aws:groups does not work in policies
olljanat opened this issue
Expected Behavior
#16538 added support for aws:groups
but as far as I see it does not work. Test automation only exists for jwt:groups,
so most likely there is some logic issue.
Current Behavior
I added the logging line
logger.Error(fmt.Sprintf("getConditionValues called: Username %v, claims: %v, groups %v", username, claims, groups))
below this one:
Lines 77 to 84 in 8b660e1
and what I see are messages like these, even when the user is part of the group:
getConditionValues called: Username ANTTQ5LPWPWYV8WFYKUS, claims: map[accessKey:ANTTQ5LPWPWYV8WFYKUS exp:1.715220743e+09 parent:test], groups []
getConditionValues called: Username test, claims: map[], groups []
Possible Solution
Perhaps the order of the code needs to be changed so that cred.Groups
gets populated before the getConditionValues
function is called.
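As an added illustration (a simplified model written for this comment, not MinIO's own code or types) of why a condition keyed on aws:groups can never match when the credential's groups are resolved only after the condition values have been built:

```go
package main

import "fmt"

// Credential: simplified stand-in for a MinIO-style credential (assumed shape, not MinIO's type).
type Credential struct {
	AccessKey string
	Groups    []string
}

// lookupGroups stands in for the IDP/group lookup; constructed sample data.
func lookupGroups(accessKey string) []string {
	return map[string][]string{"test": {"admins"}}[accessKey]
}

// ConditionValues builds the condition-key map a policy engine evaluates. aws:groups is
// taken from the credential as it is at call time: empty Groups means the key is absent.
func ConditionValues(cred Credential) map[string][]string {
	values := map[string][]string{"aws:username": {cred.AccessKey}}
	if len(cred.Groups) > 0 {
		values["aws:groups"] = append([]string(nil), cred.Groups...)
	}
	return values
}

// GroupConditionMatches evaluates a StringEquals-style condition on aws:groups.
func GroupConditionMatches(values map[string][]string, wantGroup string) bool {
	for _, g := range values["aws:groups"] {
		if g == wantGroup {
			return true
		}
	}
	return false
}

// EvaluateBuggy mirrors the suspected ordering problem: values are built before groups are set.
func EvaluateBuggy(accessKey, wantGroup string) bool {
	cred := Credential{AccessKey: accessKey}
	values := ConditionValues(cred)
	cred.Groups = lookupGroups(accessKey) // too late: values already built without groups
	return GroupConditionMatches(values, wantGroup)
}

// EvaluateFixed resolves groups first, then builds condition values.
func EvaluateFixed(accessKey, wantGroup string) bool {
	cred := Credential{AccessKey: accessKey, Groups: lookupGroups(accessKey)}
	return GroupConditionMatches(ConditionValues(cred), wantGroup)
}

func main() { fmt.Println("buggy:", EvaluateBuggy("test", "admins"), "fixed:", EvaluateFixed("test", "admins")) }
```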
aws:groups doesn't exist unless you have LDAP or OpenID enabled
- ldap:groups
- jwt:groups
@harshavardhana hmm, the comment in #11303 (comment) and the documentation in
minio/docs/multi-user/README.md
Line 271 in 8b660e1
Isn't MinIO always acting as an IDP for users which are created directly in it?
And if either LDAP or OpenID is needed, then what is the use case of aws:groups?