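#!/usr/bin/env python
# https://github.com/minio/minio/blob/master/docs/sts/assume-role.md
# https://docs.minio.io/docs/how-to-use-aws-sdk-for-python-with-minio-server
# https://docs.min.io/docs/minio-select-api-quickstart-guide.html
"""STS token creator.

Create read-only temporary credentials (AssumeRole with an inline session
policy) scoped to one bucket and one key prefix, and print them as a JSON
object of boto3 client keyword arguments.
"""
import argparse
import json
import os

# Minimum session length accepted by AssumeRole; also the script's default so
# that tokens expire quickly unless the caller explicitly asks for longer.
DEFAULT_DURATION_SECONDS = 900


def build_policy(bucket_name, prefix):
    """Return the read-only session policy for *prefix* inside *bucket_name*.

    The policy grants ``s3:ListBucket`` on the bucket, restricted by an
    ``s3:prefix`` StringLike condition to *prefix*, and ``s3:GetObject`` on
    ``arn:aws:s3:::<bucket>/<prefix>``.  *prefix* is used verbatim, so it may
    carry ``*`` wildcards (``*``, ``docs/*``, ``docs/file.name``).  A session
    policy can only narrow what the assuming identity already holds; it never
    grants anything the admin credentials lack.

    Args:
        bucket_name: bucket the token is confined to.
        prefix: key prefix (or exact key / wildcard pattern) inside the bucket.

    Returns:
        The policy document as a plain dict, ready for ``json.dumps``.
    """
    # Access policies
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
    # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
    # https://aws.amazon.com/premiumsupport/knowledge-center/s3-folder-user-access/
    bucket_arn = "arn:aws:s3:::{}".format(bucket_name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListObjectsInBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [bucket_arn],
                # Listing is only allowed when the request's prefix matches;
                # without this, a ListBucket grant exposes every key name.
                "Condition": {"StringLike": {"s3:prefix": [prefix]}},
            },
            {
                "Sid": "GetObjectsInBucket",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": ["{}/{}".format(bucket_arn, prefix)],
            },
        ],
    }


def parse_args(argv=None):
    """Parse the command line (default: ``sys.argv[1:]``) into a Namespace.

    ``--accesskey`` / ``--secretkey`` fall back to the ``AWS_ACCESS_KEY_ID`` /
    ``AWS_SECRET_ACCESS_KEY`` environment variables so the admin secret does
    not have to appear in shell history or process listings; the parser exits
    with an error if neither source provides them.

    Args:
        argv: argument list, or None to read the real command line.

    Returns:
        argparse.Namespace with endpoint, region, accesskey, secretkey,
        bucket, prefix and duration.
    """
    parser = argparse.ArgumentParser(
        'create-token.py',
        description=(
            'STS token creator. Create read-only temporary access tokens for S3'))
    parser.add_argument('--endpoint', help='S3 server endpoint', required=True)
    parser.add_argument('--region', help='S3 region', default="")
    parser.add_argument(
        '--accesskey',
        default=os.environ.get('AWS_ACCESS_KEY_ID'),
        help=('Access key ID for the STS admin user '
              '(default: $AWS_ACCESS_KEY_ID)'))
    parser.add_argument(
        '--secretkey',
        default=os.environ.get('AWS_SECRET_ACCESS_KEY'),
        help=('Secret access key ID for STS admin user '
              '(default: $AWS_SECRET_ACCESS_KEY; prefer the environment '
              'variable so the secret is not visible on the command line)'))
    parser.add_argument('--bucket', help='S3 bucket', required=True)
    parser.add_argument(
        '--prefix',
        default='*',
        help=(
            'Prefix inside bucket, for example * (default), '
            'prefix/*, prefix/file.name'))
    parser.add_argument(
        '--duration',
        type=int,
        default=DEFAULT_DURATION_SECONDS,
        help='Token lifetime in seconds (default: %(default)s, the minimum)')
    args = parser.parse_args(argv)
    # argparse cannot express "required unless the env var is set", so check here.
    if not args.accesskey:
        parser.error('--accesskey is required (or set AWS_ACCESS_KEY_ID)')
    if not args.secretkey:
        parser.error('--secretkey is required (or set AWS_SECRET_ACCESS_KEY)')
    return args


def main(argv=None):
    """Assume a role with the read-only session policy and print the credentials.

    Args:
        argv: argument list for :func:`parse_args`, or None for ``sys.argv``.

    Side effects:
        Calls the STS endpoint and writes one JSON object of boto3 client
        keyword arguments (including a live, short-lived secret and session
        token) to stdout.
    """
    # Imported lazily so build_policy/parse_args stay importable (and
    # testable) on machines without the SDK installed.
    import boto3

    args = parse_args(argv)
    sts_admin = boto3.client(
        'sts',
        endpoint_url=args.endpoint,
        aws_access_key_id=args.accesskey,
        aws_secret_access_key=args.secretkey,
        region_name=args.region)
    policy = build_policy(args.bucket, args.prefix)

    # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.assume_role
    # RoleArn / RoleSessionName are mandatory for boto3 but ignored by MinIO;
    # the inline Policy is what actually scopes the returned token.
    response = sts_admin.assume_role(
        RoleArn='arn:x:ignored:by:minio:',
        RoleSessionName='ignored-by-minio',
        # PolicyArns=[{'arn': 'string'}],
        Policy=json.dumps(policy),
        DurationSeconds=args.duration,
    )
    credentials = response['Credentials']
    boto3_client_args = dict(
        endpoint_url=args.endpoint,
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
        region_name=args.region,
    )
    # E.g. s3 = boto3.client('s3', **boto3_client_args)
    # This is a usable credential until the token expires: whoever captures
    # stdout (logs, CI output, shell history via redirection) holds it.
    print(json.dumps(boto3_client_args))


if __name__ == "__main__":
    main()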