```
{
  "Version": "2012-10-17",
  "Statement": [
	{
	  "Action": ["s3:ListBucket"],
	  "Effect": "Allow",
	  "Resource": ["arn:aws:s3:::mybucket"],
	  "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
	},
	{
	  "Action": [
		"s3:GetObject",
		"s3:PutObject"
	  ],
	  "Effect": "Allow",

| `minio_node_ilm_action_count_transition_action`              | Total action outcome of lifecycle checks since server start for transition of an object                    |
| `minio_node_ilm_action_count_transition_version_action`      | Total action outcome of lifecycle checks since server start for transition of a particular object version  |

| Parameter       | Type    | Required |                                                                      |
|-----------------|---------|----------|----------------------------------------------------------------------|
| Action          | String  | Yes      | Value must be `AssumeRoleWithCustomToken`                         |
| Version         | String  | Yes      | Value must be `2011-06-15`                                           |

```
export MINIO_IDENTITY_TLS_ENABLE=on
```

## Example

MinIO exposes a custom S3 STS API endpoint as `Action=AssumeRoleWithCertificate`. A client has to send an HTTP `POST` request to `https://<host>:<port>?Action=AssumeRoleWithCertificate&Version=2011-06-15`. Since the authentication and authorization happens via X.509 certificates the client has to send the request over **TLS** and has to provide

```sh
cat > example.rego <<EOF
package httpapi.authz

import input

default allow = false

# Allow the root user to perform any action.
allow {
 input.owner == true
}

# All other users may do anything other than call PutObject
allow {
 input.action != "s3:PutObject"
 input.owner == false
}
EOF
```

Then load the policy via OPA's REST API.

```
curl -X PUT --data-binary @example.rego \

## Quickstart

To easily try out the feature, run the included demo Access Management Plugin program in this directory:

```sh
go run access-manager-plugin.go
```

This program, lets the admin user perform any action and prevents all other users from performing `s3:Put*` operations.

In another terminal start MinIO:

```sh
export MINIO_CI_CD=1
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123

```json
cat > adminManageUser.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:CreateUser",
        "admin:DeleteUser",
        "admin:ConfigUpdate"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],

## Sample `POST` Request

```
http://minio:9000/?Action=AssumeRole&DurationSeconds=3600&Version=2011-06-15&Policy={"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}&AUTHPARAMS
```

## Sample Response

```
<?xml version="1.0" encoding="UTF-8"?>

```
{
 "Version": "2012-10-17",
 "Statement": [
  {
    "Action": [
        "admin:SetBucketTarget",
        "admin:GetBucketTarget"
    ],
    "Effect": "Allow",
    "Sid": ""
  },
  {
   "Effect": "Allow",
   "Action": [
    "s3:GetReplicationConfiguration",
    "s3:PutReplicationConfiguration",
    "s3:ListBucket",

```

```
~ mc admin policy create admin allaccess.json
```

Contents of `allaccess.json`

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
```

### Visit <http://localhost:8080>