a client certificate.

The following curl example shows how to authenticate to a MinIO server with client certificate and obtain STS access credentials.

```curl
curl -X POST --key private.key --cert public.crt "https://minio:9000?Action=AssumeRoleWithCertificate&Version=2011-06-15&DurationSeconds=3600"
```

```xml

	done

	for i in $(seq 1 4); do
		"${MINIO[@]}" --address ":$((start_port + i))" ${args[@]} 2>&1 >"${WORK_DIR}/server$i.log" &
	done

	# Wait until all nodes return 403
	for i in $(seq 1 4); do
		while [ "$(curl -m 1 -s -o /dev/null -w "%{http_code}" http://localhost:$((start_port + i)))" -ne "403" ]; do
			echo -n "."
			sleep 1
		done
	done

}

# Prepare fake disks with losetup
function prepare_block_devices() {

#                     If it's "Release - Release Candidate", version will be from version-info-release-candidate/version-info.properties

post() {
    local endpoint="$1"
    local data="$2"

    local response=$(curl -X POST \
        -H "Authorization: token $GITHUB_TOKEN" \
        -H "Accept: application/vnd.github.v3+json" \
        -H "Content-Type: application/json" \
        "https://api.github.com/repos/gradle/gradle$endpoint" \

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package okhttp3.curl.logging

import java.util.logging.LogRecord
import java.util.logging.SimpleFormatter

object MessageFormatter : SimpleFormatter() {
  override fun format(record: LogRecord): String = String.format("%s%n", record.message)

import org.codelibs.core.lang.StringUtil;
import org.codelibs.core.misc.Pair;
import org.codelibs.core.net.UuidUtil;
import org.codelibs.core.stream.StreamUtil;
import org.codelibs.curl.Curl;
import org.codelibs.curl.CurlResponse;
import org.codelibs.fess.app.web.base.login.ActionResponseCredential;
import org.codelibs.fess.app.web.base.login.AzureAdCredential;

}

# All other users may do anything other than call PutObject
allow {
 input.action != "s3:PutObject"
 input.owner == false
}
EOF
```

Then load the policy via OPA's REST API.

```
curl -X PUT --data-binary @example.rego \
  localhost:8181/v1/policies/putobject
```

### 4. Setup MinIO with OPA

Request

```
curl -u <CLIENT_ID>:<CLIENT_SECRET> -k -d "grant_type=client_credentials" -H "Content-Type:application/x-www-form-urlencoded" https://<IS_HOST>:<IS_HTTPS_PORT>/oauth2/token
```

Example:

```

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
 * either express or implied. See the License for the specific language
 * governing permissions and limitations under the License.
 */
package org.codelibs.curl;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertSame;
import static org.junit.Assert.assertTrue;

		exit $#
	fi
}

catch

function gen_put_request() {
	hdr_sleep=$1
	body_sleep=$2

	echo "PUT /testbucket/testobject HTTP/1.1"
	sleep $hdr_sleep
	echo "Host: foo-header"
	echo "User-Agent: curl/8.2.1"
	echo "Accept: */*"
	echo "Content-Length: 30"
	echo ""

	sleep $body_sleep
	echo "random line 0"
	echo "random line 1"
	echo ""
	echo ""
}

function send_put_object_request() {

- Check that `account` client_id has the role 'admin' assigned in the "Service Account Roles" tab.

After that, you will be able to obtain an id_token for the Admin REST API using client_id and client_secret:

```
curl \
  -d "client_id=<YOUR_CLIENT_ID>" \
  -d "client_secret=<YOUR_CLIENT_SECRET>" \
  -d "grant_type=client_credentials" \
  "http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token"
```