make STS support for 'mc' alias specific (#4771)

currently STS specific behavior is global, `mc` however supports multiple aliases - we need to make sure that `mc` treats this ENV specific to an alias.
minio · Nov 26, 2023 · 2178568 · 2178568
1 parent 16709e4
commit 2178568
Show file tree

Hide file tree

Showing 9 changed files with 161 additions and 130 deletions.
diff --git a/cmd/alias-set.go b/cmd/alias-set.go
@@ -235,8 +235,8 @@ func probeS3Signature(ctx context.Context, accessKey, secretKey, url string, pee
 
 // BuildS3Config constructs an S3 Config and does
 // signature auto-probe when needed.
-func BuildS3Config(ctx context.Context, url, accessKey, secretKey, api, path string, peerCert *x509.Certificate) (*Config, *probe.Error) {
-	s3Config := NewS3Config(url, &aliasConfigV10{
+func BuildS3Config(ctx context.Context, alias, url, accessKey, secretKey, api, path string, peerCert *x509.Certificate) (*Config, *probe.Error) {
+	s3Config := NewS3Config(alias, url, &aliasConfigV10{
 		AccessKey: accessKey,
 		SecretKey: secretKey,
 		URL:       url,
@@ -339,7 +339,7 @@ func mainAliasSet(cli *cli.Context, deprecated bool) error {
 		fatalIf(err.Trace(alias, url, accessKey), "Unable to initialize new alias from the provided credentials.")
 	}
 
-	s3Config, err := BuildS3Config(ctx, url, accessKey, secretKey, api, path, peerCert)
+	s3Config, err := BuildS3Config(ctx, alias, url, accessKey, secretKey, api, path, peerCert)
 	fatalIf(err.Trace(alias, url, accessKey), "Unable to initialize new alias from the provided credentials.")
 
 	msg := setAlias(alias, aliasConfigV10{

diff --git a/cmd/client-admin.go b/cmd/client-admin.go
@@ -108,7 +108,7 @@ func newAdminClient(aliasedURL string) (*madmin.AdminClient, *probe.Error) {
 		return nil, probe.NewError(fmt.Errorf("No valid configuration found for '%s' host alias", urlStrFull))
 	}
 
-	s3Config := NewS3Config(urlStrFull, aliasCfg)
+	s3Config := NewS3Config(alias, urlStrFull, aliasCfg)
 
 	s3Client, err := s3AdminNew(s3Config)
 	if err != nil {

diff --git a/cmd/client-admin_test.go b/cmd/client-admin_test.go
@@ -19,15 +19,9 @@ package cmd
 
 import (
 	"bytes"
-	"context"
 	"io"
-	"log"
 	"net/http"
-	"net/http/httptest"
-	"os"
 	"strconv"
-
-	checkv1 "gopkg.in/check.v1"
 )
 
 type adminPolicyHandler struct {
@@ -67,61 +61,3 @@ func (h adminPolicyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusForbidden)
 	}
 }
-
-func (s *TestSuite) TestAdminSTSOperation(c *checkv1.C) {
-	sts := stsHandler{
-		endpoint: "/",
-		jwt:      []byte("eyJhbGciOiJSUzI1NiIsImtpZCI6Inc0dFNjMEc5Tk0wQWhGaWJYaWIzbkpRZkRKeDc1dURRTUVpOTNvTHJ0OWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzMxMTg3NzEwLCJpYXQiOjE2OTk2NTE3MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJtaW5pby10ZW5hbnQtMSIsInBvZCI6eyJuYW1lIjoic2V0dXAtYnVja2V0LXQ4eGdjIiwidWlkIjoiNjZhYjlkZWItNzkwMC00YTFlLTgzMDgtMTkwODIwZmQ3NDY5In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJtYy1qb2Itc2EiLCJ1aWQiOiI3OTc4NzJjZC1kMjkwLTRlM2EtYjYyMC00ZGFkYzZhNzUyMTYifSwid2FybmFmdGVyIjoxNjk5NjU1MzE3fSwibmJmIjoxNjk5NjUxNzEwLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW8tdGVuYW50LTE6bWMtam9iLXNhIn0.rY7dpAh8GBTViH9Ges7tRhgyihdFWEN0DwXchelmZg58VOI526S-YfbCqrxksTs8Iu0fp1rmk1cUj7FGDh3AOv2RphHjoWci1802zKkHgH0iOEbKMp3jHXwfyHda8CyrSCPycGzClueCf1ae91wd_0lgK9lOR1qqY1HuDeXqSEAUIGrfh1VcP2n95Zc07EY-Uh3XjJE4drtgusACEK5n3P3WtN9s0m0GomEGQzF5ZJczxLGpHBKMQ5VDhMksVKdBAsx9xHgSx84aUhKQViYilAL-8PRj-RZA9s_IpEymAh5R37dKzAO8Fqq0nG7fVbH_ifzw3xhHiG92BhHldBDqEQ"),
-	}
-
-	tmpfile, errFs := os.CreateTemp("", "jwt")
-	if errFs != nil {
-		log.Fatal(errFs)
-	}
-	defer os.Remove(tmpfile.Name()) // clean up
-
-	if _, errFs := tmpfile.Write(sts.jwt); errFs != nil {
-		log.Fatal(errFs)
-	}
-	if errFs := tmpfile.Close(); errFs != nil {
-		log.Fatal(errFs)
-	}
-
-	stsServer := httptest.NewServer(sts)
-	defer stsServer.Close()
-	os.Setenv("MC_STS_ENDPOINT", stsServer.URL+sts.endpoint)
-	os.Setenv("MC_WEB_IDENTITY_TOKEN_FILE", tmpfile.Name())
-	handler := adminPolicyHandler{
-		endpoint: "/minio/admin/v3/add-canned-policy?name=",
-		name:     "test",
-		policy: []byte(`
-{
-  "Version": "2012-10-17",
-  "Statement": [
-	{
-	  "Effect": "Allow",
-	  "Action": [
-		"s3:*"
-	  ],
-	  "Resource": [
-		"arn:aws:s3:::test-bucket",
-		"arn:aws:s3:::test-bucket/*"
-	  ]
-	}
-  ]
-
-}`),
-	}
-	server := httptest.NewServer(handler)
-	defer server.Close()
-
-	conf := new(Config)
-	conf.Debug = true
-	conf.Insecure = true
-	conf.HostURL = server.URL + handler.endpoint + handler.name
-	s3c, err := s3AdminNew(conf)
-	c.Assert(err, checkv1.IsNil)
-
-	policyErr := s3c.AddCannedPolicy(context.Background(), handler.name, handler.policy)
-	c.Assert(policyErr, checkv1.IsNil)
-}
diff --git a/cmd/client-s3.go b/cmd/client-s3.go
@@ -216,14 +216,14 @@ func getTransportForConfig(config *Config, withS3v2 bool) http.RoundTripper {
 func getCredentialsChainForConfig(config *Config, transport http.RoundTripper) ([]credentials.Provider, *probe.Error) {
 	var credsChain []credentials.Provider
 	// if an STS endpoint is set, we will add that to the chain
-	if stsEndpoint := env.Get("MC_STS_ENDPOINT", ""); stsEndpoint != "" {
+	if stsEndpoint := env.Get("MC_STS_ENDPOINT_"+config.Alias, ""); stsEndpoint != "" {
 		// set AWS_WEB_IDENTITY_TOKEN_FILE is MC_WEB_IDENTITY_TOKEN_FILE is set
-		if val := env.Get("MC_WEB_IDENTITY_TOKEN_FILE", ""); val != "" {
+		if val := env.Get("MC_WEB_IDENTITY_TOKEN_FILE_"+config.Alias, ""); val != "" {
 			os.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", val)
-			if val := env.Get("MC_ROLE_ARN", ""); val != "" {
+			if val := env.Get("MC_ROLE_ARN_"+config.Alias, ""); val != "" {
 				os.Setenv("AWS_ROLE_ARN", val)
 			}
-			if val := env.Get("MC_ROLE_SESSION_NAME", randString(32, rand.NewSource(time.Now().UnixNano()), "mc-session-name-")); val != "" {
+			if val := env.Get("MC_ROLE_SESSION_NAME_"+config.Alias, randString(32, rand.NewSource(time.Now().UnixNano()), "mc-session-name-")); val != "" {
 				os.Setenv("AWS_ROLE_SESSION_NAME", val)
 			}
 		}

diff --git a/cmd/client-s3_test.go b/cmd/client-s3_test.go
@@ -22,10 +22,8 @@ import (
 	"bytes"
 	"context"
 	"io"
-	"log"
 	"net/http"
 	"net/http/httptest"
-	"os"
 	"strconv"
 
 	minio "github.com/minio/minio-go/v7"
@@ -88,7 +86,7 @@ func (h objectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	switch {
-	case r.Method == "PUT":
+	case r.Method == http.MethodPut:
 		// Handler for PUT object request.
 		length, e := strconv.Atoi(r.Header.Get("Content-Length"))
 		if e != nil {
@@ -102,7 +100,7 @@ func (h objectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		w.Header().Set("ETag", "9af2f8218b150c351ad802c6f3d66abe")
 		w.WriteHeader(http.StatusOK)
-	case r.Method == "HEAD":
+	case r.Method == http.MethodHead:
 		// Handler for Stat object request.
 		if r.URL.Path != h.resource {
 			w.WriteHeader(http.StatusNotFound)
@@ -112,7 +110,7 @@ func (h objectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Last-Modified", UTCNow().Format(http.TimeFormat))
 		w.Header().Set("ETag", "9af2f8218b150c351ad802c6f3d66abe")
 		w.WriteHeader(http.StatusOK)
-	case r.Method == "POST":
+	case r.Method == http.MethodPost:
 		// Handler for multipart upload request.
 		if _, ok := r.URL.Query()["uploads"]; ok {
 			if r.URL.Path == h.resource {
@@ -134,7 +132,7 @@ func (h objectHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusNotFound)
 			return
 		}
-	case r.Method == "GET":
+	case r.Method == http.MethodGet:
 		// Handler for get bucket location request.
 		if _, ok := r.URL.Query()["location"]; ok {
 			response := []byte("<LocationConstraint xmlns=\"http://doc.s3.amazonaws.com/2006-03-01\"></LocationConstraint>")
@@ -174,22 +172,20 @@ func (h stsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	switch {
-	case r.Method == "POST":
+	case r.Method == http.MethodPost:
 		token := r.Form.Get("WebIdentityToken")
 		if token == string(h.jwt) {
 			response := []byte("<AssumeRoleWithWebIdentityResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\"><AssumeRoleWithWebIdentityResult><AssumedRoleUser><Arn></Arn><AssumeRoleId></AssumeRoleId></AssumedRoleUser><Credentials><AccessKeyId>7NL5BR739GUQ0ZOD4JNB</AccessKeyId><SecretAccessKey>A2mxZSxPnHNhSduedUHczsXZpVSSssOLpDruUmTV</SecretAccessKey><Expiration>0001-01-01T00:00:00Z</Expiration><SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiI3Tkw1QlI3MzlHVVEwWk9ENEpOQiIsImV4cCI6MTY5OTYwMzMwNiwicGFyZW50IjoibWluaW8iLCJzZXNzaW9uUG9saWN5IjoiZXlKV1pYSnphVzl1SWpvaU1qQXhNaTB4TUMweE55SXNJbE4wWVhSbGJXVnVkQ0k2VzNzaVJXWm1aV04wSWpvaVFXeHNiM2NpTENKQlkzUnBiMjRpT2xzaVlXUnRhVzQ2S2lKZGZTeDdJa1ZtWm1WamRDSTZJa0ZzYkc5M0lpd2lRV04wYVc5dUlqcGJJbXR0Y3pvcUlsMTlMSHNpUldabVpXTjBJam9pUVd4c2IzY2lMQ0pCWTNScGIyNGlPbHNpY3pNNktpSmRMQ0pTWlhOdmRYSmpaU0k2V3lKaGNtNDZZWGR6T25Nek9qbzZLaUpkZlYxOSJ9.uuE_x7PO8QoPfUk9KzUELoAqxihIknZAvJLl5aYJjwpSjJYFTPLp6EvuyJX2hc18s9HzeiJ-vU0dPzsy50dXmg</SessionToken></Credentials></AssumeRoleWithWebIdentityResult><ResponseMetadata></ResponseMetadata></AssumeRoleWithWebIdentityResponse>")
 			w.Header().Set("Content-Length", strconv.Itoa(len(response)))
 			w.Header().Set("Content-Type", "application/xml")
 			w.Header().Set("Server", "MinIO")
 			w.Write(response)
-			w.WriteHeader(http.StatusOK)
 			return
 		} else {
 			response := []byte("<ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\"><Error><Type></Type><Code>AccessDenied</Code><Message>Access denied: Invalid Token</Message></Error><RequestId></RequestId></ErrorResponse>")
 			w.Header().Set("Content-Length", strconv.Itoa(len(response)))
 			w.Header().Set("Content-Type", "application/xml")
 			w.Write(response)
-			w.WriteHeader(http.StatusForbidden)
 			return
 		}
 	}
@@ -279,52 +275,6 @@ func (s *TestSuite) TestObjectOperations(c *checkv1.C) {
 	}
 }
 
-func (s *TestSuite) TestSTSOperation(c *checkv1.C) {
-	sts := stsHandler{
-		endpoint: "/",
-		jwt:      []byte("eyJhbGciOiJSUzI1NiIsImtpZCI6Inc0dFNjMEc5Tk0wQWhGaWJYaWIzbkpRZkRKeDc1dURRTUVpOTNvTHJ0OWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzMxMTIyNjg0LCJpYXQiOjE2OTk1ODY2ODQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJtaW5pby10ZW5hbnQtMSIsInBvZCI6eyJuYW1lIjoic2V0dXAtYnVja2V0LXJ4aHhiIiwidWlkIjoiNmNhMzhjMmItYTdkMC00M2Y0LWE0NjMtZjdlNjU4MGUyZDdiIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJtYy1qb2Itc2EiLCJ1aWQiOiI3OTc4NzJjZC1kMjkwLTRlM2EtYjYyMC00ZGFkYzZhNzUyMTYifSwid2FybmFmdGVyIjoxNjk5NTkwMjkxfSwibmJmIjoxNjk5NTg2Njg0LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW8tdGVuYW50LTE6bWMtam9iLXNhIn0.fBJckmoQFyJ9bUgKZv6jzBESd9ccX_HFPPBZ17Gz_CsQ5wXrMqnvoMs1mcv6QKWsDsvSnWnw_tcW0cjvVkXb2mKmioKLzqV4ihGbiWzwk2e1xDohn8fizdQkf64bXpncjGdEGv8oi9A4300jfLMfg53POriMyEAQMeIDKPOI9qx913xjGni2w2H49mjLfnFnRaj9osvy17425dNIrMC6GDFq3rcq6Z_cdDmL18Jwsjy1xDsAhUzmOclr-VI3AeSnuD4fbf6jhbKE14qVUjLmIBf__B5NhESiaFNwxFYjonZyi357Nx93CD1wai28tNRSODx7BiPHLxk8SyzY0CP0sQ"),
-	}
-
-	tmpfile, errFs := os.CreateTemp("", "jwt")
-	if errFs != nil {
-		log.Fatal(errFs)
-	}
-	defer os.Remove(tmpfile.Name()) // clean up
-
-	if _, errFs := tmpfile.Write(sts.jwt); errFs != nil {
-		log.Fatal(errFs)
-	}
-	if errFs := tmpfile.Close(); errFs != nil {
-		log.Fatal(errFs)
-	}
-
-	stsServer := httptest.NewServer(sts)
-	defer stsServer.Close()
-	os.Setenv("MC_STS_ENDPOINT", stsServer.URL+sts.endpoint)
-	os.Setenv("MC_WEB_IDENTITY_TOKEN_FILE", tmpfile.Name())
-	object := objectHandler{
-		resource: "/bucket/object",
-		data:     []byte("Hello, World"),
-	}
-	server := httptest.NewServer(object)
-	defer server.Close()
-
-	conf := new(Config)
-	conf.HostURL = server.URL + object.resource
-	s3c, err := S3New(conf)
-	c.Assert(err, checkv1.IsNil)
-
-	var reader io.Reader
-	reader = bytes.NewReader(object.data)
-	n, err := s3c.Put(context.Background(), reader, int64(len(object.data)), nil, PutOptions{
-		metadata: map[string]string{
-			"Content-Type": "application/octet-stream",
-		},
-	})
-	c.Assert(err, checkv1.IsNil)
-	c.Assert(n, checkv1.Equals, int64(len(object.data)))
-}
-
 var testSelectCompressionTypeCases = []struct {
 	opts            SelectObjectOpts
 	object          string

diff --git a/cmd/client-sts_test.go b/cmd/client-sts_test.go
@@ -0,0 +1,144 @@
+// Copyright (c) 2015-2023 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"log"
+	"net/http/httptest"
+	"os"
+	"testing"
+)
+
+func TestSTSS3Operation(t *testing.T) {
+	sts := stsHandler{
+		endpoint: "/",
+		jwt:      []byte("eyJhbGciOiJSUzI1NiIsImtpZCI6Inc0dFNjMEc5Tk0wQWhGaWJYaWIzbkpRZkRKeDc1dURRTUVpOTNvTHJ0OWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzMxMTIyNjg0LCJpYXQiOjE2OTk1ODY2ODQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJtaW5pby10ZW5hbnQtMSIsInBvZCI6eyJuYW1lIjoic2V0dXAtYnVja2V0LXJ4aHhiIiwidWlkIjoiNmNhMzhjMmItYTdkMC00M2Y0LWE0NjMtZjdlNjU4MGUyZDdiIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJtYy1qb2Itc2EiLCJ1aWQiOiI3OTc4NzJjZC1kMjkwLTRlM2EtYjYyMC00ZGFkYzZhNzUyMTYifSwid2FybmFmdGVyIjoxNjk5NTkwMjkxfSwibmJmIjoxNjk5NTg2Njg0LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW8tdGVuYW50LTE6bWMtam9iLXNhIn0.fBJckmoQFyJ9bUgKZv6jzBESd9ccX_HFPPBZ17Gz_CsQ5wXrMqnvoMs1mcv6QKWsDsvSnWnw_tcW0cjvVkXb2mKmioKLzqV4ihGbiWzwk2e1xDohn8fizdQkf64bXpncjGdEGv8oi9A4300jfLMfg53POriMyEAQMeIDKPOI9qx913xjGni2w2H49mjLfnFnRaj9osvy17425dNIrMC6GDFq3rcq6Z_cdDmL18Jwsjy1xDsAhUzmOclr-VI3AeSnuD4fbf6jhbKE14qVUjLmIBf__B5NhESiaFNwxFYjonZyi357Nx93CD1wai28tNRSODx7BiPHLxk8SyzY0CP0sQ"),
+	}
+
+	tmpfile, errFs := os.CreateTemp("", "jwt")
+	if errFs != nil {
+		log.Fatal(errFs)
+	}
+	defer os.Remove(tmpfile.Name()) // clean up
+
+	if _, errFs := tmpfile.Write(sts.jwt); errFs != nil {
+		log.Fatal(errFs)
+	}
+	if errFs := tmpfile.Close(); errFs != nil {
+		log.Fatal(errFs)
+	}
+
+	stsServer := httptest.NewServer(sts)
+	defer stsServer.Close()
+	t.Setenv("MC_STS_ENDPOINT_test", stsServer.URL+sts.endpoint)
+	t.Setenv("MC_WEB_IDENTITY_TOKEN_FILE_test", tmpfile.Name())
+	object := objectHandler{
+		resource: "/bucket/object",
+		data:     []byte("Hello, World"),
+	}
+	server := httptest.NewServer(object)
+	defer server.Close()
+
+	conf := new(Config)
+	conf.Alias = "test"
+	conf.HostURL = server.URL + object.resource
+	s3c, err := S3New(conf)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var reader io.Reader
+	reader = bytes.NewReader(object.data)
+	n, err := s3c.Put(context.Background(), reader, int64(len(object.data)), nil, PutOptions{
+		metadata: map[string]string{
+			"Content-Type": "application/octet-stream",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != int64(len(object.data)) {
+		t.Fatalf("expected %d, got %d", n, len(object.data))
+	}
+}
+
+func TestAdminSTSOperation(t *testing.T) {
+	sts := stsHandler{
+		endpoint: "/",
+		jwt:      []byte("eyJhbGciOiJSUzI1NiIsImtpZCI6Inc0dFNjMEc5Tk0wQWhGaWJYaWIzbkpRZkRKeDc1dURRTUVpOTNvTHJ0OWcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzMxMTg3NzEwLCJpYXQiOjE2OTk2NTE3MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJtaW5pby10ZW5hbnQtMSIsInBvZCI6eyJuYW1lIjoic2V0dXAtYnVja2V0LXQ4eGdjIiwidWlkIjoiNjZhYjlkZWItNzkwMC00YTFlLTgzMDgtMTkwODIwZmQ3NDY5In0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJtYy1qb2Itc2EiLCJ1aWQiOiI3OTc4NzJjZC1kMjkwLTRlM2EtYjYyMC00ZGFkYzZhNzUyMTYifSwid2FybmFmdGVyIjoxNjk5NjU1MzE3fSwibmJmIjoxNjk5NjUxNzEwLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bWluaW8tdGVuYW50LTE6bWMtam9iLXNhIn0.rY7dpAh8GBTViH9Ges7tRhgyihdFWEN0DwXchelmZg58VOI526S-YfbCqrxksTs8Iu0fp1rmk1cUj7FGDh3AOv2RphHjoWci1802zKkHgH0iOEbKMp3jHXwfyHda8CyrSCPycGzClueCf1ae91wd_0lgK9lOR1qqY1HuDeXqSEAUIGrfh1VcP2n95Zc07EY-Uh3XjJE4drtgusACEK5n3P3WtN9s0m0GomEGQzF5ZJczxLGpHBKMQ5VDhMksVKdBAsx9xHgSx84aUhKQViYilAL-8PRj-RZA9s_IpEymAh5R37dKzAO8Fqq0nG7fVbH_ifzw3xhHiG92BhHldBDqEQ"),
+	}
+
+	tmpfile, errFs := os.CreateTemp("", "jwt")
+	if errFs != nil {
+		log.Fatal(errFs)
+	}
+	defer os.Remove(tmpfile.Name()) // clean up
+
+	if _, errFs := tmpfile.Write(sts.jwt); errFs != nil {
+		log.Fatal(errFs)
+	}
+	if errFs := tmpfile.Close(); errFs != nil {
+		log.Fatal(errFs)
+	}
+
+	stsServer := httptest.NewServer(sts)
+	defer stsServer.Close()
+	t.Setenv("MC_STS_ENDPOINT_test", stsServer.URL+sts.endpoint)
+	t.Setenv("MC_WEB_IDENTITY_TOKEN_FILE_test", tmpfile.Name())
+	handler := adminPolicyHandler{
+		endpoint: "/minio/admin/v3/add-canned-policy?name=",
+		name:     "test",
+		policy: []byte(`
+{
+  "Version": "2012-10-17",
+  "Statement": [
+	{
+	  "Effect": "Allow",
+	  "Action": [
+		"s3:*"
+	  ],
+	  "Resource": [
+		"arn:aws:s3:::test-bucket",
+		"arn:aws:s3:::test-bucket/*"
+	  ]
+	}
+  ]
+
+}`),
+	}
+	server := httptest.NewServer(handler)
+	defer server.Close()
+
+	conf := new(Config)
+	conf.Alias = "test"
+	conf.Debug = true
+	conf.Insecure = true
+	conf.HostURL = server.URL + handler.endpoint + handler.name
+	s3c, err := s3AdminNew(conf)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	e := s3c.AddCannedPolicy(context.Background(), handler.name, handler.policy)
+	if e != nil {
+		t.Fatal(e)
+	}
+}