Comments (29)
@harshavardhana do You think that it is possible to implement this feature soon?
from mc.
Yeah it's minor stuff.
from mc.
cool! That's awesome. So in Your opinion, You will be able to implement it and if yes, what is the approximate date of the feature? It is very urgent for our daily basis.
Just for confirmation, I would like to setup MC_HOST_s3 based on IAM roles. Usually I should be able to retrieve the temporary ACCESS/SECRET/TOKEN values using AWS CLI but it is not available on minio image or mc.
from mc.
fixed in #4763
from mc.
@harshavardhana can You explain me how we can setup the MC_HOST_s3 now? How to retrieve the temp creds?
from mc.
> @harshavardhana can You explain me how we can setup the MC_HOST_s3 now? How to retrieve the temp creds?

```
MC_HOST_s3=https://s3.amazonaws.com
MC_WEB_IDENTITY_TOKEN_FILE=
MC_ROLE_ARN=
```
Obtain web identity token file and role arn
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc
Just like how you would set
```
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access
```
You should set the above values for mc.
from mc.
@harshavardhana I added MC_HOST_s3=https://s3.amazonaws.com and I have the envs AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access
as well.
Looks like it is trying to use them but I'm getting
mc: <ERROR> Failed to copy `http://opencti-minio:9000/opencti-bucket/import/Artifact/xxxxxxx`. Insufficient permissions to access this path `https://s3.amazonaws.com/xxxxx/opencti-bucket/import/Artifact/xxxxxxxx`
Do You have any idea if something is still missing or maybe the role is not taken properly? I can see in AWS console that the role is not used in my last hours.
from mc.
There is 403 error and Access Denied in debug mode to S3 bucket.
from mc.
Looks like the MC_HOST_s3 is not taking the temporary Access Key, Secret Key and Session Token into account
We have MC_HOST_s3=https://s3.amazonaws.com/
but should be https:/$ACCESS_KEY:$SECRET_KEY:$[email protected]
But how to retrieve these values?
from mc.
> @harshavardhana I added MC_HOST_s3=https://s3.amazonaws.com and I have the envs AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
> AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access

@robert-pudlowski-mox with mc you must use MC_ envs, not AWS_ - I had mentioned it clearly that our values are the equivalent of what AWS CLI provides.
```
MC_HOST_s3=https://s3.amazonaws.com
MC_WEB_IDENTITY_TOKEN_FILE=
MC_ROLE_ARN=
```
from mc.
@harshavardhana sure! I already checked it as well but nothing has changed.
My minio deployment definition:
```
ENVS:
- name: MC_HOST_s3
  value: https://s3.ap-east-1.amazonaws.com
- name: MC_WEB_IDENTITY_TOKEN_FILE
  value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
- name: MC_ROLE_ARN
  value: arn:aws:iam::xxx:role/xxx-role
```
But the issue is still the same
from mc.
I have the IAM role assigned to service account which is used by pod. So it should be fine. It works for ILM with the role and service account.
from mc.
> @harshavardhana sure! I already checked it as well but nothing has changed.
> My minio deployment definition:
> ENVS:
> - name: MC_HOST_s3
>   value: https://s3.ap-east-1.amazonaws.com
> - name: MC_WEB_IDENTITY_TOKEN_FILE
>   value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
> - name: MC_ROLE_ARN
>   value: arn:aws:iam::xxx:role/xxx-role
>
> But the issue is still the same

When you are doing this can you `mc ls --debug` and share the output?
from mc.
```
mc ls --debug s3/xxxx-bucket
mc: HEAD / HTTP/1.1
Host: xxxx-bucket.s3.dualstack.ap-east-1.amazonaws.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.63 mc/RELEASE.2023-11-15T22-45-58Z
mc: HTTP/1.1 403 Forbidden
Connection: close
Content-Type: application/xml
Date: Fri, 17 Nov 2023 13:07:27 GMT
Server: AmazonS3
X-Amz-Bucket-Region: ap-east-1
X-Amz-Id-2: P/VItbk7pmEJeRpQXkysYdd6enKcApaptywzGAKWJLn2mm3zFrFQg652CNCIvo0047t+Vp9lqls=
X-Amz-Request-Id: ZKBVWFC696YS785Y
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2024-03-03 23:59:59 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: Response Time: 29.588739ms
mc: HEAD / HTTP/1.1
Host: xxxx-bucket.s3.dualstack.ap-east-1.amazonaws.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.63 mc/RELEASE.2023-11-15T22-45-58Z
mc: HTTP/1.1 403 Forbidden
Connection: close
Content-Type: application/xml
Date: Fri, 17 Nov 2023 13:07:27 GMT
Server: AmazonS3
X-Amz-Bucket-Region: ap-east-1
X-Amz-Id-2: gtwD1VlExVFnhd9pxeHKeWXhSf6EI7Qa46lr4xLPoJJN/VbKIe1L1VJkQDZr5OAyY9IWmxcY62U=
X-Amz-Request-Id: ZKBXK9CRAGV9R0NG
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2024-03-03 23:59:59 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: Response Time: 4.413231ms
mc: Unable to list folder. Access Denied.
(2) ls.go:239 cmd.doList(..) Tags: [https://s3.ap-east-1.amazonaws.com/xxxx-bucket]
(1) client-s3.go:2364 cmd.(*S3Client).listInRoutine(..) Tags: [xxxx-bucket]
(0) client-s3.go:2330 cmd.(*S3Client).bucketStat(..)
Release-Tag:RELEASE.2023-11-15T22-45-58Z | Commit:4724c024c6de | Host:opencti-minio-8bd97bd7c-5lk65 | OS:linux | Arch:amd64 | Lang:go1.21.4 | Mem:3.0 MiB/15 MiB | Heap:3.0 MiB/7.4 MiB
```
from mc.
And what are the environment variables set before using mc ?
from mc.
@harshavardhana what do You mean?
All the envs which I am adding to the deployment:
```
env:
  - name: MINIO_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        key: MINIO_ACCESS_KEY
        name: opencti
  - name: MINIO_SECRET_KEY
    valueFrom:
      secretKeyRef:
        key: MINIO_SECRET_KEY
        name: opencti
  - name: S3_BUCKET_NAME
    valueFrom:
      secretKeyRef:
        key: S3_BUCKET_NAME
        name: opencti
  - name: MC_HOST_s3
    value: https://s3.ap-east-1.amazonaws.com
  - name: MC_WEB_IDENTITY_TOKEN_FILE
    value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
  - name: MC_ROLE_ARN
    value: arn:aws:iam::xx:role/xxxx-role
```
Nothing more :) There are of course some default environments which come from EKS. Any idea how to deal with the STS for S3?
from mc.
And what is the version of mc - can you provide `mc --version` output?
from mc.
I use the minio image: minio/minio:RELEASE.2023-11-15T20-43-25Z
from mc.
> I use the minio image: minio/minio:RELEASE.2023-11-15T20-43-25Z

Have you used latest mc? https://github.com/minio/mc/releases/tag/RELEASE.2023-11-15T22-45-58Z
The mc inside MinIO container is not the latest
from mc.
ah I see your problem you have not set the MC_STS_ENDPOINT
@robert-pudlowski-mox
from mc.
In your ENV this must be set to perhaps https://sts.ap-east-1.amazonaws.com
from mc.
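By this point the thread has named four variables for web-identity access: MC_HOST_s3, MC_WEB_IDENTITY_TOKEN_FILE, MC_ROLE_ARN and MC_STS_ENDPOINT. The preflight below is an added example, not part of the original comments or of mc; `check_mc_sts_env` is a hypothetical helper, and its https and ARN-shape checks are extra sanity checks the thread does not mention.

```shell
# check_mc_sts_env is a hypothetical helper (added example). It reads only the
# environment and the token file; it makes no call to AWS or to mc.
check_mc_sts_env() {
    rc=0
    for v in MC_HOST_s3 MC_WEB_IDENTITY_TOKEN_FILE MC_ROLE_ARN MC_STS_ENDPOINT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] && continue
        echo "missing: $v" >&2
        rc=1
        # First mistake in the thread: only the AWS_ equivalents were set.
        case $v in
            MC_WEB_IDENTITY_TOKEN_FILE|MC_ROLE_ARN)
                eval "aws_val=\${AWS_${v#MC_}:-}"
                if [ -n "$aws_val" ]; then
                    echo "  AWS_${v#MC_} is set, but mc reads $v" >&2
                fi ;;
        esac
    done
    # The service-account token must exist and be non-empty.
    if [ -n "${MC_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ ! -s "$MC_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "token file missing or empty: $MC_WEB_IDENTITY_TOKEN_FILE" >&2
        rc=1
    fi
    # The token is sent to the STS endpoint, so require TLS.
    case ${MC_STS_ENDPOINT:-https://} in
        https://*) ;;
        *) echo "MC_STS_ENDPOINT is not https" >&2; rc=1 ;;
    esac
    # Shape check only; the account id and role name are not validated.
    case ${MC_ROLE_ARN:-arn:aws:iam::x:role/x} in
        arn:*:iam::*:role/*) ;;
        *) echo "MC_ROLE_ARN does not look like an IAM role ARN" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo: the environment as first posted in the thread (no MC_STS_ENDPOINT).
(
    tok=$(mktemp) && echo "constructed-token" > "$tok"
    export MC_HOST_s3=https://s3.ap-east-1.amazonaws.com
    export MC_WEB_IDENTITY_TOKEN_FILE="$tok" MC_ROLE_ARN=arn:aws:iam::xxx:role/xxx-role
    unset MC_STS_ENDPOINT
    check_mc_sts_env || echo "preflight failed"
    rm -f "$tok"
)
```

Run it in the pod before `mc ls --debug`; a non-zero return means the 403 is likely a configuration gap rather than an IAM policy problem.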
@harshavardhana thanks man! it works. One more question. After adding the env MC_STS_ENDPOINT=https://sts.ap-east-1.amazonaws.com, now I can not add alias for local minio deployment which was working before:
```
mc alias set myminio http://opencti-minio:9000 $MINIO_ACCESS_KEY $MINIO_SECRET_KEY
mc: Configuration written to /tmp/.mc/config.json. Please update your access credentials.
mc: Successfully created /tmp/.mc/share.
mc: Initialized share uploads /tmp/.mc/share/uploads.json file.
mc: Initialized share downloads /tmp/.mc/share/downloads.json file.
mc: Unable to initialize new alias from the provided credentials. The Access Key Id you provided does not exist in our records.
```
Any idea how to make the S3 alias and minio local working?
from mc.
@robert-pudlowski-mox right now that is not possible - I have to think about adding that support.
from mc.
@harshavardhana so how can I copy files from local minio to S3 bucket if I'm not able to connect in the same time to local minio and S3 bucket? :D
Now I can just send something to S3 bucket or I can only connect to local minio but not both.
from mc.
@harshavardhana and one more question, if I have the configuration setup for S3 bucket (MC_HOST_s3, MC_STS_ENDPOINT etc..) does the ilm which is already in place and setup for local minio and ilm with S3 tier will work? Or it will stop working?
from mc.
> @harshavardhana so how can I copy files from local minio to S3 bucket if I'm not able to connect in the same time to local minio and S3 bucket? :D
> Now I can just send something to S3 bucket or I can only connect to local minio but not both.

Correct this is something that needs to be fixed.
from mc.
> @harshavardhana and one more question, if I have the configuration setup for S3 bucket (MC_HOST_s3, MC_STS_ENDPOINT etc..) does the ilm which is already in place and setup for local minio and ilm with S3 tier will work? Or it will stop working?

mc changes won't affect ILM which is server side config.
from mc.
This is fully fixed here #4771
from mc.