Following example shows how you can use [`minio-go` PresignedGetObject](https://min.io/docs/minio/linux/developers/go/API.html#presignedgetobject-ctx-context-context-bucketname-objectname-string-expiry-time-duration-reqparams-url-values-url-url-error)
```go
package main

import (
	"context"
	"log"
	"net/url"
	"time"
	"fmt"

	"github.com/minio/minio-go/v7"

			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
			return
		}
		for _, rl := range lcCfg.Rules {
			updRule, ok := updatedRules[rl.ID]
			// original rule had expiry that is no longer in the new config,
			// or rule is present but missing expiration flags
			if (!rl.Expiration.IsNull() || !rl.NoncurrentVersionExpiration.IsNull()) &&

	if resp.StatusCode != http.StatusOK {
		return errors.New(resp.Status)
	}

	return r.pubKeys.parseAndAdd(resp.Body)
}

// ErrTokenExpired - error token expired
var (
	ErrTokenExpired = errors.New("token expired")
)

func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
	expStr := claims["exp"]
	if expStr == "" {
		return ErrTokenExpired
	}

			traceFn(ILMExpiry, nil, nil)
			return false
		}
		// Assume it is still there.
		err := fmt.Errorf("DeleteObject(%s, %s): %w", obj.Bucket, obj.Name, err)
		ilmLogOnceIf(ctx, err, "non-transition-expiry"+obj.Name)
		traceFn(ILMExpiry, nil, err)
		return false
	}
	if dobj.Name == "" {
		dobj = obj
	}

	tags := newLifecycleAuditEvent(src, lcEvent).Tags()
	tags["version-id"] = dobj.VersionID

		if len(meta.LifecycleConfigXML) > 0 {
			var lcCfg lifecycle.Lifecycle
			if err := xml.Unmarshal(meta.LifecycleConfigXML, &lcCfg); err != nil {
				return updatedAt, err
			}
			// find a single expiry rule set the flag
			for _, rl := range lcCfg.Rules {
				if !rl.Expiration.IsNull() || !rl.NoncurrentVersionExpiration.IsNull() {
					expiryRuleRemoved = true
					break
				}
			}
		}

```

## Using WebIdentity API

```
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
# Optional: Allow to specify the requested OpenID scopes (OpenID only requires the `openid` scope)
#export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"

	groups, err := l.LDAP.SearchForUserGroups(conn, username, lookupResult.ActualDN)
	if err != nil {
		return nil, nil, err
	}

	return lookupResult, groups, nil
}

// GetExpiryDuration - return parsed expiry duration.
func (l Config) GetExpiryDuration(dsecs string) (time.Duration, error) {
	if dsecs == "" {
		return l.stsExpiryDuration, nil
	}

	d, err := strconv.Atoi(dsecs)
	if err != nil {

}

const (
	minValidityDurationSeconds int = 900
	maxValidityDurationSeconds int = 365 * 24 * 3600
)

// Authenticate authenticates the token with the external hook endpoint and
// returns a parent user, max expiry duration for the authentication and a set
// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

	"github.com/minio/pkg/v3/policy"
)

// supportedHeadGetReqParams - supported request parameters for GET and HEAD presigned request.
var supportedHeadGetReqParams = map[string]string{
	"response-expires":             xhttp.Expires,
	"response-content-type":        xhttp.ContentType,
	"response-cache-control":       xhttp.CacheControl,
	"response-content-encoding":    xhttp.ContentEncoding,

However, if a request needs a certain identity that we have not fetched yet, it will be immediately requested.

Ztunnel additionally will handle the rotation of these certificates (typically 24hr expiration) as they approach expiry.

## Telemetry