S3 credentials API #2
Comments
|
Thanks for the links, this is all good to know! I didn't know how far MinIO's emulation of the S3 API extended. The current (questionably functioning) code is here. In theory, one could override the service endpoint for STS to point to MinIO, but I wouldn't try it until the S3 implementation works The other main barrier right now is that even with wire-level API compatibility, the bucket names and regions are hard-coded, so outside of testing where folks are building the codebase, some upstream changes would need to be made for a setup like this to work |
|
Good investigation work. I'm all in for upstream changes, and will support the argumentation, when due. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The readme mentions short-lived S3 credentials, which are passed to the current client for syncing, and considers how to mobilise Minio for that.
I'm bringing this up, because there are a few ways this could be achieved with Minio and its Secure Token Service (STS), a bit depending on the authentication scheme used for a LogSeq Sync endpoint.
Given the spread of its adoption, it may be safe to assume OIDC here, not having to develop an external identity management plugin for Minio? Or can there be a more generic way to create temporary tokens, which is unified across S3 implementations?
The S3 itself can also store the documents in an encrypted way, and uses an external KMS in conjunction with the Kes.dev keyserver, but that's a totally different subject.
The text was updated successfully, but these errors were encountered: