AssumeRoleWithWebIdentity - cniackz/public GitHub Wiki

  • My initial step was to create my tenant-lite as usual:
kustomize build "github.com/minio/operator/resources/?timeout=120&ref=v5.0.15" > public-operator.yaml
oc apply -f public-operator.yaml

kustomize build "github.com/minio/operator/examples/kustomization/tenant-lite/?timeout=120&ref=v5.0.15" > tenant.yaml
oc apply -f tenant.yaml
  • This was the password I used, and it worked: password, but it has to be put into the Dex configuration as a hash:
# bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
  • I was able to obtain the token:
root@testpod:/# curl -s -X POST http://dex.dex.svc.cluster.local:5556/token   -H "Content-Type: application/x-www-form-urlencoded"   -u "minio-app:minio-secret"   -d "grant_type=password"   -d "[email protected]"   -d "password=password"   -d "scope=openid"
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk3MmY4NDEwNjAwNmI5YTEyNmVlMDhiN2RiY2JjZmI3ZGI1ZThhODkifQ.eyJpc3MiOiJodHRwOi8vZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDo1NTU2Iiwic3ViIjoiQ2dNeE1qTVNCV3h2WTJGcyIsImF1ZCI6Im1pbmlvLWFwcCIsImV4cCI6MTc1MDg5Njg0NCwiaWF0IjoxNzUwODEwNDQ0LCJhdF9oYXNoIjoibjVPT1hGVmVlczltRklMQTRicFYyUSJ9.lA1ViPQP7NwVRS_3GQJQItGwWTsZePoVP_3t44bTW_rmKVe4dIRH14z1rKl0JCpqmJqPAMGaL99xbvmcwHLCfs6sjg-cZQjjBCKaMeTbSRCWQaBCB4NpBOmY2ez1je_kJPhlFDE6y082mABZF1t5iWso74DjRGwR9FjKy3D4E8qG_tpf37A19q4KcBsrVA2fOHXK3l2SytQgVs7Z2PE8svxdj3525SRk4r1KHDVoo0PFdVXwYrXIIXTBN9IzGtfT3iBBiAIj3Ksz5GtUgVVzLVT4q5GhqYopnig0TfA6xHLbaU1rm9oa5gcdKXadJrOYyGCAyea_KMCZFTE5hjQ7BQ",
  "token_type": "bearer",
  "expires_in": 86399,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk3MmY4NDEwNjAwNmI5YTEyNmVlMDhiN2RiY2JjZmI3ZGI1ZThhODkifQ.eyJpc3MiOiJodHRwOi8vZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDo1NTU2Iiwic3ViIjoiQ2dNeE1qTVNCV3h2WTJGcyIsImF1ZCI6Im1pbmlvLWFwcCIsImV4cCI6MTc1MDg5Njg0NCwiaWF0IjoxNzUwODEwNDQ0LCJhdF9oYXNoIjoiSTNTZlNWLUtIYzRBZTVHUWhTSG9DUSJ9.HPXKezTzpAC1ph8AGX0Ov68-l7MdrUmObqeB8Lr-dPrxqLCX6jkRlxmggsa1KjyMnrYMNsoH3WptlL8nRjitDQVx4R9hkjfwI1CrwL02qHoHlPeeXV2RykyDeENXVRf0MCZArZ90hsj8KPVngWFoctFkeKYahdx4js4xZglmvyrrNXJCwby4pgbVEc2hMnDuW-RqphUQxCoGdDhMJe5il6Z4deTQa6fzEM1PhDoZgk-QpOpwW94ozymQxg-k028_Bkv1kBoNM5fSbF3UJ_aj3U_bM0c9Pmnm_n6zJ_pKf7CsHYci236duP5eqLAMxBsZnvITyYp9RQS2iFoqLt9PVg"
}
  • TODO: Investigate the difference between access_token and id_token; maybe I did not use the right one.
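The following is an added example (not part of the original wiki page or of MinIO/Dex) that looks at the id_token returned above the way MinIO will: it decodes the JWT header and claims, checks iss against the issuer in MINIO_IDENTITY_OPENID_CONFIG_URL, checks aud against MINIO_IDENTITY_OPENID_CLIENT_ID, checks exp, and checks for the policy claim MinIO needs when no MINIO_IDENTITY_OPENID_ROLE_POLICY is configured (MinIO's default claim name is policy). It also decodes Dex's opaque sub, which is base64url of a two-field protobuf (user_id, conn_id). The signature is deliberately not verified here; this is an inspection aid, MinIO itself verifies the signature against the JWKS published by the issuer. The token and the issuer/client values are copied from this page; the `now` timestamps in the usage are assumptions chosen inside the token's validity window.

```python
"""Inspect a Dex-issued JWT the way MinIO will read it (claims only, no signature check)."""
import base64
import json
import time

# Values taken from the Dex config and tenant env on this page.
ISSUER = "http://dex.dex.svc.cluster.local:5556"
CLIENT_ID = "minio-app"
POLICY_CLAIM = "policy"  # MinIO default for MINIO_IDENTITY_OPENID_CLAIM_NAME

# The id_token Dex returned above (copied from this page).
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk3MmY4NDEwNjAwNmI5YTEyNmVlMDhiN2RiY2JjZmI3ZGI1ZThhODkifQ."
    "eyJpc3MiOiJodHRwOi8vZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDo1NTU2Iiwic3ViIjoiQ2dNeE1qTVNCV3h2WTJGcyIs"
    "ImF1ZCI6Im1pbmlvLWFwcCIsImV4cCI6MTc1MDg5Njg0NCwiaWF0IjoxNzUwODEwNDQ0LCJhdF9oYXNoIjoiSTNTZlNWLUtI"
    "YzRBZTVHUWhTSG9DUSJ9."
    "HPXKezTzpAC1ph8AGX0Ov68-l7MdrUmObqeB8Lr-dPrxqLCX6jkRlxmggsa1KjyMnrYMNsoH3WptlL8nRjitDQVx4R9hkjfw"
    "I1CrwL02qHoHlPeeXV2RykyDeENXVRf0MCZArZ90hsj8KPVngWFoctFkeKYahdx4js4xZglmvyrrNXJCwby4pgbVEc2hMnDu"
    "W-RqphUQxCoGdDhMJe5il6Z4deTQa6fzEM1PhDoZgk-QpOpwW94ozymQxg-k028_Bkv1kBoNM5fSbF3UJ_aj3U_bM0c9Pmnm"
    "_n6zJ_pKf7CsHYci236duP5eqLAMxBsZnvITyYp9RQS2iFoqLt9PVg"
)


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in JWT segments and in Dex's sub."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_parts(token: str) -> tuple:
    """Return (header, claims) of a compact JWS. The signature is NOT verified."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def decode_dex_sub(sub: str) -> dict:
    """Dex encodes sub as base64url(protobuf{1: user_id, 2: conn_id}).
    Minimal parser for length-delimited fields with one-byte lengths (enough for Dex)."""
    raw = b64url_decode(sub)
    names = {1: "user_id", 2: "conn_id"}
    out, i = {}, 0
    while i < len(raw):
        tag, length = raw[i], raw[i + 1]
        field, wire_type = tag >> 3, tag & 7
        if wire_type != 2 or length > 127:
            raise ValueError("unexpected protobuf encoding in sub")
        out[names.get(field, str(field))] = raw[i + 2 : i + 2 + length].decode()
        i += 2 + length
    return out


def check_for_minio(token: str, issuer: str = ISSUER, client_id: str = CLIENT_ID,
                    policy_claim: str = POLICY_CLAIM, now: float = None) -> list:
    """Return the problems MinIO would hit with this token in claim-based mode.
    An empty list means the claims look usable; MinIO still verifies the signature."""
    now = time.time() if now is None else now
    header, claims = jwt_parts(token)
    problems = []
    if header.get("alg") == "none":
        problems.append("alg=none is never acceptable")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if policy_claim not in claims:
        problems.append(f"no {policy_claim!r} claim: MinIO cannot map this identity to a policy "
                        "unless MINIO_IDENTITY_OPENID_ROLE_POLICY is set")
    return problems


if __name__ == "__main__":
    hdr, clm = jwt_parts(ID_TOKEN)
    print("header:", hdr)
    print("claims:", clm)
    print("dex sub:", decode_dex_sub(clm["sub"]))
    # Assumed timestamp inside the token's iat..exp window, so only the missing claim is reported.
    print("problems:", check_for_minio(ID_TOKEN, now=1750810500))
```

Run as-is it reports exactly one problem for the token above: iss and aud match the tenant env, but there is no policy claim, which is what claim-based mapping in MinIO keys on. Dex's staticPasswords have no place to add arbitrary claims, so with Dex the practical route is MINIO_IDENTITY_OPENID_ROLE_POLICY on the tenant. The decoded sub confirms the identity is userID 123 on the local connector from the Dex config above.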

  • The Dex configuration I used was this:

replicaCount: 1

connectors:
  - type: local
    id: local
    name: Email Password

config:
  issuer: http://dex.dex.svc.cluster.local:5556
  enablePasswordDB: true
  storage:
    type: memory
  web:
    http: 0.0.0.0:5556
  oauth2:
    passwordConnector: local
    allowedGrantTypes: ["password"]
  staticClients:
    - id: minio-app
      name: MinIO Console
      secret: minio-secret
      redirectURIs:
        - https://minio.tenant-lite.svc.cluster.local/oauth_callback
  staticPasswords:
    - email: [email protected]
      username: alice
      userID: "123"
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
  • The way I deployed Dex was this:
$ helm upgrade dex dex/dex -n dex -f dex.yaml
Release "dex" has been upgraded. Happy Helming!
NAME: dex
LAST DEPLOYED: Tue Jun 24 18:06:21 2025
NAMESPACE: dex
STATUS: deployed
REVISION: 16
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace dex -l "app.kubernetes.io/name=dex,app.kubernetes.io/instance=dex" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace dex $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace dex port-forward $POD_NAME 8080:$CONTAINER_PORT
  • I got stuck on the ARN:
root@testpod:/# curl -k -X POST "https://minio.tenant-lite.svc.cluster.local" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "Action=AssumeRoleWithWebIdentity" \
  -d "Version=2011-06-15" \
  -d "WebIdentityToken=eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk3MmY4NDEwNjAwNmI5YTEyNmVlMDhiN2RiY2JjZmI3ZGI1ZThhODkifQ.eyJpc3MiOiJodHRwOi8vZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDo1NTU2Iiwic3ViIjoiQ2dNeE1qTVNCV3h2WTJGcyIsImF1ZCI6Im1pbmlvLWFwcCIsImV4cCI6MTc1MDg5Njg0NCwiaWF0IjoxNzUwODEwNDQ0LCJhdF9oYXNoIjoiSTNTZlNWLUtIYzRBZTVHUWhTSG9DUSJ9.HPXKezTzpAC1ph8AGX0Ov68-l7MdrUmObqeB8Lr-dPrxqLCX6jkRlxmggsa1KjyMnrYMNsoH3WptlL8nRjitDQVx4R9hkjfwI1CrwL02qHoHlPeeXV2RykyDeENXVRf0MCZArZ90hsj8KPVngWFoctFkeKYahdx4js4xZglmvyrrNXJCwby4pgbVEc2hMnDuW-RqphUQxCoGdDhMJe5il6Z4deTQa6fzEM1PhDoZgk-QpOpwW94ozymQxg-k028_Bkv1kBoNM5fSbF3UJ_aj3U_bM0c9Pmnm_n6zJ_pKf7CsHYci236duP5eqLAMxBsZnvITyYp9RQS2iFoqLt9PVg" \
  -d "RoleSessionName=alice-session" \
  -d "RoleArn=consoleAdmin"
<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type></Type><Code>InvalidParameterValue</Code><Message>Error processing RoleArn parameter: RoleARN parse err: invalid ARN string format</Message></Error><RequestId>184C229E3B69957A</RequestId></ErrorResponse>
  • The tenant configuration at that last point was:
spec:
  certConfig: {}
  configuration:
    name: storage-configuration
  env:
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: http://dex.dex.svc.cluster.local:5556/.well-known/openid-configuration
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: minio-app
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: minio-secret
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: https://minio.tenant-lite.svc.cluster.local:9443/oauth_callback
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: openid,profile,email
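MinIO has two ways to decide which policy an OpenID identity gets, and the two requests on this page mix them. Without MINIO_IDENTITY_OPENID_ROLE_POLICY, MinIO reads a policy claim from the JWT (claim name from MINIO_IDENTITY_OPENID_CLAIM_NAME, default policy) and the request must not carry RoleArn at all. With MINIO_IDENTITY_OPENID_ROLE_POLICY set, MinIO ignores the claim, generates a role ARN of the form arn:minio:iam:::role/... for this provider and prints it in the server log at startup, and that ARN is what goes into RoleArn. consoleAdmin is a policy name, not an ARN, which is exactly what the parse error says. The following is an added example of the tenant env for the role-policy route; it is not from the original page. The secretKeyRef name and key are assumptions, the rest reuses the values already on the page. Two things worth checking while here: the redirectURIs entry in the Dex staticClients above has no port, while MINIO_IDENTITY_OPENID_REDIRECT_URI below uses :9443, and Dex matches redirect URIs exactly, so the Console browser login would fail on that mismatch even though the STS call does not use it; and an issuer on plain http means MinIO fetches the discovery document and JWKS unauthenticated in transit, acceptable in a lab only.

```yaml
# Added example: tenant env for MinIO OpenID with a fixed role policy.
# Not from the original page; secretKeyRef name/key are assumptions.
spec:
  certConfig: {}
  configuration:
    name: storage-configuration
  env:
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: http://dex.dex.svc.cluster.local:5556/.well-known/openid-configuration
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: minio-app
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    # Keep the client secret out of the CRD spec; assumed Secret "dex-minio-client" with key "secret".
    valueFrom:
      secretKeyRef:
        name: dex-minio-client
        key: secret
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    # Must match the Dex staticClients redirectURIs entry character for character.
    value: https://minio.tenant-lite.svc.cluster.local:9443/oauth_callback
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: openid,profile,email
  - name: MINIO_IDENTITY_OPENID_ROLE_POLICY
    # Every identity from this provider gets this policy; the JWT policy claim is ignored.
    # MinIO prints the matching "arn:minio:iam:::role/..." ARN in its log at startup;
    # pass that ARN as RoleArn in AssumeRoleWithWebIdentity.
    value: consoleAdmin
```

After the tenant pods restart, grep the MinIO server log for "arn:minio:iam:::role/" and use that value, not the policy name, in the STS request. If the goal is instead per-user policies, stay in claim-based mode, drop RoleArn and RoleSessionName from the request, and get the identity provider to put a policy claim into the ID token; Dex's local password connector has no mechanism for that.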
  • I still have problems with the policy; many people on the internet say it is the MinIO configuration:
root@testpod:/# curl -k -X POST "https://minio.tenant-lite.svc.cluster.local" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "Action=AssumeRoleWithWebIdentity" \
  -d "Version=2011-06-15" \
  -d "WebIdentityToken=eyJhbGciOiJSUzI1NiIsImtpZCI6ImU3MzQwNDU5YTU2MTgzZGY2YjRjMmE1NmQ2OTVjNGRiZjVjODJiMGEifQ.eyJpc3MiOiJodHRwOi8vZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDo1NTU2Iiwic3ViIjoiQ2dNeE1qTVNCV3h2WTJGcyIsImF1ZCI6Im1pbmlvLWFwcCIsImV4cCI6MTc1MDk0NDc0NSwiaWF0IjoxNzUwODU4MzQ1LCJhdF9oYXNoIjoiR1ZKVURBT29nWTlSQ09TbDVzRzJNQSJ9.RUmCMOWHSBYESvgmzHeimxsWQbZkhLRO7LxxCX4o-EGQMJ3W14DyFILb5ON-6eVYyovwc5IkZ54373pWDwPUBnvGMw-6E9qE--ejcTbC9v61Wdff6Wkytq64s6VqATCthSojj-15IVP3WT4pbwzbgORh2IxCylfUapGS2OXsTbepNiFaBEnTq18wEIHOK3CGQ--BeyheyRa6DIvw44Mp3gdhVLxkyvV-b68DfK0EBFY50ncKtWf3xV5npXUjypNHoP0Sx5sYpzn_owBhCAR2tsBxWFBd5-ZqMksVoF1wtwW99RWi8qIA8fUiY4oDU4NV9y7cJv5QEQWCNBv_ocETzQ" \
  -d "RoleSessionName=alice-session" \
  -d "RoleArn=consoleAdmin"
<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type></Type><Code>InvalidParameterValue</Code><Message>Error processing RoleArn parameter: RoleARN parse err: invalid ARN string format</Message></Error><RequestId>184C4C8F2C55CD09</RequestId></ErrorResponse>
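The following is an added example (not from the original page, nor MinIO's or Dex's own code) that builds the AssumeRoleWithWebIdentity form body the two curl calls above send, rejecting a RoleArn that is not a MinIO role ARN before the request ever leaves the client, and parses the STS XML reply into either the error seen above or a set of temporary credentials. The ErrorResponse sample is the one MinIO returned on this page; the success response is constructed here in the STS response shape (Credentials with AccessKeyId, SecretAccessKey, SessionToken, Expiration) with placeholder values, and the ARN used in the usage is a placeholder, not one MinIO generated. Sending the request is left to the caller (curl with the returned body, or any HTTP client) so the block runs offline.

```python
"""Build a MinIO AssumeRoleWithWebIdentity request and parse the STS XML reply."""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
MINIO_ROLE_ARN_PREFIX = "arn:minio:iam:::role/"

# The error MinIO returned on this page for RoleArn=consoleAdmin.
ERROR_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type></Type>'
    "<Code>InvalidParameterValue</Code><Message>Error processing RoleArn parameter: "
    "RoleARN parse err: invalid ARN string format</Message></Error>"
    "<RequestId>184C4C8F2C55CD09</RequestId></ErrorResponse>"
)

# Constructed sample of a successful reply (placeholder values, not real credentials).
SUCCESS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
    "<AssumeRoleWithWebIdentityResult><Credentials>"
    "<AccessKeyId>CONSTRUCTEDKEY</AccessKeyId><SecretAccessKey>CONSTRUCTEDSECRET</SecretAccessKey>"
    "<SessionToken>CONSTRUCTEDSESSIONTOKEN</SessionToken>"
    "<Expiration>2025-06-25T18:00:00Z</Expiration>"
    "</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"
)


def is_minio_role_arn(value: str) -> bool:
    """MinIO only accepts the role ARN it generated for the OpenID provider
    (printed at startup when MINIO_IDENTITY_OPENID_ROLE_POLICY is set)."""
    return value.startswith(MINIO_ROLE_ARN_PREFIX) and len(value) > len(MINIO_ROLE_ARN_PREFIX)


def build_sts_body(web_identity_token: str, role_arn: Optional[str] = None,
                   session_name: str = "alice-session",
                   duration_seconds: Optional[int] = None) -> str:
    """Return the application/x-www-form-urlencoded body for POST to the MinIO endpoint.
    role_arn=None is claim-based mode (policy comes from the JWT); otherwise it must be
    the arn:minio:iam:::role/... value MinIO printed, never a bare policy name."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": web_identity_token,
        "RoleSessionName": session_name,
    }
    if role_arn is not None:
        if not is_minio_role_arn(role_arn):
            raise ValueError(
                f"RoleArn {role_arn!r} is not a MinIO role ARN; either omit RoleArn "
                f"(claim-based mode) or pass the {MINIO_ROLE_ARN_PREFIX}... value from the server log"
            )
        params["RoleArn"] = role_arn
    if duration_seconds is not None:
        # Optional; MinIO bounds the session by the token's exp when this is longer.
        params["DurationSeconds"] = str(duration_seconds)
    return urllib.parse.urlencode(params)


def parse_sts_response(body: str) -> dict:
    """Turn the STS XML reply into a dict: ok=False with code/message, or ok=True with credentials."""
    root = ET.fromstring(body)
    if root.tag == STS_NS + "ErrorResponse":
        err = root.find(STS_NS + "Error")
        return {
            "ok": False,
            "code": err.findtext(STS_NS + "Code"),
            "message": err.findtext(STS_NS + "Message"),
            "request_id": root.findtext(STS_NS + "RequestId"),
        }
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("reply is neither an ErrorResponse nor carries Credentials")
    fields = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    return {"ok": True, **{name: creds.findtext(STS_NS + name) for name in fields}}


if __name__ == "__main__":
    print(parse_sts_response(ERROR_XML))
    try:
        build_sts_body("<id_token>", role_arn="consoleAdmin")  # the mistake made above
    except ValueError as exc:
        print("rejected locally:", exc)
    # Placeholder ARN standing in for the one MinIO prints at startup.
    print(build_sts_body("<id_token>", role_arn="arn:minio:iam:::role/EXAMPLE", duration_seconds=3600))
    print(parse_sts_response(SUCCESS_XML))
```

The local ARN check reproduces MinIO's decision ("invalid ARN string format") without a round trip, which is what makes a load test of this endpoint meaningful: once the request is shaped correctly, every failure that comes back is a server-side one. The credentials a successful call returns are what go into MINIO access key, secret key and session token for subsequent S3 requests, and they expire with the JWT.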
  • In any case, what I want to continue doing later on is to stress-test AssumeRoleWithWebIdentity and have it respond without the ARN error, for later.