How to request temporary STS tokens for RustFS using HashiCorp Vault AWS secrets engine?

[makhomed]

HashiCorp Vault AWS secrets engine provides four methods for generating dynamic creds:

1. iam_user - not working with RustFS, because many required iam methods not implemented in the RustFS.

2. federation_token - not working, because sts:GetFederationToken not implemented in the RustFS.

3. session_token - not working, because sts:GetSessionToken not implemented in the RustFS.

4. session_token - also not working, because HashiCorp Vault AWS secrets engine using aws go sdk and this code of vault AWS secrets engine fails with error:

# vault read aws/sts/test

Error reading aws/sts/test: Error making API request.

URL: GET http://127.0.0.1:8200/v1/aws/sts/test
Code: 400. Errors:

* could not obtain sts client

source code of `could not obtain sts client` Vault AWS secrets engine generating this error

file: https://github.com/hashicorp/vault/blob/main/builtin/logical/aws/client.go#L263

package aws

import (
        "context"
        "errors"
        "fmt"
        "os"
        "strconv"
        "time"

        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
        "github.com/aws/aws-sdk-go/aws/session"
        "github.com/aws/aws-sdk-go/service/iam"
        "github.com/aws/aws-sdk-go/service/sts"
        "github.com/hashicorp/go-cleanhttp"
        "github.com/hashicorp/go-hclog"
        "github.com/hashicorp/go-secure-stdlib/awsutil"
        "github.com/hashicorp/vault/helper/namespace"
        "github.com/hashicorp/vault/sdk/helper/pluginutil"
        "github.com/hashicorp/vault/sdk/logical"
)

// [...]

func (b *backend) nonCachedClientSTS(ctx context.Context, s logical.Storage, logger hclog.Logger) (*sts.STS, error) {
        awsConfig, err := b.getRootSTSConfigs(ctx, s, logger)
        if err != nil {
                return nil, err
        }

        var client *sts.STS

        for _, cfg := range awsConfig {
                sess, err := session.NewSession(cfg)
                if err != nil {
                        return nil, err
                }
                client = sts.New(sess)
                if client == nil {
                        return nil, fmt.Errorf("could not obtain sts client")
                }

                // ping the client - we only care about errors
                _, err = client.GetCallerIdentity(&sts.GetCallerIdentityInput{})
                if err == nil {
                        return client, nil
                } else {
                        b.Logger().Debug("couldn't connect with config trying next", "failed endpoint", *cfg.Endpoint, "failed region", *cfg.Region)
                }
        }

        return nil, fmt.Errorf("could not obtain sts client")
}

sts.New(sess) fron aws go sdk try to call Action=GetCallerIdentity and RustFS return 400 Bad Request status with content-type: application/xml message <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><Message>not support action</Message></Error>.

but using aws cli from https://pypi.org/project/awscli/ works without any problems:

RustFS STS Client Example (aws cli)

# aws --version
aws-cli/1.44.34 Python/3.12.12 Linux/6.12.0-124.29.1.el10_1.x86_64 botocore/1.42.44

export AWS_DEFAULT_REGION=us-east-1

aws --endpoint-url "http://127.0.0.1:9000" \
  sts assume-role \
  --role-arn "arn:aws:iam::123456789012:role/tenant-123" \
  --role-session-name "poc-tenant-123" \
  --duration-seconds 900

{
    "Credentials": {
        "AccessKeyId": "0S5O65ZZ71J87OK97RJG",
        "SecretAccessKey": "u_3UHCXUAL9UaSiYO14xbgoJmXVeDg88Gz03K4XF",
        "SessionToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJwYXJlbnQiOiJydXN0ZnNhZG1pbiIsImV4cCI6MTc3MDQxNjE1M30.CtHTMh6VgACaBLt3SCYOizock5cFwRpja3PqzwbU9j1yRCnQdiHX4EMS1cgl3H-uLWNu9wHbGjWs2e28cRHFcA",
        "Expiration": "2026-02-06T22:15:53.000Z"
    }
}

also in message https://github.com/orgs/rustfs/discussions/1125 contains working code how to obtain dynamic creds using sts:AssumeRole method:

RustFS STS Client Example (boto3)

=== RustFS STS Client Example (boto3) ===
1. Assuming role via STS...
Successfully assumed role
sts_response:  {'Credentials': {'AccessKeyId': 'MYEIFYENOFBEOYOIOFBV', 'SecretAccessKey': 'vGrxLFpsP8AGUNShT415_6Oy_U-U5u-Q2yvYuDnJ', 'SessionToken': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJleHAiOjE3NzA0MTkzMTMsInBhcmVudCI6InJ1c3Rmc2FkbWluIn0.u1U8NP6jWAK05i4xVEe4rtwv_Ra2qevsaHcxNMxeJD6F7by07TW_rySQOwNW3BpRbCXQH9RFOb6X5hUbOqdBXQ', 'Expiration': datetime.datetime(2026, 2, 6, 23, 8, 33, tzinfo=tzlocal())}, 'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {'x-request-id': '73dd0d3c-57d1-4e66-a4ff-2c5a39141da5', 'content-length': '534', 'date': 'Fri, 06 Feb 2026 22:08:33 GMT'}, 'RetryAttempts': 0}}

2. Listing objects in bucket with temporary credentials...
Found 0 objects:

=== Script completed successfully ===

Is it possible to implement sts:GetCallerIdentity method on the RustFS side, to make Vault AWS secrets engine working with RustFS and generating dynamic creds for working with RustFS ?

@loverustfs
@GatewayJ

or some other workarounds exists, how to use HashiCorp Vault AWS secrets engine with RustFS ?

or any alternatives, what to use instead of HashiCorp Vault AWS secrets engine to obtain dynamic creds for RustFS ?

UPD.

P.S.

Static roles method as described in HashiCorp Vault AWS secrets engine documentation also not work, RustFS return xml with <Error><Code>NotImplemented</Code><Message>unknown service</Message></Error>

So, all available in HashiCorp Vault AWS secrets engine methods are tested, but nothing work right now with current RustFS version 1.0.0-alpha.82.

[GatewayJ]

What reasons led you to use the Vault AWS secrets engine？
At present, more effort has been put into ensuring the completeness of the S3 protocol, rather than working on tasks such as OIDC。
We will consider this aspect as soon as possible and welcome your feedback. We can discuss whether there are other ways to solve your problem