S3 credentials API

[almereyda]

The readme mentions short-lived S3 credentials, which are passed to the current client for syncing, and considers how to mobilise Minio for that.

I'm bringing this up, because there are a few ways this could be achieved with Minio and its Secure Token Service (STS), a bit depending on the authentication scheme used for a LogSeq Sync endpoint.

• AssumeRoleWithWebIdentity — MinIO Object Storage for Linux
• AssumeRoleWithCustomToken — MinIO Object Storage for Linux
  • MinIO External Identity Management Plugin — MinIO Object Storage for Linux
• I left out the LDAP example.

Given the spread of its adoption, it may be safe to assume OIDC here, not having to develop an external identity management plugin for Minio? Or can there be a more generic way to create temporary tokens, which is unified across S3 implementations?

---

The S3 itself can also store the documents in an encrypted way, and uses an external KMS in conjunction with the Kes.dev keyserver, but that's a totally different subject.

• minio/kes: Key Managament Server [not just] for Object Storage
• MinIO Object Storage · minio/kes Wiki

[bcspragu]

Thanks for the links, this is all good to know! I didn't know how far MinIO's emulation of the S3 API extended. The current (questionably functioning) code is here. In theory, one could override the service endpoint for STS to point to MinIO, but I wouldn't try it until the S3 implementation works

The other main barrier right now is that even with wire-level API compatibility, the bucket names and regions are hard-coded, so outside of testing where folks are building the codebase, some upstream changes would need to be made for a setup like this to work

[almereyda]

Good investigation work. I'm all in for upstream changes, and will support the argumentation, when due.