Victor Fauth

Results 23 comments of Victor Fauth

Hi, could somebody review this PR please? This bug is quite annoying.

We are also really interested in this, it is blocking in order to use Zalando's operator in a managed and shared cluster.

Good news! For your question, I would say:

- 404, to give no information about the key existence
- 404, to give no information about the key existence
- 200,...

I was able to reproduce this issue on up-to-date MinIO version 2024-09-13T20-26-02Z.

> Are you saying we should ignore the `exp` on the token?
>
> What is the purpose of the 5m `exp`, if we just ignore it?
>
> I...

I created a token valid for 1 hour at ~6pm Paris time, so 4pm UTC. I made the STS call immediately after that, requesting a 14400 seconds token (4 hours)....

Here you go:

```
> mc admin trace -a --funcname sts* --verbose atlas-victor/
s3-1.s3-svc.dc2-wd1-gdp-victor-kns-gdp.svc.cluster.local:9000 [REQUEST sts.AssumeRoleWithWebIdentity] [2024-09-27T17:24:04.410] [Client IP: ]
s3-1.s3-svc.dc2-wd1-gdp-victor-kns-gdp.svc.cluster.local:9000 POST /?Action=AssumeRoleWithWebIdentity&WebIdentityToken=&Version=2011-06-15&DurationSeconds=14400
s3-1.s3-svc.dc2-wd1-gdp-victor-kns-gdp.svc.cluster.local:9000 Proto: HTTP/1.1
s3-1.s3-svc.dc2-wd1-gdp-victor-kns-gdp.svc.cluster.local:9000 Host: s3-1.s3-svc.dc2-wd1-gdp-victor-kns-gdp.svc.cluster.local:9000 X-Forwarded-Port:...
```

I tracked the issue to this line:

https://github.com/minio/pkg/blob/d2607b2fe2bdae143ffc6c69703a74115e92140d/policy/statement.go#L52

When the resource is `mybucket` and no object is specified, a `/` is appended. As `arn:aws:s3:::mybucket/*` matches `arn:aws:s3:::mybucket/`, which is the expected...

I don't really know how to fix these other issues, there are too many implications and it seems like it requires more extensive changes. I will probably not be able...