generated from coulomb/repo-seed
ARTIFACT-STORE-WP-0007 D7.4: STS temporary credential support (session token + refreshable file refs)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -55,4 +55,59 @@ ARTIFACTSTORE_MINIO_SECRET_KEY="$SECRET_KEY" \
|
||||
ARTIFACTSTORE_MINIO_BUCKET="$BUCKET" \
|
||||
make test-minio
|
||||
|
||||
echo "[minio-smoke] PASS — live MinIO round-trip/range/multipart compatibility verified"
|
||||
echo "[minio-smoke] static-credential compatibility PASS"
|
||||
|
||||
# ── STS leg (D7.4): temporary credentials via MinIO AssumeRole ────────────────
|
||||
# Root credentials cannot call AssumeRole, so mint a scoped user first.
|
||||
STS_USER="sts-$(openssl rand -hex 6)"
|
||||
STS_USER_SECRET="$(openssl rand -hex 24)"
|
||||
docker exec -e STS_USER="$STS_USER" -e STS_USER_SECRET="$STS_USER_SECRET" "$CONTAINER" sh -c \
|
||||
'mc admin user add local "$STS_USER" "$STS_USER_SECRET" >/dev/null && mc admin policy attach local readwrite --user "$STS_USER" >/dev/null'
|
||||
echo "[minio-smoke] scoped user created; requesting temporary credentials via STS AssumeRole"
|
||||
|
||||
STS_JSON="$(
|
||||
STS_ENDPOINT="http://127.0.0.1:${MINIO_PORT}" \
|
||||
STS_USER="$STS_USER" STS_USER_SECRET="$STS_USER_SECRET" \
|
||||
uv run --all-extras python - <<'PY'
|
||||
import json
|
||||
import os
|
||||
|
||||
import boto3
|
||||
|
||||
sts = boto3.client(
|
||||
"sts",
|
||||
endpoint_url=os.environ["STS_ENDPOINT"],
|
||||
aws_access_key_id=os.environ["STS_USER"],
|
||||
aws_secret_access_key=os.environ["STS_USER_SECRET"],
|
||||
region_name="us-east-1",
|
||||
)
|
||||
creds = sts.assume_role(
|
||||
RoleArn="arn:minio:iam:::role/dummy",
|
||||
RoleSessionName="artifactstore-d74-smoke",
|
||||
DurationSeconds=900,
|
||||
)["Credentials"]
|
||||
print(
|
||||
json.dumps(
|
||||
{
|
||||
"AccessKeyId": creds["AccessKeyId"],
|
||||
"SecretAccessKey": creds["SecretAccessKey"],
|
||||
"SessionToken": creds["SessionToken"],
|
||||
}
|
||||
)
|
||||
)
|
||||
PY
|
||||
)"
|
||||
|
||||
TEMP_ACCESS_KEY="$(python3 -c 'import json,sys; print(json.loads(sys.argv[1])["AccessKeyId"])' "$STS_JSON")"
|
||||
TEMP_SECRET_KEY="$(python3 -c 'import json,sys; print(json.loads(sys.argv[1])["SecretAccessKey"])' "$STS_JSON")"
|
||||
TEMP_SESSION_TOKEN="$(python3 -c 'import json,sys; print(json.loads(sys.argv[1])["SessionToken"])' "$STS_JSON")"
|
||||
|
||||
ARTIFACTSTORE_MINIO_ENDPOINT_URL="http://127.0.0.1:${MINIO_PORT}" \
|
||||
ARTIFACTSTORE_MINIO_ACCESS_KEY="$TEMP_ACCESS_KEY" \
|
||||
ARTIFACTSTORE_MINIO_SECRET_KEY="$TEMP_SECRET_KEY" \
|
||||
ARTIFACTSTORE_MINIO_SESSION_TOKEN="$TEMP_SESSION_TOKEN" \
|
||||
ARTIFACTSTORE_MINIO_BUCKET="$BUCKET" \
|
||||
make test-minio
|
||||
|
||||
echo "[minio-smoke] temporary-credential (STS session token) compatibility PASS"
|
||||
echo "[minio-smoke] PASS — live MinIO static + STS round-trip/range/multipart compatibility verified"
|
||||
|
||||
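Review bot: The temporary credentials are handed to `python3 -c` as a command-line argument three times (the trailing `"$STS_JSON"` on the `TEMP_ACCESS_KEY`, `TEMP_SECRET_KEY` and `TEMP_SESSION_TOKEN` lines), which puts the secret key and session token into the process argv, readable by any local user through `ps` or `/proc/*/cmdline` for the duration of each call; the STS leg exists to avoid long-lived static secrets, so the short-lived ones should not be exposed this way either. Feed the JSON over stdin instead: `TEMP_ACCESS_KEY="$(printf '%s' "$STS_JSON" | python3 -c 'import json,sys; print(json.load(sys.stdin)["AccessKeyId"])')"`, with the same shape for the other two lines. The `sts-*` user created with the `readwrite` policy is never removed, so if the MinIO container outlives this script (its lifecycle is not visible in this hunk) a failed run leaves an extra read-write identity behind; a `trap 'docker exec "$CONTAINER" mc admin user remove local "$STS_USER"' EXIT` right after the user is added would close that gap. The enclosing script starts before the first line of this hunk.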