Minio Python Client

[z0ph]

Hey 👋🏼 ,

Does SDK and client libraries are a good fit to be referenced here?

I would like to add the popular Minio: https://github.com/minio and especially the Python client (https://github.com/minio/minio-py) that does only support AK/SK/ST, which leads to maintaining custom code to retrieve AK/SK/ST from Metadata Server (IMDSv2) prior to running the Minio client logic.

Other Minio Clients are already supporting IMDSv2 natively:

• Go: Add support for IMDS Version 2. minio/minio-go#1489
• Java: Add IMDSv2 and auth token support in IamAws provider. minio/minio-java#1192

Python Client documentation: https://docs.min.io/docs/python-client-api-reference

Let me know if it makes sense.

Victor.

[0xdabbad00]

I generally want to avoid open-source projects when it is a hobby project or not directly associated with a company, as my goal is to focus attention primarily on commercial products where there is a stronger association between the product in question being tied to them being an AWS Partner. It does look like this project is tied to the company https://min.io/ though so this could make sense to be added.

However, it sounds like you are saying the library doesn't even use IMDSv1 but only supports access keys? This makes me think there is a different problem with this library that isn't tied to it forcing you to allow IMDSv1.

[z0ph]

Scott,

My message was a bit misleading, here is the code to retrieve IMDSv1 EC2 instance credentials for minio-py client:

• https://github.com/minio/minio-py/blob/master/minio/credentials/providers.py#L342-L429

But as you said, its an open-source project, so contributors and maintainers will say: "feel free to add the feature" :)

[0xdabbad00]

Open source projects that are the product of a company are reasonable. For example, I list New Relic's ruby agent. When that is the case, having an issue to reference is preferred. Minio seems to have a lot of issues going on with how they get creds. For example, these issues:

• Unable to use AWS ECS task role credentials minio/minio-py#956
• AWS credentials provider with role_arn + source_profile minio/minio-py#1119

They seem more like they are doing things the wrong way, by recreating a lot of botocore functionality, and so it's more that they need to redo how they get creds entirely, and not just that they should support IMDSv2.

So I feel a little weird about yelling at them, when their product seems just broken from the perspective of what they are doing for AWS creds. If there is an issue against their repo, that might be reasonable for me to reference though, but I feel like there would be too much for me to explain to them to even get them to a point where I could bring up IMDSv2 in me filing an issue against them.

[z0ph]

I agree with you, this issue surpasses the scope of this repository about IMDSv2. Thanks for taking the time to review this issue with minio.