Fixes for missing or bugs in the custom token STS docs (#1479)

djwfyi · web-flow · commit ef4faab6d8d0 · 2025-07-06T15:43:45.000-04:00
- Adds that `idmp-` string is added to `ROLE_ID` when generating an ARN
- Updates claims example in the plugin docs to be JSON instead of basic
comma-delimited key-value pairs
diff --git a/source/administration/identity-access-management/pluggable-authentication.rst b/source/administration/identity-access-management/pluggable-authentication.rst
@@ -75,7 +75,7 @@ The login flow for an application is as follows:
       {
          "user": "<string>",
          "maxValiditySeconds": 3600,
-         "claims": "KEY=VALUE,[KEY=VALUE,...]"
+         "claims": {"KEY": "VALUE", ...}
       }
 
    .. list-table::
@@ -90,7 +90,7 @@ The login flow for an application is as follows:
         - The maximum allowed expiry duration for the returned credentials
 
       * - ``claims``
-        - A list of key-value pair claims associated with the requested credentials.
+        - A JSON string of ``"key": "value"`` pair claims associated with the requested credentials.
           MinIO reserves and ignores the ``exp``, ``parent``, and ``sub`` claims objects if present.
 
 4. MinIO returns a response to the STS API request that includes temporary credentials for use with making authenticated requests.
diff --git a/source/developers/security-token-service/AssumeRoleWithCustomToken.rst b/source/developers/security-token-service/AssumeRoleWithCustomToken.rst
@@ -67,6 +67,9 @@ This endpoint supports the following query parameters:
 
        See :envvar:`MINIO_IDENTITY_PLUGIN_ROLE_ID` or :mc-conf:`identity_plugin role_id <identity_plugin.role_id>` for more information.
 
+       Note that MinIO automatically prepends ``idmp-`` to a configured ``ROLE_ID`` when generating the RoleArn.
+       Include that string with the ``ROLE_ID`` if required.
+
    * - ``DurationSeconds``
      - integer
      - *Optional*
diff --git a/source/includes/common-minio-external-auth.rst b/source/includes/common-minio-external-auth.rst
@@ -422,6 +422,7 @@ Specify a comma-separated list of MinIO :ref:`policies <minio-policy>` to assign
 .. start-minio-identity-management-role-id
 
 Specify a unique ID MinIO uses to generate an ARN for this identity manager.
+MinIO automatically adds an ``idmp-`` prefix to the specified ID when generating the ARN.
 
 If omitted, MinIO automatically generates the ID and prints the full ARN to the server log.
 

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ The login flow for an application is as follows:`
`75`	`75`	`{`
`76`	`76`	`"user": "<string>",`
`77`	`77`	`"maxValiditySeconds": 3600,`
`78`		`- "claims": "KEY=VALUE,[KEY=VALUE,...]"`
	`78`	`+ "claims": {"KEY": "VALUE", ...}`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`.. list-table::`
`@@ -90,7 +90,7 @@ The login flow for an application is as follows:`
`90`	`90`	`- The maximum allowed expiry duration for the returned credentials`
`91`	`91`
`92`	`92`	* - ``claims``
`93`		`- - A list of key-value pair claims associated with the requested credentials.`
	`93`	+ - A JSON string of ``"key": "value"`` pair claims associated with the requested credentials.
`94`	`94`	MinIO reserves and ignores the ``exp``, ``parent``, and ``sub`` claims objects if present.
`95`	`95`
`96`	`96`	`4. MinIO returns a response to the STS API request that includes temporary credentials for use with making authenticated requests.`