if err != nil {
		return c, err
	}

	for _, cfgName := range openIDTargets {
		getCfgVal := func(cfgParam string) string {
			// As parameters are already validated, we skip checking
			// if the config param was found.
			val, _, _ := s.ResolveConfigParam(config.IdentityOpenIDSubSys, cfgName, cfgParam, false)
			return val
		}

		err = errors.New("invalid ARN - bad partition field")
		return
	}

	if ps[2] != string(arnServiceIAM) {
		err = errors.New("invalid ARN - bad service field")
		return
	}

	// ps[3] is region and is not validated here. If the region is invalid,
	// the ARN would not match any configured ARNs in the server.
	if ps[4] != "" {
		err = errors.New("invalid ARN - unsupported account-id field")
		return
	}

```Python hl_lines="1  18"
{!../../docs_src/response_directly/tutorial002.py!}
```

## Notes

When you return a `Response` directly its data is not validated, converted (serialized), nor documented automatically.

But you can still document it as described in [Additional Responses in OpenAPI](additional-responses.md){.internal-link target=_blank}.

      Entry<K, V> entryCopy = mapEntry(entry.getKey(), entry.getValue());

      iterator.remove();
      assertEquals(initialSize - 1, map.size());

      // Use "entryCopy" instead of "entry" because "entry" might be invalidated after
      // iterator.remove().
      assertFalse(entrySet.contains(entryCopy));
      assertInvariants(map);
      assertThrows(IllegalStateException.class, () -> iterator.remove());
    } else {

    internal var minFreshSeconds = -1
    internal var onlyIfCached: Boolean = false
    internal var noTransform: Boolean = false
    internal var immutable: Boolean = false

    /** Don't accept an unvalidated cached response. */
    fun noCache() = commonNoCache()

    /** Don't store the server's response in any cache. */
    fun noStore() = commonNoStore()

    /**

/**
 * A semi-persistent mapping from keys to values. Cache entries are manually added using {@link
 * #get(Object, Callable)} or {@link #put(Object, Object)}, and are stored in the cache until either
 * evicted or manually invalidated. The common way to build instances is using {@link CacheBuilder}.
 *
 * <p>Implementations of this interface are expected to be thread-safe, and can be safely accessed
 * by multiple concurrent threads.
 *

  optional ParamRef paramRef = 2;

  // MatchResources declares what resources match this binding and will be validated by it.
  // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
  // If this is unset, all resources matched by the policy are validated by this binding

```
λ make verify-healing
```

At this point in time the backport is ready to be submitted as a pull request to the relevant branch. A pull request is recommended to ensure [mint](http://github.com/minio/mint) tests are validated. Pull request also ensures code-reviews for the backports in case of any unforeseen regressions.

### Building a hotfix binary and container

AssumeRoleWithClientGrants does not require the use of MinIO default credentials. Therefore, client application can be distributed that requests temporary security credentials without including MinIO default credentials. Instead, the identity of the caller is validated by using a JWT access token from the identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls...

	args := Args{}

	if err := s.CheckValidKeys(config.PolicyPluginSubSys, nil); err != nil {
		return args, err
	}

	getCfg := func(cfgParam string) string {
		// As parameters are already validated, we skip checking
		// if the config param was found.
		val, _, _ := s.ResolveConfigParam(config.PolicyPluginSubSys, config.Default, cfgParam, false)
		return val
	}

	pluginURL := getCfg(URL)