add credentials.NewSTSWebIdentityWithPolicy method

The `NewSTSWebIdentityWithPolicy` allows fetching credentials that are narrowed down to the specified policy. This is useful when a client requires less rights then it actually has. The returned credentials will have the intersection of the requested policy and the assigned policies.
minio · Oct 10, 2024 · 7f07883 · 7f07883
1 parent cca4103
commit 7f07883
Showing 1 changed file with 23 additions and 2 deletions.
diff --git a/pkg/credentials/sts_web_identity.go b/pkg/credentials/sts_web_identity.go
@@ -85,13 +85,30 @@ type STSWebIdentity struct {
 	// assuming.
 	RoleARN string
 
+	// Policy is the policy where the credentials should be limited too.
+	Policy string
+
 	// roleSessionName is the identifier for the assumed role session.
 	roleSessionName string
 }
 
 // NewSTSWebIdentity returns a pointer to a new
 // Credentials object wrapping the STSWebIdentity.
 func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error)) (*Credentials, error) {
+	return newSTSWebIdentity(stsEndpoint, "", getWebIDTokenExpiry)
+}
+
+// NewSTSWebIdentityWithPolicy returns a pointer to a new
+// Credentials object wrapping the STSWebIdentity that is
+// scoped to the specified policy
+func NewSTSWebIdentityWithPolicy(stsEndpoint, policy string, getWebIDTokenExpiry func() (*WebIdentityToken, error)) (*Credentials, error) {
+	if policy == "" {
+		return nil, errors.New("policy cannot be empty")
+	}
+	return newSTSWebIdentity(stsEndpoint, policy, getWebIDTokenExpiry)
+}
+
+func newSTSWebIdentity(stsEndpoint, policy string, getWebIDTokenExpiry func() (*WebIdentityToken, error)) (*Credentials, error) {
 	if stsEndpoint == "" {
 		return nil, errors.New("STS endpoint cannot be empty")
 	}
@@ -103,11 +120,12 @@ func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdent
 			Transport: http.DefaultTransport,
 		},
 		STSEndpoint:         stsEndpoint,
+		Policy:              policy,
 		GetWebIDTokenExpiry: getWebIDTokenExpiry,
 	}), nil
 }
 
-func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSessionName string,
+func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSessionName string, policy string,
 	getWebIDTokenExpiry func() (*WebIdentityToken, error),
 ) (AssumeRoleWithWebIdentityResponse, error) {
 	idToken, err := getWebIDTokenExpiry()
@@ -133,6 +151,9 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 	if idToken.Expiry > 0 {
 		v.Set("DurationSeconds", fmt.Sprintf("%d", idToken.Expiry))
 	}
+	if policy != "" {
+		v.Set("Policy", policy)
+	}
 	v.Set("Version", STSVersion)
 
 	u, err := url.Parse(endpoint)
@@ -183,7 +204,7 @@ func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSession
 // Retrieve retrieves credentials from the MinIO service.
 // Error will be returned if the request fails.
 func (m *STSWebIdentity) Retrieve() (Value, error) {
-	a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.RoleARN, m.roleSessionName, m.GetWebIDTokenExpiry)
+	a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.RoleARN, m.roleSessionName, m.Policy, m.GetWebIDTokenExpiry)
 	if err != nil {
 		return Value{}, err
 	}