AssumeRoleWithWebIdentity with MinIO #3711

ceuser1 · 2025-03-19T11:44:16Z

ceuser1
Mar 19, 2025

I am using Keycloak with OpenID and MinIO. To be able to use MinIO from my c# client I need to retrieve temporary access credentials from the AssumeRoleWithWebIdentity endpoint. The code below aaaaaalmost works, but the problem is that an AWS Authorization HTTP header is added to the request, and this somehow confuses MinIO so it returns Unsupported action AssumeRoleWithWebIdentity error.

If I manually send the same HTTP request to MinIO, but remove the Authorization header, then it works. Any option to remove the Authorization header?

The call to AssumeRoleWithWebIdentity shouldn't need access and secret keys, because it already contains the openid access_token.

            var config = new AmazonSecurityTokenServiceConfig
            {
                ServiceURL = "http://localhost:19008",
            };
            var client = new AmazonSecurityTokenServiceClient("dummy", "dummy", config);
            var request = new AssumeRoleWithWebIdentityRequest
            {
                DurationSeconds = 3600,
                WebIdentityToken = "... OIDC access_token I get from Keycloak ...",
            };
            var response = await client.AssumeRoleWithWebIdentityAsync(request);

HTTP POST:

Answered by ashishdhingra

Mar 24, 2025

@ceuser1 Good afternoon. Thanks for starting the discussion. You may try using a customer HttpHandler as demonstrated in video AWS re:Invent 2023 - Getting the most performance for your .NET apps from AWS SDK for .NET (XNT401).

Below is the sample code:

using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

Amazon.AWSConfigs.HttpClientFactory = new CustomHttpClientFactory();

var config = new AmazonSecurityTokenServiceConfig
{
    ServiceURL = "http://localhost:19008",
};
var client = new AmazonSecurityTokenServiceClient("dummy", "dummy", config);
var request = new AssumeRoleWithWebIdentityRequest
{
    DurationSeconds = 3600,
    WebIdentityToken = "... OIDC…

View full answer

ashishdhingra · 2025-03-24T21:31:48Z

ashishdhingra
Mar 24, 2025
Maintainer

@ceuser1 Good afternoon. Thanks for starting the discussion. You may try using a customer HttpHandler as demonstrated in video AWS re:Invent 2023 - Getting the most performance for your .NET apps from AWS SDK for .NET (XNT401).

Below is the sample code:

using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

Amazon.AWSConfigs.HttpClientFactory = new CustomHttpClientFactory();

var config = new AmazonSecurityTokenServiceConfig
{
    ServiceURL = "http://localhost:19008",
};
var client = new AmazonSecurityTokenServiceClient("dummy", "dummy", config);
var request = new AssumeRoleWithWebIdentityRequest
{
    DurationSeconds = 3600,
    WebIdentityToken = "... OIDC access_token I get from Keycloak ...",
};
var testResponse = await client.AssumeRoleWithWebIdentityAsync(request);

class CustomHttpClientFactory : Amazon.Runtime.HttpClientFactory
{
    public override HttpClient CreateHttpClient(IClientConfig clientConfig)
    {
        Console.WriteLine("Creating custom HttpClient");
        var socketHandler = new SocketsHttpHandler();

        var httpClient = new HttpClient(new CustomClientHandler { InnerHandler = socketHandler });
        return httpClient;
    }
}

class CustomClientHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        request.Headers.Remove("Authorization");
        return base.SendAsync(request, cancellationToken);
    }
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AssumeRoleWithWebIdentity with MinIO #3711

{{title}}

Replies: 1 comment

{{title}}

Select a reply

AssumeRoleWithWebIdentity with MinIO #3711

ceuser1 Mar 19, 2025

Replies: 1 comment

ashishdhingra Mar 24, 2025 Maintainer

ceuser1
Mar 19, 2025

ashishdhingra
Mar 24, 2025
Maintainer