data        []byte
		expectedARN *ARN
		expectErr   bool
	}{
		{[]byte("<ARN></ARN>"), nil, true},
		{[]byte("<ARN>arn:minio:sqs:::</ARN>"), nil, true},
		{[]byte("<ARN>arn:minio:sqs::1:webhook</ARN>"), &ARN{TargetID{"1", "webhook"}, ""}, false},
		{[]byte("<ARN>arn:minio:sqs:us-east-1:1:webhook</ARN>"), &ARN{TargetID{"1", "webhook"}, "us-east-1"}, false},
	}

	for i, testCase := range testCases {
		arn := &ARN{}

func (q Queue) Validate(region string, targetList *TargetList) error {
	if q.ARN.region == "" {
		if !targetList.Exists(q.ARN.TargetID) {
			return &ErrARNNotFound{q.ARN}
		}
		return nil
	}

	if region != "" && q.ARN.region != region {
		return &ErrUnknownRegion{q.ARN.region}
	}

	if !targetList.Exists(q.ARN.TargetID) {
		return &ErrARNNotFound{q.ARN}
	}

	return nil
}

	if update {
		ops = madmin.GetTargetUpdateOps(r.Form)
	} else {
		var exists bool // true if arn exists
		target.Arn, exists = globalBucketTargetSys.getRemoteARN(bucket, &target, "")
		if exists && target.Arn != "" { // return pre-existing ARN
			data, err := json.Marshal(target.Arn)
			if err != nil {
				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
				return
			}

./mc mb -l sitec/olockbucket

echo "adding replication rule for a -> b : ${remote_arn}"
sleep 1
./mc replicate add sitea/bucket/ \
	--remote-bucket http://minio:minio123@127.0.0.1:9004/bucket \
	--replicate "existing-objects,delete,delete-marker,replica-metadata-sync"
sleep 1

echo "adding replication rule for b -> a : ${remote_arn}"
./mc replicate add siteb/bucket/ \
	--remote-bucket http://minio:minio123@127.0.0.1:9001/bucket \

		XMLNS: xmlNS,
		XMLName: xml.Name{
			Local: "ServerSideEncryptionConfiguration",
		},
		Rules: []Rule{
			{
				DefaultEncryptionAction: EncryptionAction{
					Algorithm:   AWSKms,
					MasterKeyID: "arn:aws:kms:my-minio-key",
				},
			},
		},
	}

	testCases := []struct {
		inputXML       string
		keyID          string
		expectedErr    error
		shouldPass     bool
		expectedConfig *BucketSSEConfig

MINIO_IDENTITY_PLUGIN_ROLE_ID       (string)    unique ID to generate the ARN
MINIO_IDENTITY_PLUGIN_COMMENT       (sentence)  optionally add a comment to this setting
```

If provided, the auth token parameter is sent as an authorization header.

`MINIO_IDENTITY_PLUGIN_ROLE_POLICY` is a required parameter and can be list of comma separated policy names.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::${ldap:username}/*"
      ]
    }
  ]

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["admin:*"]},{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]}...

type AssumedRoleUser struct {
	// The ARN of the temporary security credentials that are returned from the
	// AssumeRole action. For more information about ARNs and how to use them in
	// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
	// in Using IAM.
	//
	// Arn is a required field
	Arn string

	}

	oidcToken, err := cmd.MockOpenIDTestUserInteraction(ctx, appParams, "******@****.***", "dillon")
	if err != nil {
		log.Fatalf("Failed to generate OIDC token: %v", err)
	}

	roleARN := os.Getenv("ROLE_ARN")
	webID := cr.STSWebIdentity{
		Client:      &http.Client{},
		STSEndpoint: endpoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token: oidcToken,
			}, nil