Appendix. Issue AWS STS
This document provides guidance on generating and using temporary security credentials to control access to AWS S3 resources using AWS Security Token Service (AWS STS).
Info: For the list of supported S3 API features provided by KakaoCloud, refer to the S3 documentation.
Before you start
For the prerequisites required to invoke the API, refer to the API preparation documentation.
Issue STS token
Use AssumeRoleWithWebIdentity to issue an access key ID, secret access key, and security token for accessing AWS resources. Temporary credentials can be generated using an OpenStack token based on the permissions of the token's user.
Request
Issue STS token
curl -X POST 'https://objectstorage.{region_name}.kakaocloud.com/' \
--header 'Accept: */*' \
--header 'Content-Type: application/json' \
--data-raw '{
"Action" : "AssumeRoleWithWebIdentity",
"DurationSeconds" : 1800,
"ProviderId" : "iam.kakaocloud.com",
"WebIdentityToken" : "{x-auth-token}"
}'
Method | Request URL |
---|---|
POST | https://objectstorage.{region_name}.kakaocloud.com/ |
Field | Type | Description |
---|---|---|
Action* | String | Type of action to perform - Only AssumeRoleWithWebIdentity is supported |
DurationSeconds | Int | Duration, in seconds, for which the temporary credentials are valid |
ProviderId | String | Identity provider - Only iam.kakaocloud.com is supported |
WebIdentityToken | String | Token issued by OpenStack |
Response
Response example
<AssumeRoleWithWebIdentityResponse>
<AssumeRoleWithWebIdentityResult>
<SubjectFromWebIdentityToken>{user_id}</SubjectFromWebIdentityToken>
<Credentials>
<SessionToken>{session_token}</SessionToken>
<SecretAccessKey>{session_secret_key}</SecretAccessKey>
<Expiration>{expiration}</Expiration>
<AccessKeyId>{session_access_key}</AccessKeyId>
</Credentials>
<Provider>iam.kakaocloud.com</Provider>
</AssumeRoleWithWebIdentityResult>
<ResponseMetadata>
<RequestId>{request_id}</RequestId>
</ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
Field | Type | Description |
---|---|---|
user_id | String | User ID used by the temporary credentials |
session_token | String | Session token for the temporary credentials |
session_secret_key | String | Secret access key for the temporary credentials |
session_access_key | String | Access key ID for the temporary credentials |
expiration | Timestamp | Expiration time of the temporary credentials |
HTTP Status | Response | Description |
---|---|---|
200 | OK | Success |
400 | BadRequest | Request error |
403 | Forbidden | Permission denied |
Example - get bucket list
List buckets
curl --location 'https://objectstorage.kr-central-2.kakaocloud.com/' \
--header 'X-Amz-Security-Token: {issued STS session token}' \
--header 'X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' \
--header 'X-Amz-Date: 20230719T074808Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=2d554f581e81aa56a120fc29bd806405/20230719/kr-central-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=3f0f3cd5a25406947c936e8d51cdd13f3d5b4fafa1078da4e1b7b3df0d1e662a'
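The Authorization header in the request above is an AWS Signature Version 4 value computed from the temporary credentials, with the session token included as a signed header. The following added example (not KakaoCloud's own code) parses a constructed response in the shape shown earlier, refuses expired credentials, and derives the list-buckets headers with the Python standard library. The sample values and the ISO 8601 Expiration format are assumptions.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed response in the documented shape; every value is a placeholder.
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse><AssumeRoleWithWebIdentityResult>
<Credentials>
<SessionToken>EXAMPLE-SESSION-TOKEN</SessionToken>
<SecretAccessKey>EXAMPLE-SECRET-KEY</SecretAccessKey>
<Expiration>2023-07-19T08:18:08Z</Expiration>
<AccessKeyId>EXAMPLE-ACCESS-KEY</AccessKeyId>
</Credentials>
</AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""

def parse_credentials(xml_text):
    """Return the <Credentials> children of the STS response as a dict."""
    return {c.tag: c.text for c in ET.fromstring(xml_text).find(".//Credentials")}

def is_expired(creds, now):
    """Assumes Expiration is ISO 8601 UTC with a trailing Z (format not stated on the page)."""
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return now >= exp.replace(tzinfo=timezone.utc)

def sign_list_buckets(creds, region, now):
    """SigV4 headers for GET / (list buckets); the session token is a signed header."""
    if is_expired(creds, now):
        raise ValueError("temporary credentials expired; request a new STS token")
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {  # keys lowercase and already in sorted order, as SigV4 requires
        "host": f"objectstorage.{region}.kakaocloud.com",
        "x-amz-content-sha256": hashlib.sha256(b"").hexdigest(),  # empty body
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["SessionToken"],
    }
    signed = ";".join(headers)
    canonical = "\n".join(["GET", "/", "", "".join(f"{k}:{v}\n" for k, v in headers.items()),
                           signed, headers["x-amz-content-sha256"]])
    scope = f"{day}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["SecretAccessKey"]).encode()
    for part in (day, region, "s3", "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

Pass `now` as a timezone-aware UTC datetime; the returned header names map directly onto the `--header` values in the curl example.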