# MinIO Security Token Service (STS)

This is an example of setting up a Minio server with the [Security Token Service (STS)](https://github.com/minio/minio/blob/RELEASE.2020-04-04T05-39-31Z/docs/sts/README.md) and [AssumeRole](https://github.com/minio/minio/blob/RELEASE.2020-04-04T05-39-31Z/docs/sts/assume-role.md) for temporary session tokens.

You must [create a new Minio user](https://docs.min.io/docs/minio-multi-user-quickstart-guide.html) to use STS; the default Minio access/secret won't work. The new user must have access to the objects you will be creating sessions for: the permissions of the created session are the intersection of the permissions of the STS user and the inline permissions requested when the session is created.

Tested on `2020-04-06` with the current version of Minio. This is probably `RELEASE.2020-04-04T05-39-31Z`, though if using Homebrew on Mac OSX `minio --version` outputs `DEVELOPMENT.GOGET` so who knows.

## Example: start the Minio server and configure the client

This will serve your home directory:

```sh
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server ~/
```

Create a `mc` client config called `local`:

```sh
mc config host add local http://localhost:9000 minio minio123
```

## Example: create a user `stsadmin` with full read-only access to all buckets and objects

```sh
mc admin user add local stsadmin stsadmin-secret
mc admin policy add local readall s3-policy-readall.json
mc admin policy set local readall user=stsadmin
```

## Example: create a token

Run [`create-token.py`](create-token.py) to create a session token valid for 15 minutes for a bucket and optional prefix. The token along with connection credentials will be printed to stdout.
This example will give access to keys matching the prefix `media/*` in bucket `tmp`:

```sh
TOKEN=$(./create-token.py --endpoint http://localhost:9000 --accesskey stsadmin --secretkey stsadmin-secret --bucket tmp --prefix 'media/*')
echo "$TOKEN"
```

## Example: test the token

Test the token by using [`list-or-get-object.py`](list-or-get-object.py). This script reads the connection credentials output by the previous script on stdin.

List objects (trailing `/`):

```
$ echo "$TOKEN" | ./list-or-get-object.py tmp/media/
Listing tmp/media/
- ETag: '"00000000000000000000000000000000-1"'
  Key: media/hello.txt
  LastModified: 2020-04-06 18:29:55.394000+00:00
  Owner:
    DisplayName: ''
    ID: 02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4
  Size: 6
  StorageClass: STANDARD
```

Get an object (no trailing `/`):

```
$ echo "$TOKEN" | ./list-or-get-object.py tmp/media/hello.txt
Getting tmp/media/hello.txt
b'hello\n'
```

List a disallowed path:

```
$ echo "$TOKEN" | ./list-or-get-object.py tmp/other/
Listing tmp/other/
Traceback (most recent call last):
  ...
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied.
```

Expired token:

```
$ echo "$TOKEN" | ./list-or-get-object.py tmp/media/
Listing tmp/media/
Traceback (most recent call last):
  ...
botocore.exceptions.ClientError: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The access key ID you provided does not exist in our records.
```
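The two scripts above are not reproduced here; the following is an added example (not the repository's `create-token.py` or `list-or-get-object.py`) that shows what both halves of the workflow do with boto3: building the inline session policy that narrows an AssumeRole request to one bucket and prefix, and then using the temporary credentials to list or get objects. The JSON token format passed on stdin, the `s3:prefix` condition key, the `us-east-1` region and the placeholder `RoleArn`/`RoleSessionName` values are assumptions of this example; the effective rights of the session are the intersection of this inline policy and the `readall` policy attached to `stsadmin`.

```python
"""Added example: scope a MinIO STS AssumeRole session to one bucket/prefix.

Not the repository's own scripts; token format, s3:prefix condition key,
region and the RoleArn/RoleSessionName placeholders are assumptions.
"""
import json
import sys
from typing import Optional, Tuple


def build_session_policy(bucket: str, prefix: Optional[str] = None) -> dict:
    """Inline policy for AssumeRole: list only under `prefix`, get only objects under it.

    ListBucket is a bucket-level action, so the prefix restriction is a condition
    on the `s3:prefix` request parameter (assumed supported); GetObject is
    object-level, so it is restricted through the resource ARN.
    """
    obj_glob = prefix if prefix else "*"
    list_stmt = {
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}"],
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix]}}
    get_stmt = {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/{obj_glob}"],
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def create_token(endpoint, access_key, secret_key, bucket, prefix=None, duration=900):
    """Call MinIO STS AssumeRole and return the credentials as a dict (assumed token format)."""
    import boto3  # imported here so the pure-Python helpers work without boto3 installed

    sts = boto3.client("sts", endpoint_url=endpoint,
                       aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                       region_name="us-east-1")
    resp = sts.assume_role(
        # MinIO does not use RoleArn/RoleSessionName, but boto3 requires them (placeholders)
        RoleArn="arn:xxx:xxx:xxx:xxxx",
        RoleSessionName="session",
        Policy=json.dumps(build_session_policy(bucket, prefix)),
        DurationSeconds=duration,  # 900 s = the 15 minutes used in the README
    )
    c = resp["Credentials"]
    return {
        "endpoint": endpoint,
        "access_key": c["AccessKeyId"],
        "secret_key": c["SecretAccessKey"],
        "session_token": c["SessionToken"],
        "expiration": c["Expiration"].isoformat(),
    }


def split_path(path: str) -> Tuple[str, str, bool]:
    """'tmp/media/' -> ('tmp', 'media/', True) = list; 'tmp/a.txt' -> ('tmp', 'a.txt', False) = get."""
    bucket, _, key = path.partition("/")
    if not bucket:
        raise ValueError("path must be bucket/key")
    return bucket, key, key == "" or key.endswith("/")


def list_or_get(token: dict, path: str):
    """Use the temporary credentials: trailing '/' lists a prefix, otherwise fetch one object."""
    import boto3

    s3 = boto3.client("s3", endpoint_url=token["endpoint"],
                      aws_access_key_id=token["access_key"],
                      aws_secret_access_key=token["secret_key"],
                      aws_session_token=token["session_token"],
                      region_name="us-east-1")
    bucket, key, is_listing = split_path(path)
    if is_listing:
        # AccessDenied here means the prefix is outside the session policy;
        # InvalidAccessKeyId means the session has expired and MinIO dropped it.
        return s3.list_objects_v2(Bucket=bucket, Prefix=key).get("Contents", [])
    return s3.get_object(Bucket=bucket, Key=key)["Body"].read()


if __name__ == "__main__":
    # Usage: python3 sts_example.py create ENDPOINT ACCESS SECRET BUCKET [PREFIX]
    #        echo "$TOKEN" | python3 sts_example.py use BUCKET/KEY
    if sys.argv[1] == "create":
        print(json.dumps(create_token(*sys.argv[2:7])))
    else:
        print(list_or_get(json.load(sys.stdin), sys.argv[2]))
```

The policy builder is the part worth checking offline: a session created for `tmp` with prefix `media/*` may list only keys under `media/` and may fetch only objects matching `tmp/media/*`, which is exactly why the `tmp/other/` listing above fails with `AccessDenied` even though `stsadmin` itself can read everything.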