minio-js
How to use WebIdentityToken
The previous issue was closed. The examples given don't seem to give much explanation or insight into what needs to be done. I already know how to use minio-go and the webIdentityToken/IRSA setup there. Asking for clarification on the minio-js side.
From examples since none seem to use webIdentityToken it is not clear what needs to be done here?
Do I need to pass the webIdentityToken and the roleARN and roleSessionName into

```js
let asRoleProvider = new AssumeRoleProvider({
  stsEndpoint: "sts.amazonaws.com",
  accessKey: 'miniojs',
  secretKey: 'miniojs123',
  webIdentityToken: '/var/secret/etc/',
  roleARN: "arn:aws:....",
  roleSessionName: "fakeName"
})
```

for it to work, or will these be picked up automatically when using this AssumeRoleProvider if they are env variables, similar to the way that minio-go does it https://github.com/minio/minio-go/blob/fe4dc656657288125addc6b3be2f629376881075/pkg/credentials/iam_aws.go#L92? In the PR which added this functionality I don't see any similar code that does the work to obtain these values for us that minio-go does automatically, so are we as a user supposed to get these ourselves and then pass them in to the constructor?
Originally posted by @ryansteakley in https://github.com/minio/minio-js/issues/1077#issuecomment-1312617914
You need to obtain and pass it. It would not be picked up if specified as a file. (There is no way to tell if the token needs to be read from a file.)
Please provide details/trace on what was tried and the error, if any, for further debugging, which would help us better understand the issue. Appreciate your efforts to try these APIs and provide feedback. Thank you for the support.
Thanks for the response, that gives me a path forward, will come back with any issues encountered.
Currently tried just passing as the example showed
```js
let asRoleProvider = new AssumeRoleProvider({
  stsEndpoint: "sts.amazonaws.com",
  accessKey: 'miniojs',
  secretKey: 'miniojs123',
  webIdentityToken: "abcdef",
  roleARN: "12345"
})
```

no matter what I provide to this AssumeRoleProvider I get,

```
(node:6818) UnhandledPromiseRejectionWarning: Error: Unable to get credentials. Expected instance of BaseCredentialsProvider
    at Client.fetchCredentials (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3762:15)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Client.checkAndRefreshCreds (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3749:14)
```
@prakashsvmx have you successfully used webIdentityToken and the roleARN to create a minio-client using the assumeRole?
Would appreciate an example of this setup and the code to at least bare minimum create the minio-client, currently with the lack of documentation and expertise I am going through trial and error. Since you closed https://github.com/minio/minio-js/issues/841 with #960, I assume internally it was verified that this functionality works? I would expect parity with the minio-go where it will have a provider-chain and eventually run code such as https://github.com/minio/minio-go/blob/39267760ed9bb78c88d17be63fcafcefb767a366/pkg/credentials/iam_aws.go#L92 to fetch all the required information. Or parity with the aws-js-sdk
```js
// Import required AWS SDK clients and commands for Node.js
const { S3Client, PutObjectCommand, CreateBucketCommand } = require("@aws-sdk/client-s3");
const { getDefaultRoleAssumerWithWebIdentity } = require("@aws-sdk/client-sts");
const { fromTokenFile } = require("@aws-sdk/credential-provider-web-identity");

// Set the AWS region
const REGION = "us-east-1"; // e.g., "us-east-1"

// Set the bucket parameters
const bucketName = "my-bucket";
const bucketParams = { Bucket: bucketName };

// Create name for uploaded object key
const keyName = "hello_world.txt";
const objectParams = { Bucket: bucketName, Key: keyName, Body: "Hello World!" };

// Create an S3 client service object
const s3 = new S3Client({
  region: REGION,
  credentials: fromTokenFile({
    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
  })
});
```

In both cases it is not expected that the user themselves will write code to access the webIdentityToken file and get the value. Am I missing something? Feel free to inform me of the proper use case.
We request more information: are you using minio server? How have you configured Assume Role? How was the token obtained?
As mentioned earlier, the example initialization can be like:
```js
let asRoleProvider = new AssumeRoleProvider({
  stsEndpoint: "http://127.0.0.1:9000",
  accessKey: 'miniojs',
  secretKey: 'miniojs123'
})
const asRoleClient = new Minio.Client({
  endPoint: 'localhost',
  port: 9000,
  useSSL: false,
  accessKey: 'miniojs',
  secretKey: 'miniojs123',
  credentialsProvider: asRoleProvider
})
```
Feel free to share any information that would be helpful for us to debug further
AWS_WEB_IDENTITY_TOKEN_FILE is not supported in minio-js
I have followed the following links while implementing.
https://github.com/minio/minio/blob/master/docs/sts/assume-role.md#testing-an-example-with-awscli-tool
https://github.com/minio/minio/blob/master/docs/sts/assume-role.md#testing-an-example-with-assume-rolego
The use-case is I have an eks-cluster with a pod that has AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token mounted along with the AWS_ROLE_ARN: arn:aws:iam::111122223333:role/my-role. I want to be able to use these two pieces of information to authenticate and create a minioClient to communicate with s3 using minio-js. This is possible using minio-go at the moment. I see you said that AWS_WEB_IDENTITY_TOKEN_FILE is not supported in minio-js. So if I, the user, write additional JS code to extract the token from said AWS_WEB_IDENTITY_TOKEN_FILE, it should be fine? Then I will go along and pass the rest of the information needed, RoleArn etc.
I have not personally tried this approach. Yes, you could try and send a PR to support AWS_WEB_IDENTITY_TOKEN_FILE.
If you are using AWS, you could also use aws-sdk.
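The workaround discussed above (reading the token named by AWS_WEB_IDENTITY_TOKEN_FILE yourself and passing it in), as an added example that is not part of the thread or of minio-js. `loadWebIdentity` and `decodeClaims` are hypothetical helper names, and the returned field names follow the snippet in the question rather than a confirmed AssumeRoleProvider signature.

```javascript
// Added example, not minio-js code. Helper names are hypothetical.
const fs = require("fs");

// Decode the JWT payload without verifying the signature; the STS endpoint
// is the party that verifies it. This is only a local sanity check.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) {
    throw new Error("token file does not contain a compact JWT");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Read the projected service-account token and role ARN from the pod
// environment. The token file is rotated in place, so read it again on
// every credential refresh instead of caching the string at startup.
function loadWebIdentity(env = process.env, nowSec = Math.floor(Date.now() / 1000)) {
  const tokenFile = env.AWS_WEB_IDENTITY_TOKEN_FILE;
  const roleARN = env.AWS_ROLE_ARN;
  if (!tokenFile || !roleARN) {
    throw new Error("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must both be set");
  }
  const webIdentityToken = fs.readFileSync(tokenFile, "utf8").trim();
  const claims = decodeClaims(webIdentityToken);
  // Fail early with a clear message rather than sending a stale token to STS.
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    throw new Error("web identity token is expired or has no exp claim");
  }
  return {
    webIdentityToken, // never log this value
    roleARN,          // field names as written in the question (assumption)
    roleSessionName: env.AWS_ROLE_SESSION_NAME || `minio-js-${nowSec}`,
    expiresAt: claims.exp,
  };
}
```

The error messages deliberately contain no part of the token, so they are safe to surface in pod logs.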
@prakashsvmx I've tried doing
```js
let asRoleProvider = new AssumeRoleProvider({
  stsEndpoint: "sts.amazonaws.com",
  webIdentityToken: "abcdef",
  roleARN: "abcdef"
})
const asRoleClient = new Minio.Client({
  endPoint: 's3.amazonaws.com',
  credentialsProvider: asRoleProvider
})
```

and I'm facing issue of

```
(node:6818) UnhandledPromiseRejectionWarning: Error: Unable to get credentials. Expected instance of BaseCredentialsProvider
    at Client.fetchCredentials (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3762:15)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Client.checkAndRefreshCreds (/Users/ryanstea/minio-js/node_modules/minio/dist/main/minio.js:3749:14)
```
any guidance?