minio/minio-dotnet

.NET 8.x IAMAWSProvider is not usable with version 6.0.2

ddudda174 opened this issue · 1 comments

I wanted to access an Amazon S3 instance within a Docker container with an IAM role (assigned to the EC2 instance).

There seems to be a problem with the example code here, which does not work with the current version 6.0.2.

The MinioClient cannot be created with this example, because there's an if-condition inside the Build() method which checks on any assigned providers (e.g. the used IAMAWSProvider) in combination with a SessionToken.

And here lies my problem, because there's no SessionToken available yet, and this always results (at least for me) in the error message "User Access Credentials Provider not initialized correctly.". The MinioClient (with the use of WithCredentialsProvider(provider)) has to be built first and then assigned to the created IAMAWSProvider instance via WithMinioClient(minio).

However, I was able to establish access to the S3 instance with the following code (the example code would certainly be better to use):

```csharp
using var minioClient = new MinioClient().WithEndpoint("s3.amazonaws.com")
                                         .WithSSL()
                                         .WithCredentials("fakeaccess", "fakesecret")
                                         .WithRegion(regionName)
                                         .Build();

minioClient.WithCredentialsProvider(new IAMAWSProvider(minioClient.Config.Endpoint, minioClient));
```

Due to the problem mentioned above, the provider can only be assigned after the MinioClient has been built. I find the unnecessary calling of the "WithCredentials" method unpleasant, but without it you get an error that the user credentials (which we don't need here anyway) have not been initialized.

You should at least adjust the example code to a working example. Looking forward to a proper fix of this problem :)

Well, I investigated this further. This change might fix the usage error, so you can now use the IAMAWSProvider as intended, but it was still not working properly for me. I couldn't download files via PresignedObjectUrls from it; the browser shows them as damaged or invalid files.

I've changed my logic to retrieve the SessionToken and Credentials manually from S3 SLS Endpoints and then initialized the MinioClient with it. Now downloads work. The current logic inside IAMAWSProvider should be checked.

Currently this is working for me:

```csharp
// retrieves required credentials and sessionToken from SLS Endpoints
var s3Token = await _tokenProvider.GetS3AccessTokenAsync();

minioClient.WithCredentials(s3Token.AccessKeyId, s3Token.SecretAccessKey)
    .WithSessionToken(s3Token.Token)
    .WithRegion(bucket.Region); // for me it's "eu-central-1"
```

Inside the GetS3AccessTokenAsync helper method I request a token from http://169.254.169.254/latest/api/token with the default X-aws-ec2-metadata-token-ttl-seconds header (21600) and then use this token to get the credentials from http://169.254.169.254/latest/meta-data/iam/security-credentials/<iam-role-name-here> (replace "<iam-role-name-here>" with actual role name) using the previously requested token inside the X-aws-ec2-metadata-token header.
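
The two-step metadata exchange described in the comment above, written out as an added C# example; it is not the commenter's helper and not minio-dotnet code. The type names `ImdsCredentials` and `ImdsCredentialSource`, the `roleName` parameter, the two-second timeout and the five-minute refresh margin are assumptions; the endpoints and headers are the ones named in the comment, and the `HttpClient` can be injected so the class can be driven by a stub handler off EC2.

```csharp
// Added example (hypothetical type names); not the commenter's helper, not minio-dotnet code.
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

public sealed record ImdsCredentials(
    string AccessKeyId, string SecretAccessKey, string Token, DateTimeOffset Expiration)
{
    // Records print every property by default; keep the secrets out of logs.
    public override string ToString() => $"ImdsCredentials({AccessKeyId}, expires {Expiration:O})";
}

public sealed class ImdsCredentialSource
{
    private static readonly Uri Imds = new("http://169.254.169.254/");
    private readonly HttpClient _http;
    private ImdsCredentials? _cached; // not synchronized; single caller assumed

    // Short timeout (assumed value): off EC2 the link-local address does not answer.
    public ImdsCredentialSource(HttpClient? http = null) =>
        _http = http ?? new HttpClient { Timeout = TimeSpan.FromSeconds(2) };

    public async Task<ImdsCredentials> GetS3AccessTokenAsync(string roleName, CancellationToken ct = default)
    {
        // Role credentials are temporary: reuse them only until 5 minutes before expiry.
        if (_cached is not null && _cached.Expiration - DateTimeOffset.UtcNow > TimeSpan.FromMinutes(5))
            return _cached;

        // Step 1: IMDSv2 hands out the session token in response to a PUT.
        using var tokenReq = new HttpRequestMessage(HttpMethod.Put, new Uri(Imds, "latest/api/token"));
        tokenReq.Headers.Add("X-aws-ec2-metadata-token-ttl-seconds", "21600");
        using var tokenResp = await _http.SendAsync(tokenReq, ct);
        tokenResp.EnsureSuccessStatusCode();
        var imdsToken = await tokenResp.Content.ReadAsStringAsync(ct);

        // Step 2: fetch the role's credentials, presenting that token.
        var path = "latest/meta-data/iam/security-credentials/" + Uri.EscapeDataString(roleName);
        using var credReq = new HttpRequestMessage(HttpMethod.Get, new Uri(Imds, path));
        credReq.Headers.Add("X-aws-ec2-metadata-token", imdsToken);
        using var credResp = await _http.SendAsync(credReq, ct);
        credResp.EnsureSuccessStatusCode();
        var json = await credResp.Content.ReadAsStringAsync(ct);

        _cached = JsonSerializer.Deserialize<ImdsCredentials>(json)
                  ?? throw new InvalidOperationException("IMDS returned an empty credentials document.");
        return _cached;
    }
}
```

Because the returned credentials expire, fetch them again and reapply them to the client before long-running work rather than setting them once at startup. From inside a Docker container on bridge networking, the token PUT can time out when the instance's metadata response hop limit is 1.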