Native IAM Authentication for Kubernetes.
⚠️ This feature is a Beta release starting with Operator v6.x; it was released in Beta on Operator v5.x.
MinIO Operator offers support for Secure Tokens (a.k.a. STS), which are a form of temporary access credentials for your MinIO Tenant. In essence, this allows you to control access to your MinIO Tenant from your applications without having to explicitly create credentials for each application; in fact, no credentials need to be created at all.
For an application to gain access into a MinIO Tenant, a PolicyBinding granting explicit access to the application's Service Account must exist in the Tenant namespace. Authorization is then validated using the following steps:
- AssumeRoleWithWebIdentity call
- Verify ServiceAccount JWT
- JWT Validation Result
- Validate SA has PolicyBinding in the Tenant namespace
- Get PolicyBinding
- AssumeRole for application
- Obtain Temporary Credentials
- Return Temporary Credentials To App
- Consume Object Storage
Operator STS was first introduced in v5.0.0, turned off by default; starting with Operator v5.0.11 the STS feature ships on by default.
On versions > 5.0.0 and < 5.0.11, turn it on by setting OPERATOR_STS_ENABLED to on in the minio-operator deployment.
The STS functionality works only with TLS configured. We can request certificates automatically, but additionally you can use cert-manager or bring your own certificates.
Your application must use an SDK that supports AssumeRole-like behavior.
We have provided example usage in the examples/kustomization/sts-example folder.
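The AssumeRoleWithWebIdentity exchange from the steps above, written as an added example with only the Go standard library; it is not the sample client from examples/kustomization/sts-example and not Operator code. It assumes the Operator STS listens at https://sts.minio-operator.svc.cluster.local:4223/sts/<tenant-namespace>, that the tenant namespace is minio-tenant-1, that the response uses the AWS STS XML format, and that the JWT is the pod's mounted ServiceAccount token.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// Credentials holds the temporary credentials the Operator STS returns.
type Credentials struct {
	AccessKeyId, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}
// assumeRoleResponse mirrors the AWS-style AssumeRoleWithWebIdentity XML body.
type assumeRoleResponse struct {
	XMLName xml.Name `xml:"AssumeRoleWithWebIdentityResponse"`
	Result  struct {
		Credentials Credentials `xml:"Credentials"`
	} `xml:"AssumeRoleWithWebIdentityResult"`
}
// AssumeRoleWithWebIdentity posts the pod's ServiceAccount JWT to the Operator STS
// endpoint of one tenant namespace; client must trust the CA of the STS certificate.
func AssumeRoleWithWebIdentity(client *http.Client, stsEndpoint, saToken string, d time.Duration) (*Credentials, error) {
	form := url.Values{"Action": {"AssumeRoleWithWebIdentity"}, "Version": {"2011-06-15"},
		"WebIdentityToken": {saToken}, "DurationSeconds": {fmt.Sprint(int(d.Seconds()))}}
	resp, err := client.PostForm(stsEndpoint, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Non-200: the JWT failed validation or no PolicyBinding names this ServiceAccount.
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("sts returned %s: no credentials issued", resp.Status)
	}
	var parsed assumeRoleResponse
	if err := xml.NewDecoder(resp.Body).Decode(&parsed); err != nil {
		return nil, err
	}
	return &parsed.Result.Credentials, nil
}

func main() { // in-cluster usage; the tenant namespace minio-tenant-1 is assumed
	tok, _ := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
	ep := "https://sts.minio-operator.svc.cluster.local:4223/sts/minio-tenant-1"
	fmt.Println(AssumeRoleWithWebIdentity(http.DefaultClient, ep, strings.TrimSpace(string(tok)), time.Hour))
}
```

The returned AccessKeyId, SecretAccessKey and SessionToken are what the application then hands to its S3 client for the tenant; they expire at Expiration, so a long-running pod repeats the exchange rather than caching them indefinitely.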