continue // skip if not the type we want
		}
		arn, ok := accessKey.Claims[roleArnClaim].(string)
		if !ok {
			if _, ok := accessKey.Claims[iamPolicyClaimNameOpenID()]; !ok {
				continue // skip if no roleArn and no policy claim
			}
			// claim-based provider is in the roleArnMap under dummy ARN
			arn = dummyRoleARN
		}
		matchingCfgName, ok := roleArnMap[arn]
		if !ok {

> NOTE: If you are using a mc version below `RELEASE.2022-12-24T15-21-38Z`, the --remote-bucket flag needs an ARN generated by `mc admin bucket remote add` command. For  mc versions RELEASE.2021-09-02T09-21-27Z and older, the remote target ARN needs to be passed in the --arn flag and actual remote bucket name in --remote-bucket flag of  `mc replicate add`. For example, in older releases of mc replication configuration used to be added with:

```

    @Test
    public void test_addErrorsInvalidKuromojiSegmentation() {
        String property = "testProperty";
        String arg0 = "token1";
        String arg1 = "token2";
        FessMessages result = messages.addErrorsInvalidKuromojiSegmentation(property, arg0, arg1);
        assertNotNull(result);
        assertSame(messages, result);
        assertTrue(messages.hasMessageOf(property));
    }

    @Test

(uint64(arg1[17]) << 8) x16 := arg1[16] x17 := (uint64(arg1[15]) << 56) x18 := (uint64(arg1[14]) << 48) x19 := (uint64(arg1[13]) << 40) x20 := (uint64(arg1[12]) << 32) x21 := (uint64(arg1[11]) << 24) x22 := (uint64(arg1[10]) << 16) x23 := (uint64(arg1[9]) << 8) x24 := arg1[8] x25 := (uint64(arg1[7]) << 56) x26 := (uint64(arg1[6]) << 48) x27 := (uint64(arg1[5]) << 40) x28 := (uint64(arg1[4]) << 32) x29 := (uint64(arg1[3]) << 24) x30 := (uint64(arg1[2]) << 16) x31 := (uint64(arg1[1]) << 8) x32 := arg1[0]...

     * @see jcifs.smb.SSPContext#isSupported(org.bouncycastle.asn1.ASN1ObjectIdentifier)
     */
    @Override
    public boolean isSupported(ASN1ObjectIdentifier mechanism) {
        return KRB5_MECH_OID.equals(mechanism) || KRB5_MS_MECH_OID.equals(mechanism);
    }

    /**
     * {@inheritDoc}
     *
     * @see jcifs.smb.SSPContext#isPreferredMech(org.bouncycastle.asn1.ASN1ObjectIdentifier)
     */
    @Override

			sameTarget:            false,
			expectedParsingErr:    fmt.Errorf("invalid destination '%v'", "destinationbucket2"),
			expectedValidationErr: nil,
		},
		// 13 missing role in config and destination ARN has target ARN
		{

After configuring the plugin, use the generated Role ARN with `AssumeRoleWithCustomToken` to get temporary credentials to access object storage.

## API Request

To make an STS API request with this method, send a POST request to the MinIO endpoint with following query parameters:

<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
<div class="row">
	<div class="col-sm-2">
		<la:message key="labels.pagination_page_guide_msg"
			arg0="${f:h(pager.currentPageNumber)}"
			arg1="${f:h(pager.allPageCount)}"
			arg2="${f:h(pager.allRecordCount)}" />
	</div>
	<nav aria-label="...">
	</nav>
	<div class="col-sm-10">
		<ul class="pagination pagination-sm m-0 float-right">
			<c:if test="${pager.existPrePage}">

variables in the *Resource* element and in string comparisons in the *Condition* element.

You can use a policy variable in the Resource element, but only in the resource portion of the ARN. This portion of the ARN appears after the 5th colon (:). You can't use a variable to replace parts of the ARN before the 5th colon, such as the service or account. The following policy might be attached to a group. It gives each of the users in the group full programmatic access to a user-specific object...

MINIO_IDENTITY_PLUGIN_ROLE_ID       (string)    unique ID to generate the ARN
MINIO_IDENTITY_PLUGIN_COMMENT       (sentence)  optionally add a comment to this setting
```

If provided, the auth token parameter is sent as an authorization header.

`MINIO_IDENTITY_PLUGIN_ROLE_POLICY` is a required parameter and can be list of comma separated policy names.