BucketName string
	Key        string
	Resource   string
	RequestID  string `xml:"RequestId"`
	HostID     string `xml:"HostId"`

	// Region where the bucket is located. This header is returned
	// only in HEAD bucket and ListObjects response.
	Region string

	// Captures the server string returned in response header.
	Server string

	// Underlying HTTP status code for the returned error
	StatusCode int `xml:"-" json:"-"`
}
```
Error - Is the typed error returned by all API operations.
type ErrorResponse ¶ added in v7.0.19
```go
type ErrorResponse struct {
	XMLName  xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	STSError struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}
```
ErrorResponse - Is the typed error returned. ErrorResponse struct should be comparable since it is compared inside golang http API (https://github.com/golang/go/issues/29768)
func (ErrorResponse) Error ¶ added in v7.0.19
func (e ErrorResponse) Error() string
Error - Returns STS error string.
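Both the success shape (AssumeRoleWithWebIdentityResponse, documented above) and ErrorResponse are namespaced XML documents under the STS 2011-06-15 namespace. The following added example, written for this page rather than taken from the package, decodes both from constructed sample bodies with encoding/xml, returns the ErrorResponse as a typed error for a non-200 reply, and rejects a 200 whose body is not the expected root element or whose credentials are already expired at the caller's clock. The struct definitions are copied from this page; ParseWebIdentityResponse and the two XML samples are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"time"
)

// Response types as defined on this page.
type AssumeRoleWithWebIdentityResponse struct {
	XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`

	Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
	ResponseMetadata struct {
		RequestID string `xml:"RequestId,omitempty"`
	} `xml:"ResponseMetadata,omitempty"`
}

type WebIdentityResult struct {
	Credentials struct {
		AccessKey    string    `xml:"AccessKeyId"`
		SecretKey    string    `xml:"SecretAccessKey"`
		Expiration   time.Time `xml:"Expiration"`
		SessionToken string    `xml:"SessionToken"`
	} `xml:",omitempty"`
	SubjectFromWebIdentityToken string `xml:",omitempty"`
}

type ErrorResponse struct {
	XMLName  xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
	STSError struct {
		Type    string `xml:"Type"`
		Code    string `xml:"Code"`
		Message string `xml:"Message"`
	} `xml:"Error"`
	RequestID string `xml:"RequestId"`
}

func (e ErrorResponse) Error() string {
	return fmt.Sprintf("sts %s (%s): %s [request %s]", e.STSError.Code, e.STSError.Type, e.STSError.Message, e.RequestID)
}

// ParseWebIdentityResponse turns an STS reply into credentials. Non-200 replies
// are decoded as ErrorResponse and returned as a typed error. A 200 is only
// accepted if the root element matches, all three credential fields are
// present, and the expiration lies after now (the caller's clock).
func ParseWebIdentityResponse(status int, body []byte, now time.Time) (WebIdentityResult, error) {
	if status != http.StatusOK {
		var er ErrorResponse
		if err := xml.Unmarshal(body, &er); err != nil {
			return WebIdentityResult{}, fmt.Errorf("HTTP %d with undecodable body: %w", status, err)
		}
		return WebIdentityResult{}, er
	}
	var resp AssumeRoleWithWebIdentityResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return WebIdentityResult{}, err // wrong root element or malformed XML
	}
	c := resp.Result.Credentials
	if c.AccessKey == "" || c.SecretKey == "" || c.SessionToken == "" {
		return WebIdentityResult{}, fmt.Errorf("sts reply %s lacks credentials", resp.ResponseMetadata.RequestID)
	}
	if !c.Expiration.After(now) {
		return WebIdentityResult{}, fmt.Errorf("sts issued credentials already expired at %s", c.Expiration)
	}
	return resp.Result, nil
}

// Constructed sample replies (not captured from a real server).
const successXML = `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>CONSTRUCTED-KEY</AccessKeyId>
      <SecretAccessKey>constructed-secret</SecretAccessKey>
      <SessionToken>constructed-session-token</SessionToken>
      <Expiration>2024-01-01T13:00:00Z</Expiration>
    </Credentials>
    <SubjectFromWebIdentityToken>constructed-subject</SubjectFromWebIdentityToken>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata><RequestId>constructed-request-id</RequestId></ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>`

const errorXML = `<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error><Type>Sender</Type><Code>AccessDenied</Code><Message>constructed: not authorized</Message></Error>
  <RequestId>constructed-request-id</RequestId>
</ErrorResponse>`
```

Because the XMLName tags carry the namespace, encoding/xml refuses a body whose root element differs from the one expected for that status, so an error document delivered with HTTP 200 cannot decode into a zero-valued credential set and slip through; the explicit empty-field and expiration checks cover the remaining ways a structurally valid reply can still be unusable.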
type Expiry ¶
```go
type Expiry struct {
	// If set will be used by IsExpired to determine the current time.
	// Defaults to time.Now if CurrentTime is not set.
	CurrentTime func() time.Time
	// contains filtered or unexported fields
}
```
An Expiry provides shared expiration logic to be used by credentials providers to implement expiry functionality.
The best method to use this struct is as an anonymous field within the provider's struct.
Example:
```go
type IAMCredentialProvider struct {
	Expiry
	...
}
```
func (*Expiry) SetExpiration ¶
SetExpiration sets the expiration IsExpired will check when called.
If window is greater than 0 the expiration time will be reduced by the window value.
Using a window is helpful to trigger credentials to expire sooner than the expiration time given to ensure no requests are made with expired tokens.
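The window rules of SetExpiration, including the DefaultExpiryWindow behaviour described under Constants, can be made concrete with a model that takes its clock from the CurrentTime field. This is an added example for this page, not the package's Expiry; the Expiry and FakeClock types and the 80%-mark arithmetic are local definitions written to match the documented behaviour, and the ten-minute issued lifetime is a constructed input.

```go
package main

import (
	"fmt"
	"time"
)

// DefaultExpiryWindow uses the same sentinel value as the package constant.
const DefaultExpiryWindow = -1

// Expiry models the shared expiry logic: an injectable clock and an effective
// expiration that may sit earlier than the time the server actually issued.
type Expiry struct {
	CurrentTime func() time.Time
	expiration  time.Time
}

func (e *Expiry) now() time.Time {
	if e.CurrentTime == nil {
		return time.Now()
	}
	return e.CurrentTime()
}

// SetExpiration applies the documented window rules: a positive window pulls
// the deadline earlier by that amount; DefaultExpiryWindow pulls it earlier so
// that a refresh triggers once 80% of the remaining lifetime has elapsed; a
// zero window keeps the issued timestamp unchanged.
func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
	switch {
	case window > 0:
		e.expiration = expiration.Add(-window)
	case window == DefaultExpiryWindow:
		remaining := expiration.Sub(e.now())
		if remaining > 0 {
			e.expiration = expiration.Add(-(remaining / 5)) // refresh at the 80% mark
		} else {
			e.expiration = expiration // already past: nothing to pull earlier
		}
	default:
		e.expiration = expiration
	}
}

// IsExpired compares the effective expiration against the injected clock.
func (e *Expiry) IsExpired() bool { return e.expiration.Before(e.now()) }

// Expiration returns the effective (window-adjusted) expiration time.
func (e *Expiry) Expiration() time.Time { return e.expiration }

// FakeClock stands in for time.Now so the refresh points can be checked
// deterministically.
type FakeClock struct{ T time.Time }

func (c *FakeClock) Now() time.Time { return c.T }

func main() {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	clock := &FakeClock{T: t0}
	var e Expiry
	e.CurrentTime = clock.Now
	e.SetExpiration(t0.Add(10*time.Minute), DefaultExpiryWindow)
	for _, step := range []time.Duration{7 * time.Minute, 8*time.Minute + time.Second} {
		clock.T = t0.Add(step)
		fmt.Printf("at +%v expired=%v\n", step, e.IsExpired())
	}
}
```

With a ten-minute credential and DefaultExpiryWindow the effective deadline lands at eight minutes, so a Get() at that point refreshes while the old token still has two minutes of server-side validity; an explicit window subtracts exactly what was asked for, which is the better choice when the server's issued lifetime is known and short.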
type FileAWSCredentials ¶
```go
type FileAWSCredentials struct {
	Expiry

	// Path to the shared credentials file.
	//
	// If empty will look for "AWS_SHARED_CREDENTIALS_FILE" env variable. If the
	// env value is empty will default to current user's home directory.
	// Linux/OSX: "$HOME/.aws/credentials"
	// Windows:   "%USERPROFILE%\.aws\credentials"
	Filename string

	// AWS Profile to extract credentials from the shared credentials file. If empty
	// will default to environment variable "AWS_PROFILE" or "default" if
	// environment variable is also not set.
	Profile string
	// contains filtered or unexported fields
}
```
A FileAWSCredentials retrieves credentials from the current user's home directory, and keeps track if those credentials are expired.
Profile ini file example: $HOME/.aws/credentials
func (*FileAWSCredentials) Retrieve ¶
func (p *FileAWSCredentials) Retrieve() (Value, error)
Retrieve reads and extracts the shared credentials from the current users home directory.
type FileMinioClient ¶
```go
type FileMinioClient struct {
	// Path to the shared credentials file.
	//
	// If empty will look for "MINIO_SHARED_CREDENTIALS_FILE" env variable. If the
	// env value is empty will default to current user's home directory.
	// Linux/OSX: "$HOME/.mc/config.json"
	// Windows:   "%USERALIAS%\mc\config.json"
	Filename string

	// MinIO Alias to extract credentials from the shared credentials file. If empty
	// will default to environment variable "MINIO_ALIAS" or "s3" if
	// environment variable is also not set.
	Alias string
	// contains filtered or unexported fields
}
```
A FileMinioClient retrieves credentials from the current user's home directory, and keeps track if those credentials are expired.
Configuration file example: $HOME/.mc/config.json
func (*FileMinioClient) IsExpired ¶
func (p *FileMinioClient) IsExpired() bool
IsExpired returns if the shared credentials have expired.
func (*FileMinioClient) Retrieve ¶
func (p *FileMinioClient) Retrieve() (Value, error)
Retrieve reads and extracts the shared credentials from the current users home directory.
type IAM ¶
```go
type IAM struct {
	Expiry

	// Required http Client to use when connecting to IAM metadata service.
	Client *http.Client

	// Custom endpoint to fetch IAM role credentials.
	Endpoint string

	// Region configurable custom region for STS
	Region string

	// Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
	Container struct {
		AuthorizationToken     string
		AuthorizationTokenFile string
		CredentialsFullURI     string
		CredentialsRelativeURI string
	}

	// EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
	EKSIdentity struct {
		TokenFile       string
		RoleARN         string
		RoleSessionName string
	}
}
```
An IAM retrieves credentials from the EC2 instance metadata service (or from the container and EKS identity sources configured on the struct), and keeps track of whether those credentials are expired.
type LDAPIdentity ¶
```go
type LDAPIdentity struct {
	Expiry

	// Required http Client to use when connecting to MinIO STS service.
	Client *http.Client

	// Exported STS endpoint to fetch STS credentials.
	STSEndpoint string

	// LDAP username/password used to fetch LDAP STS credentials.
	LDAPUsername, LDAPPassword string

	// Session policy to apply to the generated credentials. Leave empty to
	// use the full access policy available to the user.
	Policy string

	// RequestedExpiry is the configured expiry duration for credentials
	// requested from LDAP.
	RequestedExpiry time.Duration
}
```
LDAPIdentity retrieves credentials from MinIO using the AssumeRoleWithLDAPIdentity STS API.
func (*LDAPIdentity) Retrieve ¶
func (k *LDAPIdentity) Retrieve() (value Value, err error)
Retrieve gets the credential by calling the MinIO STS API for LDAP on the configured stsEndpoint.
type LDAPIdentityOpt ¶ added in v7.0.13
type LDAPIdentityOpt func(*LDAPIdentity)
LDAPIdentityOpt is a function type used to configure the LDAPIdentity instance.
func LDAPIdentityExpiryOpt ¶ added in v7.0.13
func LDAPIdentityExpiryOpt(d time.Duration) LDAPIdentityOpt
LDAPIdentityExpiryOpt sets the expiry duration for requested credentials.
func LDAPIdentityPolicyOpt ¶ added in v7.0.13
func LDAPIdentityPolicyOpt(policy string) LDAPIdentityOpt
LDAPIdentityPolicyOpt sets the session policy for requested credentials.
type LDAPIdentityResult ¶
```go
type LDAPIdentityResult struct {
	Credentials struct {
		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
	} `xml:",omitempty"`

	SubjectFromToken string `xml:",omitempty"`
}
```
LDAPIdentityResult - contains credentials for a successful AssumeRoleWithLDAPIdentity request.
type Provider ¶
```go
type Provider interface {
	// Retrieve returns nil if it successfully retrieved the value.
	// Error is returned if the value were not obtainable, or empty.
	Retrieve() (Value, error)

	// IsExpired returns if the credentials are no longer valid, and need
	// to be retrieved.
	IsExpired() bool
}
```
A Provider is the interface for any component which will provide a credentials Value. A Provider is required to manage its own expired state, and to define what being expired means.
type STSAssumeRole ¶
```go
type STSAssumeRole struct {
	Expiry

	// Required http Client to use when connecting to MinIO STS service.
	Client *http.Client

	// STS endpoint to fetch STS credentials.
	STSEndpoint string

	// various options for this request.
	Options STSAssumeRoleOptions
}
```
An STSAssumeRole retrieves credentials from the MinIO service, and keeps track of whether those credentials are expired.
func (*STSAssumeRole) Retrieve ¶
func (m *STSAssumeRole) Retrieve() (Value, error)
Retrieve retrieves credentials from the MinIO service. Error will be returned if the request fails.
type STSAssumeRoleOptions ¶
```go
type STSAssumeRoleOptions struct {
	// Mandatory inputs.
	AccessKey string
	SecretKey string

	SessionToken string // Optional if the first request is made with temporary credentials.
	Policy       string // Optional to assign a policy to the assumed role

	Location        string // Optional commonly needed with AWS STS.
	DurationSeconds int    // Optional defaults to 1 hour.

	// Optional only valid if using with AWS STS
	RoleARN         string
	RoleSessionName string
	ExternalID      string
}
```
STSAssumeRoleOptions collection of various input options to obtain AssumeRole credentials.
type STSCertificateIdentity ¶ added in v7.0.15
```go
type STSCertificateIdentity struct {
	Expiry

	// STSEndpoint is the base URL endpoint of the STS API.
	// For example, https://minio.local:9000
	STSEndpoint string

	// S3CredentialLivetime is the duration temp. S3 access
	// credentials should be valid.
	//
	// It represents the access credential livetime requested
	// by the client. The STS server may choose to issue
	// temp. S3 credentials that have a different - usually
	// shorter - livetime.
	//
	// The default livetime is one hour.
	S3CredentialLivetime time.Duration

	// Client is the HTTP client used to authenticate and fetch
	// S3 credentials.
	//
	// A custom TLS client configuration can be specified by
	// using a custom http.Transport:
	//   Client: http.Client {
	//       Transport: &http.Transport{
	//           TLSClientConfig: &tls.Config{},
	//       },
	//   }
	Client http.Client
}
```
An STSCertificateIdentity retrieves S3 credentials from the MinIO STS API and rotates those credentials once they expire.
func (*STSCertificateIdentity) Expiration ¶ added in v7.0.15
func (i *STSCertificateIdentity) Expiration() time.Time
Expiration returns the expiration time of the current S3 credentials.
func (*STSCertificateIdentity) Retrieve ¶ added in v7.0.15
func (i *STSCertificateIdentity) Retrieve() (Value, error)
Retrieve fetches a new set of S3 credentials from the configured STS API endpoint.
type STSClientGrants ¶
```go
type STSClientGrants struct {
	Expiry

	// Required http Client to use when connecting to MinIO STS service.
	Client *http.Client

	// MinIO endpoint to fetch STS credentials.
	STSEndpoint string

	// getClientGrantsTokenExpiry function to retrieve tokens
	// from IDP This function should return two values one is
	// accessToken which is a self contained access token (JWT)
	// and second return value is the expiry associated with
	// this token. This is a customer provided function and
	// is mandatory.
	GetClientGrantsTokenExpiry func() (*ClientGrantsToken, error)
}
```
An STSClientGrants retrieves credentials from the MinIO service, and keeps track of whether those credentials are expired.
func (*STSClientGrants) Retrieve ¶
func (m *STSClientGrants) Retrieve() (Value, error)
Retrieve retrieves credentials from the MinIO service. Error will be returned if the request fails.
type STSWebIdentity ¶
```go
type STSWebIdentity struct {
	Expiry

	// Required http Client to use when connecting to MinIO STS service.
	Client *http.Client

	// Exported STS endpoint to fetch STS credentials.
	STSEndpoint string

	// Exported GetWebIDTokenExpiry function which returns ID
	// tokens from IDP. This function should return two values
	// one is ID token which is a self contained ID token (JWT)
	// and second return value is the expiry associated with
	// this token.
	// This is a customer provided function and is mandatory.
	GetWebIDTokenExpiry func() (*WebIdentityToken, error)

	// RoleARN is the Amazon Resource Name (ARN) of the role that the caller is
	// assuming.
	RoleARN string

	// Policy is the policy to which the credentials should be limited.
	Policy string
	// contains filtered or unexported fields
}
```
An STSWebIdentity retrieves credentials from the MinIO service, and keeps track of whether those credentials are expired.
func (*STSWebIdentity) Expiration ¶
func (m *STSWebIdentity) Expiration() time.Time
Expiration returns the expiration time of the credentials
func (*STSWebIdentity) Retrieve ¶
func (m *STSWebIdentity) Retrieve() (Value, error)
Retrieve retrieves credentials from the MinIO service. Error will be returned if the request fails.
type SignatureType ¶
type SignatureType int
SignatureType is the type of Authorization requested for a given HTTP request.
```go
const (
	// SignatureDefault is always set to v4.
	SignatureDefault SignatureType = iota
	SignatureV4
	SignatureV2
	SignatureV4Streaming
	SignatureAnonymous // Anonymous signature signifies, no signature.
)
```
Different types of supported signatures - default is SignatureV4 or SignatureDefault.
func (SignatureType) IsAnonymous ¶
func (s SignatureType) IsAnonymous() bool
IsAnonymous - is signature empty?
func (SignatureType) IsStreamingV4 ¶
func (s SignatureType) IsStreamingV4() bool
IsStreamingV4 - is signature SignatureV4Streaming?
func (SignatureType) String ¶
func (s SignatureType) String() string
Stringer humanized version of signature type, strings returned here are case insensitive.
type Static ¶
```go
type Static struct {
	Value
}
```
A Static is a set of credentials which are set programmatically, and will never expire.
type Value ¶
```go
type Value struct {
	// S3 Access key ID
	AccessKeyID string

	// S3 Secret Access Key
	SecretAccessKey string

	// S3 Session Token
	SessionToken string

	// Expiration of this credentials - null means no expiration associated
	Expiration time.Time

	// Signature Type.
	SignerType SignatureType
}
```
A Value is the S3 credentials value for individual credential fields.
type WebIdentityResult ¶
```go
type WebIdentityResult struct {
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
	Audience        string          `xml:",omitempty"`
	Credentials     struct {
		AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
		SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
		Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
		SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
	} `xml:",omitempty"`
	PackedPolicySize            int    `xml:",omitempty"`
	Provider                    string `xml:",omitempty"`
	SubjectFromWeb

IdentityToken string `xml:",omitempty"`
}
```
WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary credentials that can be used to make MinIO API requests.
type WebIdentityToken ¶
WebIdentityToken - web identity token with expiry.