Mount S3 using AD credentials

What is the problem you are having with rclone?

Hello,

I have a multi-user environment with:

  • An Active Directory where all users are registered.
  • A Keycloak to manage OAuth2 with some web apps. It maps the users with the AD.
  • A Minio server that uses Keycloak for the authentication.
  • A Linux Server where the users are mapped with the AD. It contains the users' home directories, where I mount their own Minio bucket. Each user's credentials are stored in $HOME/.config/rclone/rclone.conf.
    Users never access the Linux server directly, they use web apps from where they can access their $HOME.

I'm looking for a way to mount the Minio bucket without writing the user credentials in $HOME/.config/rclone/rclone.conf. Is it possible that rclone automatically maps the user with its Keycloak session or with some link to the AD?
I also thought of encrypting the credentials, but I cannot ask the users to give the password to do the mount.

Thanks a lot for your help.

What is your rclone version (output from rclone version)

rclone version
rclone v1.56.0
- os/version: redhat 8.3 (64 bit)
- os/kernel: 4.18.0-240.el8.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.16.5
- go/linking: static
- go/tags: none

Which OS you are using and how many bits (eg Windows 7, 64 bit)

RHEL8.3 64bits

Which cloud storage system are you using? (eg Google Drive)

Minio 2021-04-06T23:11:00Z

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount default:mybucket /home/[user]/mybucket --poll-interval 0

The rclone config contents with secrets removed.

[default]
type = s3
provider = Minio
access_key_id = [USER]
secret_access_key = [PASSWORD]
endpoint = [ENDPOINT]
acl = private

What type of credentials do you get?

Assuming it is something like access_key_id, secret_access_key then you could configure rclone with environment variables to avoid them going in the rclone.conf. If you could script the credentials being fetched, set them as env vars and then launch rclone, that could work.
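As an added illustration of the env-var approach (this is example code, not something posted in the thread or shipped by rclone): rclone reads any config option from `RCLONE_CONFIG_<REMOTE>_<OPTION>`, so the key pair can be injected into the mount process's environment while rclone.conf keeps only the non-secret parts (type, provider, endpoint, acl). The script assumes a hypothetical `fetch_minio_creds` command that prints `ACCESS_KEY SECRET_KEY` on one line; the keys are read from stdin rather than passed as arguments so they never appear in `ps` output.

```shell
#!/bin/sh
# Added example: mount a Minio bucket with rclone using credentials injected
# via environment variables instead of being written to rclone.conf.
# Assumption: a hypothetical `fetch_minio_creds <user>` prints "AK SK" on
# one line. The remote section in rclone.conf holds no key material:
#   [default]
#   type = s3
#   provider = Minio
#   endpoint = https://minio.example.internal
#   acl = private

# Name of the env var rclone reads for option $2 of remote $1
# (rclone uppercases the remote name and the option name).
rclone_env_name() {
  remote_uc=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  option_uc=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  printf 'RCLONE_CONFIG_%s_%s' "$remote_uc" "$option_uc"
}

# Return 0 when the given rclone.conf contains no S3 key material.
# Run this in the provisioning script so a leaked secret in the file
# is caught before the mount is attempted.
config_has_no_secrets() {
  ! grep -Eq '^[[:space:]]*(access_key_id|secret_access_key)[[:space:]]*=' "$1"
}

# Read "ACCESS_KEY SECRET_KEY" from stdin, export them under the names
# rclone expects for remote $1, then mount bucket $2 at mountpoint $3.
# $4 is the path to the user's secret-free rclone.conf.
mount_with_env_creds() {
  remote=$1; bucket=$2; mnt=$3; conf=$4
  config_has_no_secrets "$conf" || {
    echo "refusing to mount: $conf contains key material" >&2
    return 1
  }
  # Read from stdin: argv is world-readable via /proc/<pid>/cmdline,
  # the environment is only readable by the same uid and root.
  IFS=' ' read -r ak sk || return 1
  export "$(rclone_env_name "$remote" access_key_id)=$ak"
  export "$(rclone_env_name "$remote" secret_access_key)=$sk"
  rclone mount "$remote:$bucket" "$mnt" \
    --config "$conf" --poll-interval 0 --daemon
}

# Usage (run as the user whose $HOME is being set up):
#   fetch_minio_creds "$USER" | \
#     mount_with_env_creds default mybucket "$HOME/mybucket" \
#       "$HOME/.config/rclone/rclone.conf"
```

This only removes the at-rest copy of the secret: the key pair still lives in the environment of the running rclone process (readable through `/proc/<pid>/environ` by that user and by root) for the lifetime of the mount, so the fetch step should hand out credentials scoped to that one user's bucket.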

Thank you for your answer.
I had missed the fact that you can generate "Service Accounts" from Minio and use them as access_key_id and secret_access_key. I can generate these Service Accounts when I create the users, then it works fine.

