assertEquals(16, hash.length); // MD5 produces 128-bit hash
    }

    @Test
    @DisplayName("Should calculate HMAC-T64 correctly")
    void testHMACT64() {
        // Given
        byte[] key = "secret".getBytes();
        byte[] data = "Hello World".getBytes();

        // When
        MessageDigest hmac = Crypto.getHMACT64(key);
        byte[] result = hmac.digest(data);

        // Then

./mc mb --ignore-existing sitea/bucket
./mc mb --ignore-existing siteb/bucket

sleep 10s

## Add warm tier
./mc ilm tier add minio sitea WARM-TIER --endpoint http://localhost:9004 --access-key minioadmin --secret-key minioadmin --bucket bucket

## Add ILM rules
./mc ilm add sitea/bucket --transition-days 0 --transition-tier WARM-TIER
./mc ilm rule list sitea/bucket

./mc cp README.md sitea/bucket/README.md

ret=$?
if [ $ret -ne 0 ]; then
	echo "BUG: expected no missing entries after decommission: $out"
	exit 1
fi

./s3-check-md5 -versions -access-key minioadmin -secret-key minioadmin -endpoint http://127.0.0.1:9001/ -bucket versioned

	flag.StringVar(&idpEndpoint, "idp-ep", "http://localhost:8080/auth/realms/minio/protocol/openid-connect/token", "IDP token endpoint")
	flag.StringVar(&clientID, "cid", "", "Client ID")
	flag.StringVar(&clientSecret, "csec", "", "Client secret")
}

func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
	data := url.Values{}
	data.Set("grant_type", "client_credentials")

        this.keyStorePassword = keyStorePassword != null ? keyStorePassword.clone() : null;
    }

    /**
     * Store a session key
     *
     * @param sessionId unique session identifier
     * @param key the secret key to store
     * @param algorithm the key algorithm (e.g., "AES")
     */
    public void storeSessionKey(String sessionId, byte[] key, String algorithm) {
        checkNotClosed();

		return nil, errors.New("both the token file and the role ARN are required")
	case conf.AccessKey == "" && conf.SecretKey != "" || conf.AccessKey != "" && conf.SecretKey == "":
		return nil, errors.New("both the access and secret keys are required")
	case conf.AWSRole && (conf.AWSRoleWebIdentityTokenFile != "" || conf.AWSRoleARN != "" || conf.AccessKey != "" || conf.SecretKey != ""):

    /**
     * Creates a new S3StorageClient instance.
     *
     * @param endpoint the S3 endpoint URL (null for AWS default)
     * @param accessKey the AWS access key
     * @param secretKey the AWS secret key
     * @param bucket the bucket name
     * @param region the AWS region
     */
    public S3StorageClient(final String endpoint, final String accessKey, final String secretKey, final String bucket,

   </ResponseMetadata>
</AssumeRoleWithCertificateResponse>
```

## Authentication Flow

A client can request temp. S3 credentials via the STS API. It can authenticate via a client certificate and obtain a access/secret key pair as well as a session token. These credentials are associated to an S3 policy at the MinIO server.

}

func newWarmBackendMinIO(conf madmin.TierMinIO, tier string) (*warmBackendMinIO, error) {
	// Validation of credentials
	if conf.AccessKey == "" || conf.SecretKey == "" {
		return nil, errors.New("both access and secret keys are required")
	}

	if conf.Bucket == "" {
		return nil, errors.New("no bucket name was provided")
	}

	u, err := url.Parse(conf.Endpoint)
	if err != nil {
		return nil, err
	}

labels.ldap_memberof_attribute=memberOf Attribute
labels.notification_login=Login Page
labels.notification_search_top=Search Top Page
labels.storage_endpoint=Endpoint
labels.storage_access_key=Access Key
labels.storage_secret_key=Secret Key
labels.storage_bucket=Bucket
labels.storage_type=Type
labels.storage_type_auto=Auto
labels.storage_type_s3=S3
labels.storage_type_gcs=GCS
labels.storage_region=Region
labels.storage_project_id=Project ID