Mounting fails when using MinIO and OIDC authentication #1203
Labels
enhancement
New feature or request
Comments
|
Hey @2022tgoel, the Not sure if it'd be viable for you, and also I haven't tested myself but using |
unexge
added
enhancement
|
Hi, thanks that makes sense. |
|
Hey @2022tgoel, as you noted Mountpoint uses aws-c-auth under the hood for credentials and such a change/contribution should be done on that side. Feel free to create an issue with them to discuss if they would be open for a contribution of such a change. I'll also discuss with my team regarding accepting a contribution to change credential provider to AWS Rust SDK rather than CRT, but that's probably a bigger change and would require some discussions. |
2 tasks
|
@unexge is there anyone that can bump the linked issue in |
|
We've reached out to the team about the issue, but don't have anything to share yet. (FYI @waahm7) |
|
Thanks, This issue is fixed in https://github.com/awslabs/aws-c-auth/releases/tag/v0.8.6 and now CRT will respect the environment variable. |
|
@muddyfish I assume this is a matter of bumping |
github-merge-queue bot
pushed a commit
that referenced
this issue
Mar 11, 2025
## Description of change Notably, includes awslabs/aws-c-auth#263 for #1203. Size: ```bash $ cargo package -p mountpoint-s3-crt-sys --no-verify --allow-dirty Packaging mountpoint-s3-crt-sys v0.12.1 (~/Code/mountpoint-s3/mountpoint-s3-crt-sys) Updating crates.io index Packaged 2171 files, 39.4MiB (7.0MiB compressed) ``` <details> <summary>CRT changelog:</summary> ``` Submodule mountpoint-s3-crt-sys/crt/aws-c-auth b513db4b..01dd06ac: > Support Endpoint Override for CredentialsProviders (#263) > aws_hex_encode() no longer adds null-terminator (#264) > Account ID support for Crendentials Providers (#262) Submodule mountpoint-s3-crt-sys/crt/aws-c-cal 7299c6ab..298122a0: > do not include crypto when doing byo_crypto (#207) > Ed25519 support. (#206) Submodule mountpoint-s3-crt-sys/crt/aws-c-common 0e7637fa..568f46b1: > New Get_ENV Functions (#1141) > aws_base64_compute_encoded_len() is now exact, doesn't add 1 extra for null-terminator (#1188) > Make aws_byte_cursor_from_string NULL tolerant (#1187) > Integration test for CPU feature detection (#1186) Submodule mountpoint-s3-crt-sys/crt/aws-c-io 3041dabf..318f7e57: > Revert win TLS 1.3 (#712) > Fix Windows server-side for TLS 1.3 (#710) > Tls1.3 win update (#676) > Add PQ_DEFAULT enum to aws_tls_cipher_pref (#707) Submodule mountpoint-s3-crt-sys/crt/aws-c-s3 6eb8be53..1d0091c7: > Adapt to aws_base64_compute_encoded_len() no longer adding 1 extra for null terminator (#497) > Make public bucket optional (#495) > add life cycle to s3 express to test helper (#494) > Auto - Update S3 Ruleset & Partition (#493) Submodule mountpoint-s3-crt-sys/crt/aws-lc 138a6ad3..7bca7e96: > Add IbmTpm to our CI (#2231) > Revert BIO_get_mem_data back to macro (#2261) > Update patch for Postgres (#2232) > Add missing algorithms to benchmark (#2056) > Update internal IANA values of PQ SupportedGroups (#2235) > Add CMAC benchmark for AWS-LC (#2218) > Added ML-DSA to break-kat framework (#2253) > Update EVP_PKEY ED keygen to use an internal function that can return the result of the PWCT (#2256) > Remove unused CMake options for break tests (#2249) > Adding no-op X509_TRUST_cleanup for select application compatibility (#2257) > Add LibRdKafka to our CI (#2225) > Add public wrapper to internal bn_minimal_width function (#2245) > Prepare v1.48.1 (#2252) > Make BIO_get_mem_data a function again (#2246) > Move OCSP ASN1 type functions to public header (#2239) > Prepare for release v.1.48.0 (#2248) > Migrate last batch of jobs (#2214) > Enforce FIPS callback is only enabled for static builds (#2241) > Update to using Clang 18 on Windows (#2240) > Don't 'dllexport' Windows symbols on static build (#2238) > Check pagesize is non-negative in AES-XTS test (#2237) > Coverity Fix (#2236) > Increase required CMake version to 3.5 (#2219) > Remove BORINGSSL_FIPS_BREAK_FFC_DH (#2216) > Bump version, preparing for release v1.47.0 (#2229) > Add support to export ML-DSA key-pairs in seed format (#2194) > Integration test for libgit2 (#2215) > Fix out-of-bound (OOB) input read in AES-XTS Decrypt in AVX-512 implementation (#2227) > Integration test for libssh2 (#2222) > Reset DTLS1_BITMAP without resorting to memset (#2223) > Use AWSLC_SOURCE_DIR and AWSLC_BINARY_DIR (#2208) > Update ABI Diff Action to work correctly on push events (#2188) > Add SSL_CTX_use_cert_and_key (#2163) > Add support to define a callback for FIPS test failures instead of aborting the process (#2162) > Move Ed25519ph into module boundary (#2186) > Add utility for querying and comparing the BORINGSSL_bcm_text_hash (#2217) > Add guidance around certificate auto-chaining in TLS (#2205) > SHAKE Incremental Byte Squeezes && EVP_ Tests (#2155) > Migrate 3rd batch of CI jobs (#2183) > Avoid duplicated definition of standalone test executable variables (#2212) > Modify SSL to inherit ciphersuites from SSL_CTX at initialization (#2198) > Prepare release v1.46.1 (#2210) > Remove access() call from Snapsafe detection (#2197) > Simplify IsFlag check logic (#2209) > Update pairwise consistency test failures to support gracefully continiung (#2201) > Enable RSA keygen becnhmarks by default (#2206) > Fix C++98 compatibility in our header files (#2193) > Add pq-tls interop test with BoringSSL (#2199) > Refactor AWS_LC_FIPS_failure to always exist (#2200) > Improve tool-openssl compatability for x509 and verify subcommands (#2196) > Prepare release v1.46.0 (#2204) > Add SPARCV9 target (#2202) > Simplify OpenSSH mainline build (#2158) > ML-KEM: Move FIPS-abort upon PCT failure to top-level ML-KEM API (#2195) > Add runtime options to break the pairwise consistency test for Ed, ML-KEM, and ML-DSA (#2192) > Update pkcs8_corpus files to include ML-DSA (#2191) > Refactor TLS 1.3 cipher selection and fix SSL_get_ciphers (#2092) > Add suport for asl and rol to match existing support for asr and ror (#2185) > SCRUTINICE fixes (#2180) > Make install_shared_and_static test more robust (#2179) > MacOS-12 GH runner no longer supported (#2190) > Add integration patches/CI for Ruby main and 3.3 (#2071) > Move ML-DSA to fipsmodule (#2175) > Expand spki fuzz corpus (#2187) > Update PQREADME.md (#2151) > Setup X509 CodeBuild Project for Limbo Report Generation (#2171) > Add msl to ARMConstantTweak and recognise ldrsw to prevent delocator errors (#2177) > Remove DEPENDS from add_custom_command as CMake made the behavior clear (#2178) > Update BORINGSSL_FIPS_abort to AWS_LC_FIPS_failure which takes a message (#2182) > Fix Nginx build (#2181) > Add EVP API Support for ED25519ph (#2144) > Update benchmark to skip chunk sizes that doesn't work with the algorithm (#2146) > Add new CAST tests to break-kat.go (#2173) > Migrate 2nd batch of CI jobs (#2091) > Ensure enabling local symbols doesn't change the module hash (#2169) > Move PQDSA to FIPSMODULE (#2166) > Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked (#2112) > CAST and PCT for ML-DSA (#2148) > Validate or define ARM HWCAP2_XXX macros (#2164) > Prepare AWS-LC v1.45.0 (#2172) > Wrap pointers to s2n-bignum functions - delocator fix (#2165) > ML-DSA private keys from seeds (#2157) > SHA3 and SHAKE - New API Design (#2098) > Add support for PKCS12_set_mac (#2128) > Fix policy grant on ECR resource policy (#2159) > Cross library PQ interop test with s2n-tls (#2138) Submodule mountpoint-s3-crt-sys/crt/s2n-tls 6cc9f53d..4ed4f1a6: > tests: try to make s2n_mem_usage_test more useful (#5139) > chore: git-blame-ignore ruff formatting (#5151) > chore(bindings): change in rustup behavior (#5160) > refactor: remove unused prf hmac impls (#5148) > chore(ci): make the awslc fips install script version aware (#5100) > fix: memory leak during STEK rotation (#5146) > refactor: add alternative EVP signing method (#5141) > refactor: cleanup prf header (#5144) > feat(bindings): expose context on cert chain (#5132) > Ruff Formatting and add to CI (#5138) > chore(nix): Add aws-lc-fips 2022/4 (#5109) > test(integv2): fixes to allow test_record_padding to partially run (#5099) > build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap in the all-cargo-updates group across 1 directory (#5087) > tests: use sig schemes as source of truth for valid hash+sig algs (#5129) > ci: always set values for command line defines (#5126) > fix: update callback return value (#5136) > refactor: always use EVP hashing (#5121) > ci: add check for third-party-src in disable rand override buildspec (#5137) > feat: add async cert validation support (#5110) > chore: remove unused well-known-endpoints.py (#5127) > fix(bindings): remove mutation behind Arc (#5124) > chore: binding release 0.3.12 (#5128) > refactor: use EVP_MD_fetch() if available (#5116) > feat: Option to disable RAND engine override (#5108) > fix(bindings): make Context borrow immutable (#5071) > build(deps): update rand requirement (#5125) > chore: fix a typo in API comments (#5123) > bindings: unpin openssl crate from a specific patch version (#5120) > refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h (#5117) > Add new security policy (20250211) (#5111) > Revert "refactor: remove unused evp support for md5+sha1 (#5106)" (#5118) > ci: add default provider to openssl-3.0-fips (#5114) > fix: don't enable custom random for openssl fips (#5093) > fix: allow b64 decoding using libcrypto for sidechannel resistance (#5103) > refactor: remove unused evp support for md5+sha1 (#5106) > refactor: remove s2n_hmac_is_available (#5104) > build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory (#5107) > fix(integrationv2): Skip unsupported client auth tests (#5096) > chore: bindings release 0.3.11 (#5098) > chore: ktls buildspec (#5083) > Fixed formatting for debugging statements (#5094) > feat(bindings): add external psk apis (#5061) > test: add minimal openssl-3.0-fips test (#5081) > fix(ci): Allow validate_start_codebuild to run on pushes to main (#5080) > fix: don't use DEPENDS with add_custom_command(TARGET) (#5074) > fix: error for uninit psk, check for all-zero psk (#5084) > fix: calculation of session ticket age (#5001) > fix: add support for `S2N_INTERN_LIBCRYPTO` with FetchContent (#5076) > fix(integration): Update PQ integration test expectations (#5082) > ci: fix dependabot, commit & check Cargo.toml (#5065) > docs(s2n-tls-hyper): Add hyper client/server example (#5069) > docs(integv2): add architecture diagram (#5072) > fix(bindings): prevent temp connection free after panic (#5067) > ci: Emit benchmark metrics from scheduled runs (#5064) > ci: change rust-toolchain format to toml (#5070) > Revert "ci: remove openssl-1.0.2-fips builds (#4995)" (#5060) > feat(bench): impl into for base config type (#5056) > refactor: cleanup CBMC proofs after #5048 (#5058) > ci: Adding integ tests back to integv2 (#5054) > refactor: remove openssl-1.0.2-fips 'allow md5' logic (#5048) > ci: pin duvet version (#5057) > build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0 in /.github/workflows in the all-gha-updates group (#5053) > chore: fix typos (#5052) > chore: bump osx Openssl to latest (#5041) > chore: bindings release for 0.3.10 (#5046) > fix: initial config should not influence sslv2 (#4987) > ci: add openssl-3.0-fips builds (#5037) > Add Security Policy Deprecation API (#5034) > docs: add C / s2n-tls-sys doc references to s2n-tls docs (#5012) > test: add sslv2 client hello test w/ jvm (#5019) > ci: add timeout for cbmc proof (#5038) > fix(bindings): Specify correct minimum versions (#5028) ``` </details> ## Does this change impact existing behavior? Nothing expected. ## Does this change need a changelog entry in any of the crates? Updated --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/). Signed-off-by: Burak Varlı <[email protected]>
|
Hey @pawalt, we bumped CRT submodules and the fix will be included in the next Mountpoint release. |
|
@unexge thanks so much :) we're looking forward to pulling this in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Mountpoint for Amazon S3 version
mount-s3 1.13.0
AWS Region
No response
Describe the running environment
I am mounting a directory stored in the MinIO S3-compatible storage service running locally in a docker container.
I am setting
AWS_WEB_IDENTITY_TOKEN_FILE,AWS_ROLE_SESSION_NAME, andAWS_ROLE_ARNto use OIDC for authentication.I have verified that the credentials I am providing are valid through:
The command above succeeds.
Mountpoint options
What happened?
CRT debug logs:
mountpoint-s3-2024-12-17T17-09-47Z.4h5iTP.log
It claims that the STS web identity path responds with 400 bad request. However, I don't understand this for two reasons
Relevant log output
mountpoint-s3-2024-12-17T17-09-47Z.4h5iTP.log
The text was updated successfully, but these errors were encountered: