sameTarget:            false,
			expectedParsingErr:    fmt.Errorf("invalid destination '%v'", "destinationbucket2"),
			expectedValidationErr: nil,
		},
		// 13 missing role in config and destination ARN has target ARN
		{

		ClientSecret: "WNGvKVyyNmXq0TraSvjaDN9CtpFgx35IXtGEffMCPR0",
	}
	provider.JWKS.URL = u1
	cfg := Config{
		Enabled: true,
		pubKeys: pubKeys,
		arnProviderCfgsMap: map[arn.ARN]*providerCfg{
			DummyRoleARN: &provider,
		},
		ProviderCfgs: map[string]*providerCfg{
			"1": &provider,
		},
		closeRespFn: func(rc io.ReadCloser) {
			rc.Close()
		},
	}

}

// GetRolePolicy - returns policies associated with a role ARN.
func (sys *IAMSys) GetRolePolicy(arnStr string) (arn.ARN, string, error) {
	roleArn, err := arn.Parse(arnStr)
	if err != nil {
		return arn.ARN{}, "", fmt.Errorf("RoleARN parse err: %v", err)
	}
	rolePolicy, ok := sys.rolesMap[roleArn]
	if !ok {
		return arn.ARN{}, "", fmt.Errorf("RoleARN %s is not defined.", arnStr)
	}

// Lookup - checks whether target by target ID exists is valid or not.
func (list *TargetList) Lookup(arnStr string) (Target, error) {
	list.RLock()
	defer list.RUnlock()

	arn, err := ParseARN(arnStr)
	if err != nil {
		return nil, err
	}

	id, found := list.targets[arn.TargetID]
	if !found {
		return nil, &ErrARNNotFound{}
	}
	return id, nil
}

// TargetIDResult returns result of Remove/Send operation, sets err if

We will enable bucket event notification to trigger whenever a JPEG image is uploaded or deleted `images` bucket on `myminio` server. Here ARN value is `arn:minio:sqs::1:amqp`. To understand more about ARN please follow [AWS ARN](http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) documentation.

```
mc mb myminio/images
mc event add myminio/images arn:minio:sqs::1:amqp --suffix .jpg

			rs.set(ri.Arn, ri.Size, 0, status, ri.OpType, ri.endpoint, ri.secure, ri.Err)
		}
	case replication.Completed:
		if ri.OpType.IsDataReplication() {
			rs.set(ri.Arn, ri.Size, ri.Duration, status, ri.OpType, ri.endpoint, ri.secure, ri.Err)
		}
	case replication.Failed:
		if ri.OpType.IsDataReplication() && prevStatus == replication.Pending {

```

> NOTE: In the following commands `--role-arn` and `--role-session-name` are not meaningful for MinIO and can be set to any value satisfying the command line requirements.

```
$ aws --profile foobar --endpoint-url http://localhost:9000 sts assume-role --policy '{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}]}' --role-arn arn:xxx:xxx:xxx:xxxx --role-session-name anything
{

func printLambdaTargets() {
	if globalLambdaTargetList == nil || globalLambdaTargetList.Empty() {
		return
	}

	arnMsg := color.Blue("Object Lambda ARNs: ")
	for _, arn := range globalLambdaTargetList.List(globalSite.Region()) {
		arnMsg += color.Bold(fmt.Sprintf("%s ", arn))
	}
	logger.Startup(arnMsg + "\n")
}

// Prints bucket notification configurations.
func printEventNotifiers() {
	if globalNotificationSys == nil {

After configuring the plugin, use the generated Role ARN with `AssumeRoleWithCustomToken` to get temporary credentials to access object storage.

## API Request

To make an STS API request with this method, send a POST request to the MinIO endpoint with following query parameters:

MINIO_IDENTITY_PLUGIN_ROLE_ID       (string)    unique ID to generate the ARN
MINIO_IDENTITY_PLUGIN_COMMENT       (sentence)  optionally add a comment to this setting
```

If provided, the auth token parameter is sent as an authorization header.

`MINIO_IDENTITY_PLUGIN_ROLE_POLICY` is a required parameter and can be list of comma separated policy names.