return psv, ErrInvalidQuerySignatureAlgo
	}

	// Initialize signature version '4' structured header.
	preSignV4Values := preSignValues{}

	// Save credential.
	preSignV4Values.Credential, aec = parseCredentialHeader("Credential="+query.Get(xhttp.AmzCredential), region, stype)
	if aec != ErrNone {
		return psv, aec
	}

	var e error
	// Save date in native time.Time.

		ccred          Credentials
		expectedResult bool
	}{
		// Same Credentialss.
		{cred, cred, true},
		// Empty credentials to compare.
		{cred, Credentials{}, false},
		// Empty credentials.
		{Credentials{}, cred, false},
		// Two different credentialss
		{cred, cred2, false},
		// Access key is different in credentials to compare.
		{cred, Credentials{AccessKey: "myuser", SecretKey: cred.SecretKey}, false},

                                          preload_content=True,
                                          )
            if response.status != 200:
                message = "Credential refresh failed, response: %s"
                raise CredentialRetrievalError(
                    provider=method,
                    error_msg=message % response.status,
                )

	"time"

	"github.com/minio/minio-go/v7"
	cr "github.com/minio/minio-go/v7/pkg/credentials"
)

var (
	// LDAP integrated Minio endpoint
	stsEndpoint string

	// token to use with AssumeRoleWithCustomToken
	token string

	// Role ARN to use
	roleArn string

	// Display credentials flag
	displayCreds bool

	// Credential expiry duration
	expiryDuration time.Duration

	// Bucket to list

	)

	ErrInvalidRootUserCredentials = newErrFn(
		"Invalid credentials",
		"Please provide correct credentials",
		EnvRootUser+` length should be at least 3, and `+EnvRootPassword+` length at least 8 characters`,
	)

	ErrMissingEnvCredentialRootUser = newErrFn(
		"Missing credential environment variable, \""+EnvRootUser+"\"",
		"Environment variable \""+EnvRootUser+"\" is missing",

type serverConfigV33 struct {
	quick.Config `json:"-"` // ignore interfaces

	Version string `json:"version"`

	// S3 API configuration.
	Credential auth.Credentials `json:"credential"`
	Region     string           `json:"region"`
	Worm       config.BoolFlag  `json:"worm"`

	// Storage class configuration
	StorageClass storageclass.Config `json:"storageclass"`

	"github.com/minio/madmin-go/v3"
	"github.com/minio/minio-go/v7"
	cr "github.com/minio/minio-go/v7/pkg/credentials"
)

var (
	// Minio endpoint (for STS API)
	stsEndpoint string

	// User account credentials
	minioUsername string
	minioPassword string

	// Display credentials flag
	displayCreds bool

	// Credential expiry duration
	expiryDuration time.Duration

	// Bucket to list
	bucketToList string

	}

	if conf.IsSPEnabled() {
		credential, err := azidentity.NewClientSecretCredential(conf.SPAuth.TenantID, conf.SPAuth.ClientID, conf.SPAuth.ClientSecret, &azidentity.ClientSecretCredentialOptions{})
		if err != nil {
			return nil, err
		}
		return azblob.NewClient(ep, credential, &azblob.ClientOptions{})
	}
	credential, err := azblob.NewSharedKeyCredential(conf.AccountName, conf.AccountKey)

sleep 5

# Generate STS credential with STS call to minio1
STS_CRED=$(MINIO_ENDPOINT=http://localhost:9001 go run ./docs/site-replication/gen-oidc-sts-cred.go)

MC_HOST_foo=http://${STS_CRED}@localhost:9001 ./mc ls foo
if [ $? -ne 0 ]; then
	echo "Expected sts credential to work, exiting.."
	exit_1
fi

sleep 2

# Check that the STS credential works on minio2 and minio3.

		"s3:GetObject",
		"s3:PutObject"
	  ],
	  "Effect": "Allow",
	  "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
	}
  ]
}
```

If the user is authenticating using an STS credential which was authorized from OpenID connect we allow all `jwt:*` variables specified in the JWT specification, custom `jwt:*` or extensions are not supported. List of policy variables for OpenID based STS.

- `jwt:sub`
- `jwt:iss`