Crate multistore_sts

OIDC/STS authentication for the S3 proxy gateway.

This crate implements the AssumeRoleWithWebIdentity STS API, allowing workloads like GitHub Actions to exchange OIDC tokens for temporary S3 credentials scoped to specific buckets and prefixes.

Integration

Register STS routes via route_handler::StsRouterExt:

// `Router` is assumed to be the web framework's router type (for example axum::Router);
// `config`, `jwks_cache` (a JwksCache) and `token_key` (a TokenKey) are built elsewhere.
use multistore_sts::route_handler::StsRouterExt;

let router = Router::new()
    .with_sts(config, jwks_cache, token_key);

Flow

  1. Client obtains a JWT from their OIDC provider (e.g., GitHub Actions ID token)
  2. Client calls AssumeRoleWithWebIdentity with the JWT and desired role
  3. This crate validates the JWT against the OIDC provider’s JWKS
  4. Checks trust policy (issuer, audience, subject conditions)
  5. Mints temporary credentials (AccessKeyId/SecretAccessKey/SessionToken)
  6. Returns credentials to the client

The client then uses these credentials to sign S3 requests normally.
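The trust-policy check of step 4, written out in isolation as an added example; it is not the crate's own code, and the policy shape (exact issuer, exact audience, glob-style subject patterns), the claim struct and the sample GitHub-style claim values are assumptions for illustration:

```rust
// Added example, not multistore_sts code. Assumes the JWT signature has already
// been verified against the provider's JWKS (step 3); this is the policy step only.

#[derive(Debug, PartialEq)]
pub enum TrustError { Expired, Issuer, Audience, Subject }

pub struct Claims {
    pub iss: String,
    pub aud: Vec<String>, // `aud` may be a single string or a list in the token
    pub sub: String,
    pub exp: u64,         // seconds since the Unix epoch
}

pub struct TrustPolicy {
    pub issuer: String,
    pub audience: String,
    pub subject_patterns: Vec<String>, // e.g. "repo:example-org/*:ref:refs/heads/main"
}

/// Glob match where `*` matches any run of characters (including none).
pub fn glob_match(pattern: &str, text: &str) -> bool {
    match pattern.find('*') {
        None => pattern == text,
        Some(i) => {
            let (head, rest) = (&pattern[..i], &pattern[i + 1..]);
            if !text.starts_with(head) { return false; }
            let tail = &text[head.len()..];
            // Try every char boundary as the end of the `*` span.
            (0..=tail.len())
                .filter(|&k| tail.is_char_boundary(k))
                .any(|k| glob_match(rest, &tail[k..]))
        }
    }
}

/// Evaluate the policy against already signature-verified claims.
/// Expiry is checked first so an expired token never passes on subject alone.
pub fn evaluate(policy: &TrustPolicy, claims: &Claims, now: u64) -> Result<(), TrustError> {
    if claims.exp <= now { return Err(TrustError::Expired); }
    if claims.iss != policy.issuer { return Err(TrustError::Issuer); }
    // At least one audience entry must name this STS endpoint exactly.
    if !claims.aud.iter().any(|a| a == &policy.audience) { return Err(TrustError::Audience); }
    // Subject conditions bind the role to specific repos/refs; a pattern with
    // `*` in the ref position would also admit feature branches and pull requests.
    if !policy.subject_patterns.iter().any(|p| glob_match(p, &claims.sub)) {
        return Err(TrustError::Subject);
    }
    Ok(())
}
```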

Re-exports

pub use jwks::JwksCache;
pub use request::try_parse_sts_request;
pub use responses::build_sts_error_response;
pub use responses::build_sts_response;
pub use sealed_token::TokenKey;

Modules

jwks
JWKS fetching and JWT verification.
request
STS request parsing.
responses
STS XML response serialization.
route_handler
Route handler for STS AssumeRoleWithWebIdentity requests.
sealed_token
Self-contained encrypted session tokens using AES-256-GCM.
sts
STS credential minting.

Functions

assume_role_with_web_identity
Validate an OIDC token and mint temporary credentials.
try_handle_sts
Try to handle an STS request. Returns Some((status, xml)) if the query contained an STS action, or None if it wasn’t an STS request.