You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The current implementation expects that both the S3 proxy and STS proxy know about the roles and how to resolve them.
If the policies are not too big it could make sense to pass the role policy rather than the ARN. This way the S3 proxy just receives the policy that must be met and they don´t need to resolve the roles. This is interesting when there are just a few STS servers but a lot of S3 proxies.
This should however be a configurable option as it sacrifices a bit of security because generated credentials would remain valid their whole lifetime (changing the role permissions wouldn't impact access) and every setup would have to evaluate whether that is an acceptable risk for their use case.
The text was updated successfully, but these errors were encountered:
The current implementation expects that both the S3 proxy and STS proxy know about the roles and how to resolve them.
If the policies are not too big it could make sense to pass the role policy rather than the ARN. This way the S3 proxy just receives the policy that must be met and they don´t need to resolve the roles. This is interesting when there are just a few STS servers but a lot of S3 proxies.
This should however be a configurable option as it sacrifices a bit of security because generated credentials would remain valid their whole lifetime (changing the role permissions wouldn't impact access) and every setup would have to evaluate whether that is an acceptable risk for their use case.
The text was updated successfully, but these errors were encountered: