[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to authenticate with access keys #20015

Closed
Hu1buerger opened this issue Jun 29, 2024 · 8 comments
Closed

Unable to authenticate with access keys #20015

Hu1buerger opened this issue Jun 29, 2024 · 8 comments
Labels
community working as intended

Comments

@Hu1buerger
Copy link

Access keys deployed through the minio dashboard are not recognised.

Expected Behavior

from minio import Minio

client = Minio(MINIO_SERVICE,
    access_key="KEYS_FROM_SETUP",
    secret_key="KEYS_FROM_SETUP",
)
client.list_buckets()

should return all the buckets.

Current Behavior

    raise response_error
minio.error.S3Error: S3 operation failed; code: InvalidAccessKeyId, message: The Access Key Id you provided does not exist in our records., resource: /, request_id: 17DD75AB5D929823, host_id: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8

Possible Solution

Steps to Reproduce (for bugs)

  1. Deploy an authentik container

  2. Deploy a minio container

  3. Set authentik as an OpenID source for minio as described here

  4. Open the minio dashboard.

  5. Click on Access Keys.

  6. Create an access key.

Context

I am trying to authorise microservices to access data stored in a bucket.

Regression

Your Environment

MinIO Object Storage Server
Copyright: 2015-2024 MinIO, Inc.
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Version: RELEASE.2024-06-28T09-06-49Z (go1.22.4 linux/amd64)

API: http://172.21.0.3:9000  http://127.0.0.1:9000 
WebUI: http://172.21.0.3:9001 http://127.0.0.1:9001  

Docs: https://min.io/docs/minio/linux/index.html
Status:         1 Online, 0 Offline. 
STARTUP WARNINGS:
The standard parity is set to 0. This can lead to data loss.

minio is running in a docker container with 3bad56718cc9
@Hu1buerger
Copy link
Author
Hu1buerger commented Jun 29, 2024
edited
Loading

Service account keys are working nonetheless.

Edit: no they are not. Only old keys are still working. New ones seem to be kaput.

@harshavardhana
Copy link
Member

Please upgrade your setup and let us know

@Hu1buerger
Copy link
Author

The service account credentails seem to be working after the upgrade. Access keys are still not recognised.

@harshavardhana
Copy link
Member

The service account credentails seem to be working after the upgrade. Access keys are still not recognised.

I have no idea what you are talking about here. Access keys and service accounts are same.

@harshavardhana
Copy link
Member

if you enable OpenID, then internal IDP users are not available via the Console UI. Closing this issue as non-actionable AFAICS.

@rodion-serhieiev
Copy link

Hi @Hu1buerger ,
In our MinIO deployment, we faced the same issue. We are using OpenID(Keycloak) integration, and we determined that if Access keys were created in the user that receives the STS token from Keycloak, after the expiration of the STS token, the Access keys would not work anymore.
For the Service-to-service connection, we went with a service account.
However, we haven't yet found the solution for integration from user-to-service. When I talk about user-to-service integration, I mean integration like in Clickhouse with the S3 backend for external tables. Due to explosion credentials to Clickhouse in logs, some users log into MinIO and update their STS token. I know this is a terrible solution, but as I said, we are looking for a solution.

@Hu1buerger
Copy link
Author

@rodion-serhieiev so you are facing a similar issue?

@rodion-serhieiev
Copy link

In our case, if the owner of the access key that does not work will log in to the MinIO console, then his access key will work until the STS token expires.
If you have a different scenario, then our issues are different.

In my case, the issue is not on the MinIO side as marked @harshavardhana, it is working as intended.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
community working as intended
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@harshavardhana @rodion-serhieiev @Hu1buerger