Add role ARN support for OIDC identity provider #13651
Merged
This requires minio/minio-go#1582 and minio/pkg#16
donatello force-pushed the role-policy branch from 79c37b0 to 550ed3b (November 13, 2021 00:51)
donatello force-pushed the role-policy branch 3 times, most recently from 3112ee4 to eba15ac (November 13, 2021 00:56)
are you not planning to add multiple open_id connectors?
Yes, I'm planning to add it subsequently.
donatello force-pushed the role-policy branch 7 times, most recently from 0201f3b to edd3ce9 (November 16, 2021 00:22)
harshavardhana requested changes Nov 16, 2021
donatello force-pushed the role-policy branch 2 times, most recently from ce2fb3b to e3fbf7b (November 16, 2021 07:57)
donatello force-pushed the role-policy branch from e3fbf7b to c2b01f2 (November 16, 2021 19:56)
donatello force-pushed the role-policy branch 6 times, most recently from 57f08ff to d5ad1d4 (November 19, 2021 07:49)
Fixed conflicts PTAL reviewers @harshavardhana @vadmeste @krisis @Alevsk
harshavardhana previously requested changes Nov 19, 2021
donatello force-pushed the role-policy branch 3 times, most recently from 1af32b3 to 1dc6384 (November 24, 2021 19:19)
- Allows setting a role policy parameter when configuring OIDC provider
- When role policy is set, server prints a role ARN usable in STS API requests
- The given role policy is applied to STS API requests when the roleARN parameter is provided.
- Service accounts for role policy are also possible and work as expected.
donatello force-pushed the role-policy branch from 1dc6384 to 293f9d4 (November 24, 2021 19:34)
harshavardhana approved these changes Nov 25, 2021
harshavardhana requested changes Nov 25, 2021
harshavardhana approved these changes Nov 25, 2021
This was referenced Nov 27, 2021
rbuchnajzer pushed a commit to rbuchnajzer/minio that referenced this pull request Dec 7, 2021
- Allows setting a role policy parameter when configuring OIDC provider
- When role policy is set, the server prints a role ARN usable in STS API requests
- The given role policy is applied to STS API requests when the roleARN parameter is provided.
- Service accounts for role policy are also possible and work as expected.
Description
- Allows setting a role policy parameter when configuring OIDC provider
- When role policy is set, server prints a role ARN usable in STS API requests
- The given role policy is applied to STS API requests when the roleARN parameter is provided.
- Service accounts for role policy are also possible and work as expected.
Role Policy takes precedence when set. When the role policy is set the policy claims from the ID provider are ignored.
Motivation and Context
Add support for roles in STSWebIdentity. This will allow configuring access policies for users authenticated from OpenID without having to set up claims in the identity provider to return access policies via the ID token (JWT).
How to test this PR?
Specify role ARN printed out by the server in the AssumeRoleWithIdentity STS API.
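The precedence rule stated in the description above, modelled as an added example that is not MinIO's code or part of this pull request. The type, field and function names are hypothetical, the claim name `policy` and the role ARN are constructed placeholders, and rejecting a missing or mismatched role ARN when a role policy is configured is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// providerConfig models the OIDC provider settings discussed in this PR.
// Field names are hypothetical, not MinIO's.
type providerConfig struct {
	RolePolicy string // comma-separated policy names; empty = not configured
	RoleARN    string // ARN the server prints when RolePolicy is set
	ClaimName  string // ID-token claim holding policy names (assumed "policy")
}

var errDenied = errors.New("sts request denied")

// splitPolicies turns "a, b" into ["a" "b"], dropping empty entries.
func splitPolicies(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' })
}

// effectivePolicies returns the policies applied to an STS web-identity request.
func effectivePolicies(cfg providerConfig, roleARN string, claims map[string]interface{}) ([]string, error) {
	if cfg.RolePolicy != "" {
		// Role policy takes precedence: token claims are never consulted.
		// Assumption: a missing or mismatched roleARN is rejected instead of
		// falling back to claim-based policy.
		if roleARN != cfg.RoleARN {
			return nil, fmt.Errorf("%w: role ARN mismatch", errDenied)
		}
		return splitPolicies(cfg.RolePolicy), nil
	}
	if roleARN != "" {
		return nil, fmt.Errorf("%w: no role configured", errDenied)
	}
	raw, _ := claims[cfg.ClaimName].(string)
	if pols := splitPolicies(raw); len(pols) > 0 {
		return pols, nil
	}
	return nil, fmt.Errorf("%w: no policy claim in token", errDenied)
}

func main() {
	cfg := providerConfig{RolePolicy: "readonly", RoleARN: "arn:minio:iam:::role/EXAMPLE", ClaimName: "policy"}
	// Constructed token claims that ask for more than the role grants.
	claims := map[string]interface{}{"sub": "alice", "policy": "consoleAdmin"}
	fmt.Println(effectivePolicies(cfg, cfg.RoleARN, claims))
}
```

With a role policy configured, the `policy` claim in the token has no effect on the result, which is the property to check when reviewing an identity provider that can mint arbitrary claims.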