version stack for obj-1
		v2 uuid-2 modTime -3m objRetentionMeta
	*/
	lrObjInfos := slices.Clone(objInfos)
	lrObjInfos[3].UserDefined = objRetentionMeta
	var lrWants []ObjectInfo
	lrWants = append(lrWants, lrObjInfos[:4]...)

	/*
		replObjInfos: objInfos with following modifications
		version stack for obj-1
		v1 uuid-1 modTime -4m	"VersionPurgeStatus: replication.VersionPurgePending"
	*/

## Introduction

Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include KeyCloak, Okta etc.

}
```

These credentials can now be used to perform MinIO API operations, these credentials automatically expire in 1hr. To understand more about credential expiry duration and client grants STS API read further [here](https://github.com/minio/minio/blob/master/docs/sts/client-grants.md).

## Explore Further

- [MinIO STS Quickstart Guide](https://docs.min.io/community/minio-object-store/developers/security-token-service.html)

### 4. Test with MinIO STS API

Once etcd is configured, **any STS configuration** will work including Client Grants, Web Identity or AD/LDAP.

     */
    int getTransactionBufferSize();

    /**
     * Gets the number of initial credits granted by the server for SMB2.
     *
     * @return number of initial credits the server grants
     */
    int getInitialCredits();

    /**
     * Checks whether a connection can be reused for the given configuration.
     *
     * @param tc the CIFS context to check compatibility with

	sts.AssumeRoleWithSSO(w, r)
}

// AssumeRoleWithClientGrants - implementation of AWS STS extension API supporting
// OAuth2.0 client credential grants.
//
// Eg:-
//
//	$ curl https://minio:9000/?Action=AssumeRoleWithClientGrants&Token=<jwt>
func (sts *stsAPIHandlers) AssumeRoleWithClientGrants(w http.ResponseWriter, r *http.Request) {
	sts.AssumeRoleWithSSO(w, r)

            }
        }
    ]
}`

	policyProjectsMap = map[string]string{
		// grants access to bucket `projecta` if user is in group `projecta`
		"projecta": policyProjectA,

		// grants access to bucket `projectb` if user is in group `projectb`
		"projectb": policyProjectB,

		// grants access to bucket `projectaorb` if user is in either group
		// `projecta` or `projectb`

	return strings.Join(policies, ","), policy.MergePolicies(toMerge...)
}

// GetBucketUsers - returns users (not STS or service accounts) that have access
// to the bucket. User is included even if a group policy that grants access to
// the bucket is disabled.
func (store *IAMStoreSys) GetBucketUsers(bucket string) (map[string]madmin.UserInfo, error) {
	if bucket == "" {
		return nil, errInvalidArgument
	}

  You can still access kubelet's `/healthz`, `/pods` and `/configz` by granting the caller `nodes/proxy` permission in RBAC but that also grants the caller permissions to exec, run and attach to containers on the nodes and doing so does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. ([#12...