## Configuration

Access Management Plugin can be configured with environment variables:

```sh
$ mc admin config set myminio policy_plugin --env
KEY:
policy_plugin  enable Access Management Plugin for policy enforcement

ARGS:
MINIO_POLICY_PLUGIN_URL*          (url)       plugin hook endpoint (HTTP(S)) e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"

```sh
$ mc admin config set myminio identity_plugin --env
KEY:
identity_plugin  enable Identity Plugin via external hook

ARGS:
MINIO_IDENTITY_PLUGIN_URL*          (url)       plugin hook endpoint (HTTP(S)) e.g. "http://localhost:8181/path/to/endpoint"
MINIO_IDENTITY_PLUGIN_AUTH_TOKEN    (string)    authorization token for plugin hook endpoint
MINIO_IDENTITY_PLUGIN_ROLE_POLICY*  (string)    policies to apply for plugin authorized users

Aditya Manthramurthy <******@****.***> 1707412520 -0800

Aditya Manthramurthy <******@****.***> 1714599073 -0700

## Introduction

To integrate with custom authentication methods using the [Identity Management Plugin](../iam/identity-management-plugin.md)), MinIO provides an STS API extension called `AssumeRoleWithCustomToken`.

After configuring the plugin, use the generated Role ARN with `AssumeRoleWithCustomToken` to get temporary credentials to access object storage.

## API Request

	pluginAuthnServiceFailedRequestsMinute = "plugin_authn_service_failed_requests_minute"
	pluginAuthnServiceLastFailSeconds      = "plugin_authn_service_last_fail_seconds"
	pluginAuthnServiceLastSuccSeconds      = "plugin_authn_service_last_succ_seconds"
	pluginAuthnServiceSuccAvgRttMsMinute   = "plugin_authn_service_succ_avg_rtt_ms_minute"
	pluginAuthnServiceSuccMaxRttMsMinute   = "plugin_authn_service_succ_max_rtt_ms_minute"

package plugin

import "github.com/minio/minio/internal/config"

// Help template for Access Management Plugin policy feature.
var (
	defaultHelpPostfix = func(key string) string {
		return config.DefaultHelpPostfix(DefaultKVS, key)
	}

	Help = config.HelpKVS{
		config.HelpKV{
			Key:         URL,

	EnableHTTP2 = "enable_http2"

	EnvPolicyPluginURL         = "MINIO_POLICY_PLUGIN_URL"
	EnvPolicyPluginAuthToken   = "MINIO_POLICY_PLUGIN_AUTH_TOKEN"
	EnvPolicyPluginEnableHTTP2 = "MINIO_POLICY_PLUGIN_ENABLE_HTTP2"
)

// DefaultKVS - default config for Authz plugin config
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   URL,
			Value: "",
		},
		config.KV{
			Key:   AuthToken,
			Value: "",
		},
		config.KV{

          make test-iam
      - name: Test with Access Management Plugin enabled
        env:
          _MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
          _MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
          _MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
          _MINIO_POLICY_PLUGIN_TEST_ENDPOINT: "http://127.0.0.1:8080"
        run: |
          sudo sysctl net.ipv6.conf.all.disable_ipv6=0

## Scope

- All IAM Credentials are allowed access excluding rotating credentials, rotating credentials
  are not allowed to login via FTP/SFTP ports, you must use S3 API port for if you are using
  rotating credentials.

- Access to bucket(s) and object(s) are governed via IAM policies associated with the incoming
  login credentials.

- Allows authentication and access for all
  - Built-in IDP users and their respective service accounts