AssumeRoleWithWebIdentity with MinIO #3711
I am using Keycloak with OpenID and MinIO. To be able to use MinIO from my C# client I need to retrieve temporary access credentials from the  If I manually send the same HTTP request to MinIO, but remove the  The call to

```csharp
var config = new AmazonSecurityTokenServiceConfig
{
    ServiceURL = "http://localhost:19008",
};
var client = new AmazonSecurityTokenServiceClient("dummy", "dummy", config);
var request = new AssumeRoleWithWebIdentityRequest
{
    DurationSeconds = 3600,
    WebIdentityToken = "... OIDC access_token I get from Keycloak ...",
};
var response = await client.AssumeRoleWithWebIdentityAsync(request);
```
  
Replies: 2 comments

@ceuser1 Good afternoon. Thanks for starting the discussion. You may try using a custom HttpHandler as demonstrated in video AWS re:Invent 2023 - Getting the most performance for your .NET apps from AWS SDK for .NET (XNT401). Below is the sample code:

```csharp
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Route the SDK's HTTP calls through the custom factory defined below.
Amazon.AWSConfigs.HttpClientFactory = new CustomHttpClientFactory();

var config = new AmazonSecurityTokenServiceConfig
{
    ServiceURL = "http://localhost:19008",
};
var client = new AmazonSecurityTokenServiceClient("dummy", "dummy", config);
var request = new AssumeRoleWithWebIdentityRequest
{
    DurationSeconds = 3600,
    WebIdentityToken = "... OIDC access_token I get from Keycloak ...",
};
var testResponse = await client.AssumeRoleWithWebIdentityAsync(request);

class CustomHttpClientFactory : Amazon.Runtime.HttpClientFactory
{
    public override HttpClient CreateHttpClient(IClientConfig clientConfig)
    {
        Console.WriteLine("Creating custom HttpClient");
        var socketHandler = new SocketsHttpHandler();
        var httpClient = new HttpClient(new CustomClientHandler { InnerHandler = socketHandler });
        return httpClient;
    }
}

class CustomClientHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Drop the Authorization header the SDK adds before the request leaves the client.
        request.Headers.Remove("Authorization");
        return base.SendAsync(request, cancellationToken);
    }
}
```

@ceuser1 you can achieve the same in a much simpler way, by creating the STS client with
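
The handler in the first reply strips the Authorization header from the SDK's request; the sketch below sends the same AssumeRoleWithWebIdentity call as an unsigned form POST with a plain `HttpClient` and parses the returned temporary credentials. It is an added example, not code from the thread or from the AWS SDK: the endpoint is the one from the question, `StsWebIdentity` and `TempCredentials` are hypothetical names, and the `Version` value and response element names follow the AWS STS API and are assumed to match what the server returns.

```csharp
// Added example, not from the thread. Assumes .NET 6+ implicit usings.
using System.Globalization;
using System.Xml.Linq;

// Endpoint taken from the question; the token value is a placeholder.
var endpoint = new Uri("http://localhost:19008");
var creds = await StsWebIdentity.ExchangeAsync(new HttpClient(), endpoint, "<OIDC token from Keycloak>", 3600);
// Print only non-secret fields.
Console.WriteLine($"Temporary key {creds.AccessKeyId} expires {creds.Expiration:u}");

record TempCredentials(string AccessKeyId, string SecretAccessKey, string SessionToken, DateTimeOffset Expiration);

static class StsWebIdentity // hypothetical helper name
{
    public static async Task<TempCredentials> ExchangeAsync(HttpClient http, Uri endpoint, string token, int seconds)
    {
        // The token is a bearer credential: allow plain HTTP only to a loopback endpoint.
        if (endpoint.Scheme != Uri.UriSchemeHttps && !endpoint.IsLoopback)
            throw new InvalidOperationException("Refusing to send the token over plain HTTP.");

        using var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["Action"] = "AssumeRoleWithWebIdentity",
            ["Version"] = "2011-06-15", // STS API version string (assumed accepted by the server)
            ["DurationSeconds"] = seconds.ToString(CultureInfo.InvariantCulture),
            ["WebIdentityToken"] = token,
        });

        // Plain HttpClient: no credentials, so no Authorization header is sent.
        using var response = await http.PostAsync(endpoint, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException($"STS returned HTTP {(int)response.StatusCode}: {body}");
        return Parse(body);
    }

    // Reads the Credentials element by local name, so the XML namespace does not matter.
    public static TempCredentials Parse(string xml)
    {
        var c = XDocument.Parse(xml).Descendants().FirstOrDefault(e => e.Name.LocalName == "Credentials")
            ?? throw new InvalidDataException("No Credentials element in the STS response.");
        string Get(string name) => c.Elements().FirstOrDefault(e => e.Name.LocalName == name)?.Value
            ?? throw new InvalidDataException($"Missing {name} in the STS response.");
        return new TempCredentials(Get("AccessKeyId"), Get("SecretAccessKey"), Get("SessionToken"),
            DateTimeOffset.Parse(Get("Expiration"), CultureInfo.InvariantCulture));
    }
}
```

The three returned values can be passed to the SDK's `SessionAWSCredentials` to build an S3 client; treat them like any other secret and refresh them before `Expiration`.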