
Handling of S3 session tokens

Open fBedecarrats opened this issue 1 year ago • 5 comments

Hi @cboettig, thanks for this promising package! One question: what would be the right way to handle session tokens with it? I'm using a minio S3 service that requires providing such tokens (set with Sys.setenv("AWS_SESSION_TOKEN" = "mytoken") for {paws} or {aws.s3}). Is there a way to set up such tokens with {minioclient}? I could not find the information in the package documentation and my attempts were not successful.

fBedecarrats avatar Jul 02 '23 05:07 fBedecarrats

Thanks for filing the issue. Apparently the underlying client tool doesn't have a mechanism for temporary session tokens at this time, though the data model supports it so users have successfully passed such tokens by just manually editing the config file, see https://github.com/minio/mc/issues/2444 .

If that technique works for you, we could probably add a little helper utility function that would just copy a session token into the config file as described there?

cboettig avatar Jul 02 '23 23:07 cboettig

Thank you! I am travelling with very limited access to internet until July 12th. I'll study that as soon as possible. Thanks again!

fBedecarrats avatar Jul 03 '23 10:07 fBedecarrats

So apparently you can set temporary aliases using environmental variables now instead, like so:

export MC_HOST_<alias>=https://<Access Key>:<Secret Key>:<Session Token>@<YOUR-S3-ENDPOINT>

or in R, something like:

library(glue)

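alias <- "aws" # alias name used in mc paths, e.g. "aws/my-bucket"
AccessKey <- "xxx"
SecretKey <- "yyy"
SessionToken <- "zzz"
endpoint <- "s3.amazonaws.com" # host only; the scheme is added below

# Sys.setenv() takes the variable name as an argument name, so build a named list
value <- glue("https://{AccessKey}:{SecretKey}:{SessionToken}@{endpoint}")
do.call(Sys.setenv, setNames(list(value), glue("MC_HOST_{alias}")))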

The mc client should now understand the alias, e.g.

library(minioclient)
mc_ls("aws/my-bucket")

cboettig avatar Jul 19 '23 05:07 cboettig
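
The environment-variable approach from the comment above, as an added example that is not from the thread or from the minioclient package: it builds MC_HOST_<alias> from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN variables that {paws} and {aws.s3} already read, and hands back only a redacted form for logging. The helper names `set_mc_host_from_env` and `redact_mc_host`, and the restriction on alias characters, are assumptions.

```r
# Added example (not from the thread): build MC_HOST_<alias> from the standard
# AWS_* variables. Both function names are hypothetical helpers.

# Mask the credential part of an MC_HOST value so it can be logged safely.
redact_mc_host <- function(value) {
  sub("^(https?://).*@", "\\1<redacted>@", value)
}

set_mc_host_from_env <- function(alias, endpoint) {
  # Assumption: restrict aliases to characters that are valid in a shell
  # environment variable name.
  if (!grepl("^[A-Za-z][A-Za-z0-9_]*$", alias)) {
    stop("alias must start with a letter and use only letters, digits, '_'")
  }
  creds <- Sys.getenv(
    c("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
  )
  missing <- names(creds)[!nzchar(creds)]
  if (length(missing) > 0) {
    stop("unset environment variable(s): ", paste(missing, collapse = ", "))
  }
  # Accept the endpoint with or without a scheme; default to https.
  scheme <- if (grepl("^http://", endpoint)) "http://" else "https://"
  host <- sub("/+$", "", sub("^https?://", "", endpoint))

  value <- paste0(scheme, paste(creds, collapse = ":"), "@", host)
  # Sys.setenv() takes the variable name as an argument name, hence do.call().
  do.call(Sys.setenv, setNames(list(value), paste0("MC_HOST_", alias)))
  invisible(redact_mc_host(value))
}

# Constructed sample credentials, for illustration only.
Sys.setenv(
  AWS_ACCESS_KEY_ID = "xxx",
  AWS_SECRET_ACCESS_KEY = "yyy",
  AWS_SESSION_TOKEN = "zzz"
)
print(set_mc_host_from_env("aws", "https://s3.amazonaws.com"))
# The unredacted value exists only in the process environment.
stopifnot(Sys.getenv("MC_HOST_aws") == "https://xxx:yyy:zzz@s3.amazonaws.com")
```

Because the value lives in the R process environment and not in the mc JSON config file, an expired session token is replaced by calling the helper again after the AWS_* variables are refreshed.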

I've put another solution in #3, which modifies the config; the other approach mentioned in the thread above, i.e.

to add a sessionToken to the alias, one would do:

mc_config_set(alias = "play", key="sessionToken", value="MyTmpSessionToken")

Given that session tokens usually expire after short intervals, I'm not sure if this is more ergonomic or worse than setting the env var above.

(as you can see, mc_config_set is a thin wrapper around editing the JSON config file -- if session tokens are a common issue, I wonder if it would be more obvious how to deal with them if we inject this into the mc_alias_set() function such that it gains an argument for session_token? However, that would entail providing the access+secret key again as well, while monkey-patching the config with mc_config_set() requires only the new sessionToken).

cboettig avatar Jul 19 '23 05:07 cboettig

> I've put another solution in #3, which modifies the config; the other approach mentioned in the thread above, i.e.
>
> to add a sessionToken to the alias, one would do:
>
> mc_config_set(alias = "play", key="sessionToken", value="MyTmpSessionToken")
>
> Given that session tokens usually expire after short intervals, I'm not sure if this is more ergonomic or worse than setting the env var above.
>
> (as you can see, mc_config_set is a thin wrapper around editing the JSON config file -- if session tokens are a common issue, I wonder if it would be more obvious how to deal with them if we inject this into the mc_alias_set() function such that it gains an argument for session_token? However, that would entail providing the access+secret key again as well, while monkey-patching the config with mc_config_set() requires only the new sessionToken).

This solution would be fine, but mc_alias_set does not work if session_token is not defined in the first place, so you have to do that for all keys (accessKey, secretKey, url...)

Anyway the MC_HOST_<alias> solution described above works fine.

jdlom avatar Nov 25 '23 16:11 jdlom