guangwu <******@****.***> 1712938195 +0800

        "Expiration": "2019-02-20T19:56:59-08:00",
        "AccessKeyId": "K9DTIMUVZXEXJL3ATUOY"
    }
}
```

### Testing an example with `assume-role.go`

The included program in this directory can also be used for testing:

``` shell
$ go run assume-role.go -u foobar -p foo12345 -d
Only displaying credentials:
AccessKeyID: 27YDRYEM0S9B44AJJX9X
SecretAccessKey: LHPdHeaLiYk+pDZ3hgN3sdwXpJC2qbhBfZ8ii9Z3

	mc admin cluster iam export old-minio
	set +x

	mc admin service stop old-minio
}

import_iam_content_in_new_minio() {
	echo "Importing IAM content in new minio instance."
	# Assume current minio binary exists.
	MINIO_CI_CD=1 ./minio server /tmp/data/{1...4} &
	sleep 5

	set -x
	mc alias set new-minio http://localhost:9000 minioadmin minioadmin
	echo "BEFORE IMPORT mappings:"

class ClientGrantsCredentialProvider(CredentialProvider):
    """
    ClientGrantsCredentialProvider implements CredentialProvider compatible
    implementation to be used with boto_session
    """
    METHOD = 'assume-role-client-grants'
    CANONICAL_NAME = 'AssumeRoleClientGrants'

    def __init__(self, cid, csec,
                 idp_ep='http://localhost:8080/auth/realms/minio/protocol/openid-connect/token',

			// Expect header is always of form:
			//
			//   Expect       =  "Expect" ":" 1#expectation
			//   expectation  =  "100-continue" | expectation-extension
			//
			// So it safe to assume that '100-continue' is what would
			// be sent, for the time being keep this work around.
			// Adding a *TODO* to remove this later when Golang server
			// doesn't filter out the 'Expect' header.

**Note**: On distributed systems, root credentials are recommend to be defined by exporting the `MINIO_ROOT_USER` and  `MINIO_ROOT_PASSWORD` environment variables. If no value is set MinIO setup will assume `minioadmin/minioadmin` as default credentials. If a domain is required, it must be specified by defining and exporting the `MINIO_DOMAIN` environment variable.

## Cloud Scale Deployment

		}
	}

	r := &Reader{
		args:       args,
		buf:        bufio.NewReaderSize(csvIn, csvSplitSize*2),
		readCloser: readCloser,
		close:      make(chan struct{}),
	}

	// Assume args are validated by ReaderArgs.UnmarshalXML()
	newCsvReader := func(r io.Reader) *csv.Reader {
		ret := csv.NewReader(r)
		ret.Comma = []rune(args.FieldDelimiter)[0]
		ret.Comment = []rune(args.CommentCharacter)[0]

1.
2.
3.
4.

## Context
<!--- How has this issue affected you? What are you trying to accomplish? -->
<!--- Providing context helps us come up with a solution that is most useful in the real world -->

## Regression
<!-- Is this issue a regression? (Yes / No) -->

| [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md)   | Let MinIO users request temporary credentials using user access and secret keys.                                                              |

### Understanding JWT Claims

- All features currently used by your buckets will work as is without any changes
  - SSE (Server Side Encryption)
  - Replication (Server Side Replication)

## Prerequisites

- It is assumed you have users created and configured with relevant access policies, to start with
  use basic "readwrite" canned policy to test all the operations before you finalize on what level
  of restrictions are needed for a user.