balamurugana/Self-signed certificate setup for AssumeRoleWithCertificate.md

## Self-signed certificate setup for AssumeRoleWithCertificate.md

      
    Raw
  

              Self-signed certificate setup for AssumeRoleWithCertificate.md
            
          
    As MinIO needs the CN to have the policy name and original mkcert does not support this, download updated mkcert from https://github.com/kanagarajkm/mkcert/releases/download/v1.4.3-1/mkcert
Server certs


Generate certificate files

mkcert localhost

Copy generated localhost-key.pem and localhost.pem to certs directory of minio server.

cp -avi localhost-key.pem ~/.minio/certs/private.key
cp -avi localhost.pem ~/.minio/certs/public.crt

Restart or start minio server with environment variable MINIO_IDENTITY_TLS_ENABLE=on.

Client certs


Generate client certificate. Here client1 is the CN

mkcert -client client1

Rename generated certificate files.

mv -vi client1-key.pem client1.key
mv -vi client1.pem client1.crt

Copy certificate files to certs/CAs directory of minio server.

cp -avi client1.key ~/.minio/certs/CAs/client1.key
cp -avi client1.crt ~/.minio/certs/CAs/client1.crt

Restart minio server with environment variable MINIO_IDENTITY_TLS_ENABLE=on.

Create and assign MinIO Policy


Create a new policy JSON into client1-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}

Add the policy to client1

mc admin policy add myminio client1 client1-policy.json --insecure
Fetch STS credentials using certificate

curl -X POST  --key client1.key --cert client1.crt "https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600" -k