{ "sts": { "tokenDuration": "1h", "maxSessionLength": "12h", "issuer": "seaweedfs-sts", "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc=" }, "providers": [ { "name": "test-oidc", "type": "mock", "config": { "issuer": "test-oidc-issuer", "clientId": "test-oidc-client" } }, { "name": "keycloak", "type": "oidc", "enabled": true, "config": { "issuer": "http://localhost:8080/realms/seaweedfs-test", "clientId": "seaweedfs-s3", "clientSecret": "seaweedfs-s3-secret", "jwksUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/certs", "userInfoUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/userinfo", "scopes": ["openid", "profile", "email"], "claimsMapping": { "username": "preferred_username", "email": "email", "name": "name" }, "roleMapping": { "rules": [ { "claim": "roles", "value": "s3-admin", "role": "arn:seaweed:iam::role/KeycloakAdminRole" }, { "claim": "roles", "value": "s3-read-only", "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole" }, { "claim": "roles", "value": "s3-write-only", "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole" }, { "claim": "roles", "value": "s3-read-write", "role": "arn:seaweed:iam::role/KeycloakReadWriteRole" } ], "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole" } } } ], "policy": { "defaultEffect": "Deny" }, "roles": [ { "roleName": "TestAdminRole", "roleArn": "arn:seaweed:iam::role/TestAdminRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "test-oidc" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3AdminPolicy"], "description": "Admin role for testing" }, { "roleName": "TestReadOnlyRole", "roleArn": "arn:seaweed:iam::role/TestReadOnlyRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "test-oidc" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3ReadOnlyPolicy"], "description": "Read-only role for testing" }, { "roleName": "TestWriteOnlyRole", "roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "test-oidc" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3WriteOnlyPolicy"], "description": "Write-only role for testing" }, { "roleName": "KeycloakAdminRole", "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "keycloak" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3AdminPolicy"], "description": "Admin role for Keycloak users" }, { "roleName": "KeycloakReadOnlyRole", "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "keycloak" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3ReadOnlyPolicy"], "description": "Read-only role for Keycloak users" }, { "roleName": "KeycloakWriteOnlyRole", "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "keycloak" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3WriteOnlyPolicy"], "description": "Write-only role for Keycloak users" }, { "roleName": "KeycloakReadWriteRole", "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole", "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "keycloak" }, "Action": ["sts:AssumeRoleWithWebIdentity"] } ] }, "attachedPolicies": ["S3ReadWritePolicy"], "description": "Read-write role for Keycloak users" } ], "policies": [ { "name": "S3AdminPolicy", "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"] }, { "Effect": "Allow", "Action": ["sts:ValidateSession"], "Resource": ["*"] } ] } }, { "name": "S3ReadOnlyPolicy", "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] }, { "Effect": "Allow", "Action": ["sts:ValidateSession"], "Resource": ["*"] } ] } }, { "name": "S3WriteOnlyPolicy", "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] }, { "Effect": "Deny", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] }, { "Effect": "Allow", "Action": ["sts:ValidateSession"], "Resource": ["*"] } ] } }, { "name": "S3ReadWritePolicy", "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] }, { "Effect": "Allow", "Action": ["sts:ValidateSession"], "Resource": ["*"] } ] } } ] }