// The ARN of the temporary security credentials that are returned from the
	// AssumeRole action. For more information about ARNs and how to use them in
	// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
	// in Using IAM.
	//
	// Arn is a required field
	Arn string

	// A unique identifier that contains the role ID and the role session name of

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \
    --publish 8181:8181 \

package opa

import (
	"github.com/minio/minio/internal/config"
)

// Legacy OPA envs
const (
	EnvIamOpaURL       = "MINIO_IAM_OPA_URL"
	EnvIamOpaAuthToken = "MINIO_IAM_OPA_AUTHTOKEN"
)

// SetPolicyOPAConfig - One time migration code needed, for migrating from older config to new for PolicyOPAConfig.
func SetPolicyOPAConfig(s config.Config, opaArgs Args) {

Date:   Sat Jun 15 11:27:17 2019 -0700

    [security] Match ${aws:username} exactly instead of prefix match (#7791)

    This PR fixes a security issue where an IAM user based
    on his policy is granted more privileges than restricted
    by the users IAM policy.

    This is due to an issue of prefix based Matcher() function
    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.
```

  unencrypted FTP communication (Not-recommended)

## Scope

- All IAM Credentials are allowed access excluding rotating credentials, rotating credentials
  are not allowed to login via FTP/SFTP ports, you must use S3 API port for if you are using
  rotating credentials.

- Access to bucket(s) and object(s) are governed via IAM policies associated with the incoming
  login credentials.

| `minio_node_iam_sync_failures`             | Number of failed IAM data syncs since server start.         |
| `minio_node_iam_sync_successes`            | Number of successful IAM data syncs since server start.     |

## Information Lifecycle Management (ILM) Metrics

		return nil, errors.New("no bucket name was provided")
	}

	// Credentials initialization
	var creds *credentials.Credentials
	switch {
	case conf.AWSRole:
		creds = credentials.New(&credentials.IAM{
			Client: &http.Client{
				Transport: NewHTTPTransport(),
			},
		})
	case conf.AWSRoleWebIdentityTokenFile != "" && conf.AWSRoleARN != "":
		sessionName := conf.AWSRoleSessionName
		if sessionName == "" {

- Creation and deletion of buckets and objects
- Creation and deletion of all IAM users, groups, policies and their mappings to users or groups
- Creation of STS credentials
- Creation and deletion of service accounts (except those owned by the root user)
- Changes to Bucket features such as:
  - Bucket Policies

	if len(valSet) > 1 {
		// mismatch - one or more sites has differing tags/policy
		return false
	}
	return true
}

// isIAMPolicyReplicated returns true if count of replicated IAM policies matches total
// number of sites and IAM policies are identical.
func isIAMPolicyReplicated(cntReplicated, total int, policies []*policy.Policy) bool {
	if cntReplicated > 0 && cntReplicated != total {
		return false
	}

			Sensitive:   true,
			Type:        "string",
			Secret:      true,
		},
		config.HelpKV{
			Key:         RolePolicy,
			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"` + defaultHelpPostfix(RolePolicy),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{