Comments (29)

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana do you think that it is possible to implement this feature soon?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

Yeah it's minor stuff.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

Cool! That's awesome. So in your opinion, you will be able to implement it and if yes, what is the approximate date of the feature? It is very urgent for our daily basis.

Just for confirmation, I would like to set up MC_HOST_s3 based on IAM roles. Usually I should be able to retrieve the temporary ACCESS/SECRET/TOKEN values using AWS CLI but it is not available on minio image or mc.

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

fixed in #4763

from mc.

rpudlowski93 avatar rpudlowski93 commented on June 1, 2024

@harshavardhana can you explain to me how we can set up the MC_HOST_s3 now? How to retrieve the temp creds?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> @harshavardhana can you explain to me how we can set up the MC_HOST_s3 now? How to retrieve the temp creds?

MC_HOST_s3=https://s3.amazonaws.com
MC_WEB_IDENTITY_TOKEN_FILE=
MC_ROLE_ARN=

Obtain web identity token file and role arn

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc

Just like how you would set

AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access

You should set the above values for mc.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana I added MC_HOST_s3=https://s3.amazonaws.com and I have the envs AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access

as well.

Looks like it is trying to use them but I'm getting
mc: <ERROR> Failed to copy http://opencti-minio:9000/opencti-bucket/import/Artifact/xxxxxxx`. Insufficient permissions to access this path `https://s3.amazonaws.com/xxxxx/opencti-bucket/import/Artifact/xxxxxxxx``

Do you have any idea if something is still missing or maybe the role is not taken properly? I can see in AWS console that the role has not been used in the last hours.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

There is 403 error and Access Denied in debug mode to S3 bucket.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

Looks like the MC_HOST_s3 is not taking the temporary Access Key, Secret Key and Session Token into account

We have MC_HOST_s3=https://s3.amazonaws.com/
but should be https:/$ACCESS_KEY:$SECRET_KEY:$[email protected]

But how to retrieve these values?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> @harshavardhana I added MC_HOST_s3=https://s3.amazonaws.com and I have the envs AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
> AWS_ROLE_ARN=arn:aws:iam::xxxxxxxxxxxx:role/s3-access

@robert-pudlowski-mox with mc you must use MC_ envs, not AWS_ - I had mentioned clearly that our values are the equivalent of what AWS CLI provides.

MC_HOST_s3=https://s3.amazonaws.com
MC_WEB_IDENTITY_TOKEN_FILE=
MC_ROLE_ARN=

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana sure! I already checked it as well but nothing has changed.

My minio deployment definition:

ENVS:

    - name: MC_HOST_s3
      value: https://s3.ap-east-1.amazonaws.com
    - name: MC_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    - name: MC_ROLE_ARN
      value: arn:aws:iam::xxx:role/xxx-role

But the issue is still the same

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

I have the IAM role assigned to service account which is used by pod. So it should be fine. It works for ILM with the role and service account.

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> @harshavardhana sure! I already checked it as well but nothing has changed.
>
> My minio deployment definition:
>
> ENVS:
>
>     - name: MC_HOST_s3
>       value: https://s3.ap-east-1.amazonaws.com
>     - name: MC_WEB_IDENTITY_TOKEN_FILE
>       value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
>     - name: MC_ROLE_ARN
>       value: arn:aws:iam::xxx:role/xxx-role
>
> But the issue is still the same

When you are doing this can you run mc ls --debug and share the output?

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana

```
mc ls --debug s3/xxxx-bucket
mc: HEAD / HTTP/1.1
Host: xxxx-bucket.s3.dualstack.ap-east-1.amazonaws.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.63 mc/RELEASE.2023-11-15T22-45-58Z

mc: HTTP/1.1 403 Forbidden
Connection: close
Content-Type: application/xml
Date: Fri, 17 Nov 2023 13:07:27 GMT
Server: AmazonS3
X-Amz-Bucket-Region: ap-east-1
X-Amz-Id-2: P/VItbk7pmEJeRpQXkysYdd6enKcApaptywzGAKWJLn2mm3zFrFQg652CNCIvo0047t+Vp9lqls=
X-Amz-Request-Id: ZKBVWFC696YS785Y

mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2024-03-03 23:59:59 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: Response Time: 29.588739ms

mc: HEAD / HTTP/1.1
Host: xxxx-bucket.s3.dualstack.ap-east-1.amazonaws.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.63 mc/RELEASE.2023-11-15T22-45-58Z

mc: HTTP/1.1 403 Forbidden
Connection: close
Content-Type: application/xml
Date: Fri, 17 Nov 2023 13:07:27 GMT
Server: AmazonS3
X-Amz-Bucket-Region: ap-east-1
X-Amz-Id-2: gtwD1VlExVFnhd9pxeHKeWXhSf6EI7Qa46lr4xLPoJJN/VbKIe1L1VJkQDZr5OAyY9IWmxcY62U=
X-Amz-Request-Id: ZKBXK9CRAGV9R0NG

mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2024-03-03 23:59:59 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Amazon
mc: >> Expires: 2030-08-23 22:21:28 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2037-12-31 01:00:00 +0000 UTC
mc: TLS Certificate found:
mc: >> Country: US
mc: >> Organization: Starfield Technologies, Inc.
mc: >> Expires: 2034-06-28 17:39:16 +0000 UTC
mc: Response Time: 4.413231ms

mc: Unable to list folder. Access Denied.
(2) ls.go:239 cmd.doList(..) Tags: [https://s3.ap-east-1.amazonaws.com/xxxx-bucket]
(1) client-s3.go:2364 cmd.(*S3Client).listInRoutine(..) Tags: [xxxx-bucket]
(0) client-s3.go:2330 cmd.(*S3Client).bucketStat(..)
Release-Tag:RELEASE.2023-11-15T22-45-58Z | Commit:4724c024c6de | Host:opencti-minio-8bd97bd7c-5lk65 | OS:linux | Arch:amd64 | Lang:go1.21.4 | Mem:3.0 MiB/15 MiB | Heap:3.0 MiB/7.4 MiB
```

from mc.

rpudlowski93 avatar rpudlowski93 commented on June 1, 2024

@harshavardhana ??

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

And what are the environment variables set before using mc ?

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana what do you mean?

All the envs which I am adding to the deployment:

    env:
    - name: MINIO_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          key: MINIO_ACCESS_KEY
          name: opencti
    - name: MINIO_SECRET_KEY
      valueFrom:
        secretKeyRef:
          key: MINIO_SECRET_KEY
          name: opencti
    - name: S3_BUCKET_NAME
      valueFrom:
        secretKeyRef:
          key: S3_BUCKET_NAME
          name: opencti
    - name: MC_HOST_s3
      value: https://s3.ap-east-1.amazonaws.com
    - name: MC_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    - name: MC_ROLE_ARN
      value: arn:aws:iam::xx:role/xxxx-role

Nothing more :) There are of course some default environments which come from EKS. Any idea how to deal with the STS for S3?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

And what is the version of mc - can you provide mc --version output?

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

I use the minio image: minio/minio:RELEASE.2023-11-15T20-43-25Z

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> I use the minio image: minio/minio:RELEASE.2023-11-15T20-43-25Z

Have you used latest mc? https://github.com/minio/mc/releases/tag/RELEASE.2023-11-15T22-45-58Z

The mc inside MinIO container is not the latest

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

Ah, I see your problem: you have not set the MC_STS_ENDPOINT @robert-pudlowski-mox

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

In your ENV this must be set to perhaps https://sts.ap-east-1.amazonaws.com

from mc.
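
The settings this thread arrives at (MC_HOST_s3, MC_WEB_IDENTITY_TOKEN_FILE, MC_ROLE_ARN, MC_STS_ENDPOINT) can be checked before mc is run. The preflight below is an added example, not part of the original comments or of mc; the function name `mc_webid_preflight` is hypothetical, and it only inspects the environment and the token file.

```shell
#!/bin/sh
# Added example: preflight for the mc web-identity settings named in this thread.
# It inspects the environment and the token file only; it never calls AWS or mc.
# The function name is hypothetical; the alias name "s3" follows the thread.

# Prints one FAIL line per problem and returns the number of problems found.
mc_webid_preflight() {
    problems=0
    fail() { printf 'FAIL: %s\n' "$1"; problems=$((problems + 1)); }

    [ -n "${MC_HOST_s3:-}" ] || fail "MC_HOST_s3 is not set"

    # Per the thread, mc wants MC_* names; AWS_* equivalents alone did not work.
    for suffix in WEB_IDENTITY_TOKEN_FILE ROLE_ARN; do
        eval "mc_val=\${MC_${suffix}:-}; aws_val=\${AWS_${suffix}:-}"
        if [ -z "$mc_val" ] && [ -n "$aws_val" ]; then
            fail "MC_${suffix} is not set (only AWS_${suffix} is)"
        elif [ -z "$mc_val" ]; then
            fail "MC_${suffix} is not set"
        fi
    done

    # The projected service-account token must be readable and non-empty.
    tf="${MC_WEB_IDENTITY_TOKEN_FILE:-}"
    if [ -n "$tf" ] && { [ ! -r "$tf" ] || [ ! -s "$tf" ]; }; then
        fail "token file $tf is missing, unreadable or empty"
    fi

    # Loose shape check: arn:<partition>:iam::<account>:role/<name>
    case "${MC_ROLE_ARN:-}" in
        "" | arn:*:iam::*:role/?*) ;;
        *) fail "MC_ROLE_ARN does not look like an IAM role ARN" ;;
    esac

    # The setting that was missing in the thread's 403 case.
    case "${MC_STS_ENDPOINT:-}" in
        "") fail "MC_STS_ENDPOINT is not set" ;;
        http://* | https://*) ;;
        *) fail "MC_STS_ENDPOINT is not a URL" ;;
    esac

    return "$problems"
}
```

Source the file inside the pod and call `mc_webid_preflight`; a return status of 0 means all four settings are present and well-formed, not that the role's trust policy or bucket permissions are correct.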

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana thanks man! It works. One more question. After adding the env MC_STS_ENDPOINT=https://sts.ap-east-1.amazonaws.com, now I cannot add an alias for the local minio deployment which was working before:

mc alias set myminio http://opencti-minio:9000 $MINIO_ACCESS_KEY $MINIO_SECRET_KEY
mc: Configuration written to /tmp/.mc/config.json. Please update your access credentials.
mc: Successfully created /tmp/.mc/share.
mc: Initialized share uploads /tmp/.mc/share/uploads.json file.
mc: Initialized share downloads /tmp/.mc/share/downloads.json file.
mc: Unable to initialize new alias from the provided credentials. The Access Key Id you provided does not exist in our records.

Any idea how to make the S3 alias and the local minio work?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

@robert-pudlowski-mox right now that is not possible - I have to think about adding that support.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana so how can I copy files from local minio to S3 bucket if I'm not able to connect at the same time to local minio and S3 bucket? :D

Now I can just send something to S3 bucket or I can only connect to local minio but not both.

from mc.

robert-pudlowski-mox avatar robert-pudlowski-mox commented on June 1, 2024

@harshavardhana and one more question, if I have the configuration set up for S3 bucket (MC_HOST_s3, MC_STS_ENDPOINT etc.), will the ilm which is already in place and set up for local minio, and ilm with S3 tier, still work? Or will it stop working?

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> @harshavardhana so how can I copy files from local minio to S3 bucket if I'm not able to connect at the same time to local minio and S3 bucket? :D
>
> Now I can just send something to S3 bucket or I can only connect to local minio but not both.

Correct, this is something that needs to be fixed.

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

> @harshavardhana and one more question, if I have the configuration set up for S3 bucket (MC_HOST_s3, MC_STS_ENDPOINT etc.), will the ilm which is already in place and set up for local minio, and ilm with S3 tier, still work? Or will it stop working?

mc changes won't affect ILM, which is server-side config.

from mc.

harshavardhana avatar harshavardhana commented on June 1, 2024

This is fully fixed here #4771

from mc.
