Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to use WebIdentityToken #1078

Open
ryansteakley opened this issue Nov 13, 2022 · 7 comments
Open

How to use WebIdentityToken #1078

ryansteakley opened this issue Nov 13, 2022 · 7 comments

Comments

@ryansteakley
Copy link

ryansteakley commented Nov 13, 2022
edited

Previous issue was closed, The examples given don't seem to give much explanation or insight in what needs to be done. I already know how to use minio-go and the webIdentityToken/IRSA setup there. Asking for clarification on the minio-js side.
From examples since none seem to use webIdentityToken it is not clear what needs to be done here?
Do I need to pass the webIdentityToken and the roleARN i and roleSessionName into

let asRoleProvider = new AssumeRoleProvider({
    stsEndpoint: "sts.amazonaws.com",
    accessKey: 'miniojs',
    secretKey: 'miniojs123',
    webIdentityToken: '/var/secret/etc/',
    roleARN: "arn:aws:....",
    roleSessionName: "fakeName"
})

For it work or will these be picked up automatically when using this AssumeRoleProvider if they are env variables similar to the way that minio-go does it https://github.com/minio/minio-go/blob/fe4dc656657288125addc6b3be2f629376881075/pkg/credentials/iam_aws.go#L92? In the pr which added this functionality I don't see any similar code that does the work to obtain these values for us that minio-go does automatically so are we as a user supposed to get these ourselves then pass them in to the constructor?

Originally posted by @ryansteakley in #1077 (comment)
@ryansteakley ryansteakley changed the title WebIdentityToken How to use WebIdentityToken Nov 13, 2022
@prakashsvmx
Copy link
Member

You need to obtain and pass it. It would not be picked up if specified as file. (There is no way to tell if token needs to be read from file. ).

Please provide details/trace on what was tried and error if any for further debugging which would help us better understand the issue. Appreciate your efforts to try these APIs and provide feedback. Thank you for the support

@ryansteakley
Copy link
Author

ryansteakley commented Nov 13, 2022
edited

Thanks for the response, that gives me a path forward, will come back with any issues encountered.

Currently tried just passing as the example showed

let asRoleProvider = new AssumeRoleProvider({
    stsEndpoint: "sts.amazonaws.com",
    accessKey: 'miniojs',
    secretKey: 'miniojs123',
    webIdentityToken: "abcdef",
    roleARN: "12345"
})

no matter what I provide to this AssumeRoleProvider I get,

(node:6818) UnhandledPromiseRejectionWarning: Error: Unable to get  credentials. Expected instance of BaseCredentialsProvider
    at Client.fetchCredentials (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3762:15)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Client.checkAndRefreshCreds (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3749:14)

@prakashsvmx have you successfully used webIdentityToken and the roleARN to create a minio-client using the assumeRole?

@ryansteakley
Copy link
Author

ryansteakley commented Nov 14, 2022
edited

Would appreciate an example of this setup and the code to at least bare minimum create the minio-client, currently with the lack of documentation and expertise I am going through trial and error. Since you closed #841 with #960, I assume internally it was verified that this functionality works? I would expect parity with the minio-go where it will have a provider-chain and eventually run code such as https://github.com/minio/minio-go/blob/39267760ed9bb78c88d17be63fcafcefb767a366/pkg/credentials/iam_aws.go#L92 to fetch all the required information. Or parity with the aws-js-sdk

// Import required AWS SDK clients and commands for Node.js
const { S3Client, PutObjectCommand, CreateBucketCommand } = require("@aws-sdk/client-s3");
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { fromTokenFile } = require("@aws-sdk/credential-provider-web-identity");

// Set the AWS region
const REGION = "us-east-1"; // e.g., "us-east-1"

// Set the bucket parameters
const bucketName = "my-bucket";
const bucketParams = { Bucket: bucketName };

// Create name for uploaded object key
const keyName = "hello_world.txt";
const objectParams = { Bucket: bucketName, Key: keyName, Body: "Hello World!" };

// Create an S3 client service object
const s3 = new S3Client({
  region: REGION,
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});

In both cases it is not expected that the user themselves will write code to access the webIdentityToken file and get the value. Am I missing something feel free to inform proper usecase?

@prakashsvmx
Copy link
Member

We request more information
are you using minio server?
how have you have configured Assume Role?
how was the token obtained ?

As mentioned earlier, the example initialization can be like:

let asRoleProvider = new AssumeRoleProvider({
    stsEndpoint:"http://127.0.0.1:9000",
    accessKey: 'miniojs',
    secretKey: 'miniojs123'

  })
    const asRoleClient= new Minio.Client({
        endPoint: 'localhost',
        port: 9000,
        useSSL: false,
        accessKey: 'miniojs',
        secretKey: 'miniojs123',
        credentialsProvider:asRoleProvider
    })

Feel free to share any information that would be helpful for us to debug further

AWS_WEB_IDENTITY_TOKEN_FILE is not supported in minio-js

i have followed the following links while implementing.\

https://github.com/minio/minio/blob/master/docs/sts/assume-role.md#testing-an-example-with-awscli-tool
https://github.com/minio/minio/blob/master/docs/sts/assume-role.md#testing-an-example-with-assume-rolego

@ryansteakley
Copy link
Author

The use-case is I have an eks-cluster with a pod that has AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token mounted along with the AWS_ROLE_ARN: arn:aws:iam::111122223333:role/my-role. I want to be able to use these two pieces of information to authenticate and create a minioClient to communicate with s3 using minio-js. This is possible using minio-go at the moment. I see you said that AWS_WEB_IDENTITY_TOKEN_FILE is not supported in minio-js. So if I the user write additional js code to extract the token from said AWS_WEB_IDENTITY_TOKEN_FILE it should be fine? Then I will go along and pass the rest of the information needed RoleArn etc..

@prakashsvmx
Copy link
Member

I have not personally tried this approach. yes, you could try and send a pr to support AWS_WEB_IDENTITY_TOKEN_FILE

if you are using AWS, you could also use aws-sdk.

@ryansteakley
Copy link
Author

@prakashsvmx I've tried doing

let asRoleProvider = new AssumeRoleProvider({
    stsEndpoint:"sts.amazonaws.com",
    webIdentityToken: "abcdef:
    roleARN: "abcdef"

  })
    const asRoleClient= new Minio.Client({
        endPoint: 's3.amazonaws.com',
        credentialsProvider:asRoleProvider
    })

and I'm facing issue of

(node:6818) UnhandledPromiseRejectionWarning: Error: Unable to get  credentials. Expected instance of BaseCredentialsProvider
    at Client.fetchCredentials (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3762:15)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Client.checkAndRefreshCreds (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3749:14)

any guidance?

@trim21 trim21 mentioned this issue May 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@prakashsvmx @ryansteakley