Description
Kubernetes Storage Special-Interest-Group (SIG) Object Bucket API Standup Meeting - 12 April 2021
Meeting Notes/Agenda: -
Find out more about the Storage SIG here: https://github.com/kubernetes/community/tree/master/sig-storage
A: So I think we should continue where we left off last week. We were talking about credential rotation, and we're still trying to figure out whether it's needed to begin with, and if so, how we are going to do it.
A: So I went and looked at three main cloud products: Google Cloud, Amazon AWS and Azure, and I tried to see how they provision and work with access keys and how they recommend key rotation.
A: That being said, you can still rotate them either manually, where you create a new one and delete the old one after your applications have been given the new set of keys, or a second way, which is using a key management service like Vault, where Vault works with whichever cloud you're on (Amazon, Google or Azure) to create new keys, and Vault assumes the role of your service account.
A: So Vault is a trusted service here. Vault assumes the role of whichever IAM user it is, a service account or an actual user, and talks on your behalf and gets the keys, and then encrypts them and stores them within the Vault database. But someone still has to pull those back out, right? So, yeah.
A: So every client, you know, is configured to work with KMS systems, so the client needs to authenticate itself with Vault, and then Vault gives you the keys that you need to talk to S3 or Azure or Google Cloud. Well, that's if...
A: Okay, now you could write a client yourself which does not have it. Yes. However, that's what I've... that's...
B: No, no, no, because this all affects the downward-facing API, right? In the mode where you're using Vault, you don't give the pod the access key and the secret; you instead give it some pointer to a Vault thing, and that's what it consumes. So the idea is, if the pod or the user, the workload, asks for a bucket with the S3-plus-Vault protocol, then they'll get something different when they're workloading.
A: So far, what we've been saying is that we have a copy of the keys in our Secret object, so we pass the keys along to the workload, and rotation also has to be handled by us. That's kind of how we've been going so far. Well...
D: Where is this? Oh, here.
A: Okay, so whenever we create our AWS service account, for this service account we can allow it to change its own access keys.
A: We don't need to give it the rest of these things, and we give users something to give, but we can allow it to change the access keys or rotate itself, and again, AWS SDK clients already know how to do this, just by default.
B: If they have a service account that can authenticate to S3, yeah, AWS, then we can control it. But I mean, no, no. I think this is important: in the model we've created with COSI, you don't have that, right? The only thing that has that is the COSI driver, and the only thing the COSI driver delegates to the workload is the access key and the secret, right? And because we wanted to be in the middle of this process, right, if you want to just give the pod the...
A: We want to manage bucket lifecycles. Your workload can do it, sharing everything; however, rotation alone could be something workloads do. We could say, okay, so maybe we could say whatever access token we provide through COSI, and I'll tell you why I'm thinking like this, the access token we provide through COSI is only good enough...
A: It doesn't actually help you talk to the backend itself, but it does allow you to create access keys and secret keys for that specific account. That's something that it lets you do, or for that particular bucket, and so whatever we store...
A: We have the same thing in Azure. We have the same thing in Google Cloud also. But do the APIs look identical?
B: Yeah, that's what I'm getting at. An application, to perform this function, needs to know what the provider is. It's no longer portable to any S3 implementation. If you want this functionality, you're stepping outside of COSI and basically saying, you know what, I'm doing it all myself, because I know I'm talking to Amazon or I know I'm talking to Google, and...
A: Yeah, I know where you're coming from. Yes, I don't think, you know, offloading some of our responsibility to the workloads... It's almost like, what's the point of COSI at that point? Well, for...
A: If you look at who knows exactly when to expire the credential, it's the workload. If you go ahead and delete a credential prematurely and the workload's still using it, then the workload stops getting access to the data. Now, if you... it's...
F: No, no, but I mean, do you know of any, let's say, open source software that includes rotation within its workload code?
A: Go ahead! Sorry, so to answer your question: are there any workloads that do key rotation? I know that customers of mine, MinIO, who basically have data on the cloud and they're moving it to their own prem or doing the other way, they do credential...
A: Yes, the application logic itself doesn't deal with that at all, but credential providers do. So what is doing it?
A: This, I mean, getting into the details, maybe not, but I know where you're coming from. I agree. Yeah, yeah, it just...
F: Right, it seems like you're saying that this is functionality that is included within the workload's code, because the SDK supports it, right? Perfect. No, that's good! It's a good beginning! I mean, now I understand more about what you're saying. So you're saying that if I work with this and I configure it correctly, then I get rotation out of the box just using the S3 SDK, right? And then there's an important reason I brought it up. It's important: where's the policy, by the way? When to rotate, how much to rotate, whatever.
A: You know, it comes with... every provider comes with an expiry. Let me pull it up.
A: ...have the same concept, they have the concept of the expiry. However, again, before we get into this, right, it doesn't matter. I'll tell you the reason I brought up the other one: it's because, at least it seems to me, and correct me if I'm wrong, it seems to me that the best place to initiate the rotation is from the workload side. And they don't have to do it, but...
F: You know, the configuration and all of that, like the control, right, it's mainly just the user application saying, do this for me, to...
B: So I like this example, because I can see a future where, if we put the right APIs into COSI, Spark could develop the integration to just talk to COSI and make the right thing happen. Exactly, that's what I'm getting at, yeah, okay, yeah, yeah! So that's what I was going to sort of push forward too: we need some sort of primitive that says, I would like to rotate my key, or...
B: ...the key that you've given me will naturally expire, so I can ask for the next one. But the implementation of actually deleting the old key and adding the new one has to be somewhere in the middle, either at the COSI layer or at the driver layer, and we've been...
B: ...better to do it down in the driver layer. Yeah, I think that still stands. Okay, so I think I agree with that, but I don't want to give up the thread on this Vault thing, because you said that this is, like, widely supported and used. Yeah, Vault is very important.
A: Actually, it's used for two things. So you can do object-level encryption, where every object gets its own encryption key, or you can do access... you know, client-side encryption, to access...
A: No, no, I don't think so. I'll tell you why: that's completely a function of the driver and the backend, the provisioning workflow and the accessing workflow. Again, even the rotation, maybe we initiate the rotation from COSI. However, at the end of the day, you provide credentials the same way, and it's just that the client is configured to access the backend in a slightly different way. And then again, every client knows how to work with, what, single sign-on, simple token server... this is process currency and what that is.
F: But the question is: are you saying that we are going down a path where COSI has an SDK inside the workload? Oh, definitely, right, and then we can include rotation in there, or even configurations which come directly from the driver, or through COSI, basically to the pod, and the SDK is the consumer of it and not really the workload itself, and...
A: SDK is a problem, to be honest, because how many languages are we going to write the SDK in? So, yeah, we'll have to think that through. So anyway, the first thing is, for alpha or even v1...
A: We can actually go with simple credentials like access token, secret token, but this is something we have to support down the line. I can... you know, every customer we have wants to... you know, they deploy KMS most of the time, so...
B: ...the API is defined in such a way that you're going to get a few well-known parameters. You know: here's the bucket name, here's the endpoint name, here's the access key, here's the secret, yada yada down the line. And then in the future we say: oh well, now you're going to use Vault to get your keys.
B: Vault requires... like, how do you talk to Vault? Do you need an IP address? Do you need a certificate? What do you need to talk to it? Okay, whatever you do need, we're on the hook for providing.
A: Okay, so this is where a certain kind of keyboard applies to, you know, all kinds of keys using Vault, so...
A: Okay, so what is it? It's an encrypted database that stores your keys for you. They can be encryption keys, access tokens, any kind of secret.
B: So if I'm a Kubernetes admin, I have my own instance of Vault that I am maintaining, yes, and that I have pointed my COSI drivers to, saying, use this. So then the only way that a workload could ever find out about it is if we provided the details of my instance of Vault directly to the pod. Yes, so these are...
F: We can also get the keys from Vault to the volume, I mean to the pod, if that's the integration needed. I mean, I think, if we're trying to add more plugins into COSI this way, so that it supports more features, it doesn't mean that we have to change the downward-facing API. It's just...
B: I actually like all these. I think this is a great future thing to add, right? I just want to make sure that we add it in a way where, like, if I wrote my... let's say we weren't going alpha, beta, GA. Let's say it was v1, v2, v3, and so we're working on v1 right now, and if somebody consumes v1 and then we add v2 with more stuff, there should be a path to basically say, migration: I need v1 support.
B: Right, but how you do that... I mean, this is the handshake between Kubernetes and the workload: these are the details you need to talk to your bucket. And if we at some point stop including the access key and secret key and instead give you a pointer to a Vault server where you can go get them, now my application has to change to consume that. So it's there.
G: There is a... there was a pod series controlling feature that actually...
G: There is a feature called a part...
G: ...token that actually has integration with Vault. Other than that, there is a Secrets Store CSI driver.
F: I'm not saying... like, no, you don't. No, you don't have to. Why? It really depends on how your application consumes the key. The key can be a file, right, for that same matter, right? And Vault is just invisible; you just have your file appear in the pod for your workload. It's not that...
B: It has no... but this is where I think we're getting confused. There is no KMS in S3. S3 is an HTTP protocol with some GETs and some PUTs and some special headers, and that's it, that's what S3 is. The moment you say you must talk to this KMS server, you're not talking S3 anymore, you're talking a new protocol. I see, right, now you're saying that we're actually enforcing KMS, even though it didn't...
A: We've designed our APIs as if... you know, we talked about two forms of authentication: one is tokens, access keys and secret keys, and the other was IAM. We just kind of said IAM, and it was a black box. All this... well, that IAM, what we assumed was there's going to be some way to associate a particular pod with a particular service account, yeah. That's where this comes in: we're associating a particular pod with a particular account, where, you know, in Vault and...
A: Yeah, yeah, so MinIO has it, Ceph has it. So the idea is, if you don't have all the integration, then you can't do this form of authentication. It's like saying... access...
B: ...say LDAP, then, you know... So if I write, like, Ben's COSI implementation that just does S3 and not Vault, and you take your workload that expects to use Vault, and you create a BucketClass that says, you know, use the Vault integration, and then you create a bucket, and then it comes to my COSI driver. My COSI driver says, I don't know how to do that. Then cell display, all right. Okay.
A: So any client that runs in the cloud always uses its credential chain rather than a single credential method. What that means is it first looks for environment variables. Then it looks for, you know, if it's running on a particular cloud resource like an EC2 instance or RDS or whatever. Then it looks for other forms of access like credential files. And so it's always a chain; it's never a single methodology, unless you hard-coded it, like, you have to go out of your way to make it that way.
B: You're talking about the widely available SDKs for S3, right? Right, right, okay. So, but again, do we want to require that somebody uses one of the widely available SDKs, or do we just want to say we support S3, period, with or without an SDK? But what I'm worried about is that we're slipping in secret requirements here. So let me...
B: ...is by doing a bunch of cryptographic calculations and sticking some HTTP headers in there.
F: ...requests. The authentication is, when you send the request, you have an Authorization header or something like a signed request, right? And the request is self-signed, and then the only connection that you have in the request itself is the access key, where you can then have in your system an IAM to represent that, or use any public IAM for that. But the IAM itself is not part of S3. It's not needed for the signature itself, the authentication to that specific identity. But that's...
A: Yeah, signatures for objects themselves. So the signature changes per request, say, based on whatever your object path is, but the signature is not authentication or authorization.
A: The signature just ensures that you, who signed the signature, are actually authorized, or are actually the same person that's supposed to... you know, or not even...
B: So, okay, I'm good, but I was going to say: that's all that you have to do to claim S3 compatibility. Anything else is SDK magic to make your life easier, but I didn't think we were going to require someone to have any of that magic. I thought we were just going to say: look, these are the basic inputs you need to do the S3 thing, and the rest of it, you know, you're on your own. Okay.
A: Okay, I like that too. That's where we should be. So we got into KMS just now because KMS is something people use, and I'll tell you the real reason people use KMS: it's not for credential rotation. They use it for encryption, server-side encryption and also client-side encryption.
A: So for server-side encryption, a client just uploads an object; it doesn't know if there's encryption or not. But for each object, the server talks to the KMS and gets a new key for that object. So it's a different key for each object: it gets a new key, uses that to encrypt, and then responds to the client saying it's written. So for the client it's transparent, but on the server side every object is encrypted.
A: So for server side, we don't do anything; it's completely transparent to the client. It doesn't even have to know whether it's encrypted or not on the other side. But for client side, the server doesn't have to know about it. For client side, the client talks to Vault, gets a key, uses that to encrypt the object and puts it there. So for this...
A: ...that the client has to know, yes. For that, Vault has to know the backend S3. Yes.
B: All the end-to-end handshaking to see if Vault is going to work or not, right?
A: It needs to be worked out or agreed, but even before we go, I think that's something that we do post-alpha. We can start working on it now, but we start implementing post-alpha. But even before that, we have to go back to this question: so, we've been talking about KMS-based authentication.
B: But I thought that the direction you were going with all of this was that, if you want rotation, the right way to get it is through Vault. Yeah, that's my inclination, to be honest. Yeah, and then we could say, if you don't support Vault you're just SOL, and you can have one access key and one secret for the lifetime of your workload and that's it. Yeah, and we just don't offer rotation unless you go with this better way. Yeah, yeah, yeah!
B: So, if I'm trying to invent a new S3 implementation, then I have to find a way to make Vault talk to my thing, either by faking one of the existing APIs or by... I don't know what you could do. Can you...
A: So in the downward API we should clearly say: this uses Vault, or this uses just manual keys, access keys and secret keys. And let's...
B: ...say, yeah, I think we're agreed on that. There's no disagreement about that. The problem is a COSI implementer who wants to write a new driver for, like... and just full disclosure, I don't know what NetApp does here. I know NetApp wants to have COSI drivers. I have no idea how we do rotation, but I'm pretty sure that Vault doesn't have a native integration with NetApp's S3 implementation, right? So what I'm trying to figure out is, when NetApp wants to write their S3-compatible...
A: So you're saying we're hard-coding it to Vault. So rather than Vault, KMS is the actual integration. So I believe there's a standard KMS protocol, because I know within MinIO we just support KMS. Most of the people end up deploying Vault, but our integration is a KMS API. I have to find out what it is.
B: And at that point, are we adding a lot of value if the whole function of the credential minting has been sort of offloaded onto the KMS? What function is COSI providing at that point? It's saying, I create my BAR and I get something in response to that, but the something I get is just basically a promise that I'm going to be able to talk to a KMS to get the actual key.
A: So the application, again, it's all from the SDK. The SDK does it: the SDK uses KMS to get the latest set of keys, or the SDK uses the KMS to encrypt whatever object it writes to the backend. Encryption is not something we have to talk about right now. Go ahead.
B: But furthermore, when the application gets the keys, the thing it gets them from has to put the keys on the actual server, or talk to the actual server to get the keys from it to put into the... so you mean the storage system? The storage, yeah. The storage system has to agree with the KMS on what the key is, and I don't know if that's a push or a pull or something talking on the side to both, right? Yeah. So...
A: ...service, yeah. So this always comes with an expiry. This is unlike access keys and secret keys.
H: Look at the link I posted in the chat. This is a new... it's a triplet of access key, secret key, token, right?
H: Yeah, so it's interesting why they introduced the session token instead of just making the secret key temporary, right? But I think it's because they wanted to make a clear cut between what they call the static applications and the dynamic applications.
H: So if you use a token, basically it means you have an expiration time.
B: How do you get to... how does the token figure into the signature algorithm?
A: Yeah, every SDK supports it. You know, I think I was even showing it earlier. So if you see here, I'll show you: static provider, access key, secret key and token. Yep, so...
H: So for me, when you... because I actually wrote a COSI driver already.
H: Yeah, it's working, you know, so it's working with account codes.
H: So today we return basically the access key and secret key inside a file; actually, a temporary volume is mounted inside the pod, and then the application can consume it just like it was a special Amazon credentials file, for instance.
H: So this part would work, I mean, in a very straightforward way, but then who would do the refresh? Yeah, that's the point. Last time, I don't know if you were here, but we discussed that probably those keys are going to be used for at least one day, or a couple of hours, one day, one week, a month, and designing a system which basically refreshes keys every minute is not the goal, I think. So ideally, yeah, good.
H: I mean, I may be wrong, but ideally, in your deployment file you would typically say, I need a key for one month, because I've got a project, like a big data project, for one month, and please give me the three: access key, secret key, token, or whatever the equivalent is in the cloud you use. You use the system...
H: You use your application, work for one month, and suddenly you need more time because, let's say, the project needs one more month to work on. So it's a bit stupid to destroy the deployment and redeploy.
A: Right, so, if you see the API I've shown right here: first of all, the token itself is generated by the SDK, the client SDK. The application SDK, as written here, and then the refresh also is called by the client.
A: So the SDK... when you start, in your credential chain you'll also put, you know, the STS session credentials provider along with the others, whatever you have. And then when you call that credentials provider, you also set the default duration seconds, or how long this is supposed to be active, and based on whatever you've set, it'll automatically go refresh it.
H: No, because this is a cooked... you know, it's not really native. The truth is you can't really refresh it, yeah? No, but it's some convenience code that does it behind your back. I see. But in fact the only way to refresh is to generate a new one, right? But you'll find, for instance, in some Python libraries and stuff, convenience code to do that behind your back for you, transparently, right? But in fact, I'm pretty sure you cannot refresh your token.
H: Yeah, you see, if you use a convenience API...
H: Typically, there are plenty, boto3, Python stuff like that: they monitor the expiration time, and when it's about to expire they generate a new token behind your back, and they make sure the application can transparently access. But...
B: ...actually refresh. But how do they get access to generate a new one? Don't they need another credential?
H: Assume role, you know, in Amazon, actually.
A: Yeah, yeah, so let me ask you this. So if I have an access key and secret key... so this is the boto class you're talking about, this is the go-to class, so you can use the access key and secret key to create a token and you set the expiry time on it, and the boto3 client, so it uses the assume role request. So what is the assume role request?
H: Instead of giving you static credentials to perform action policies, you simply establish a trust relationship. So we trust you enough to recognize you, and we give you a temporary policy to perform the actions, but it can potentially be revoked, especially if the action policy changes over time or if you're not part of the organization anymore. So the first time you call assume role, you come with your actual existing credentials, your static access key, or it may also come from a third party, so typically SAML or OIDC or another level of trust establishment.
H: There are at least three or four flavors. You have assume role with web identity; typically, you come with your OIDC identity. You have...
H: SAML, you have SAML, you come with an external identity.
B: You mean it... but if you don't mind, I want to interrupt and make a time check, because I have a meeting at the top of the hour.
B: So this is all... I mean, I like where this is going, but I want to keep our eye on the goal of what we need to get for alpha. The thing that makes me nervous about this whole discussion is that it feels like we're sneaking in more and more requirements on things that are not actually S3. So I just want to make sure that we're careful: we have a mode that just works with S3, and then we have special extensions, and this feels like a great example of an extension we really do want to implement, and we just have to think about how do we...
B: How does it work without the extension, and then what additional requirements are there if you want to support this extension, and are those reasonable requirements to impose on applications and on storage systems and on drivers, and all the different layers? So we should have a specific discussion about this particular extension, but I don't want to tangle up the basic, you know, how do we do BARs and BAs, with this necessarily.
F: And isn't it just easier to have something in the SDK in the workload to just reload this from the volume, and that's it? I mean, are we really trying to make all of these pods really have a refresh policy other than reloading a file? Is that... does this...
B: I like the idea of the COSI driver actually doing all of this heavy lifting and refreshing your keys, and just having a way for the containers to know when it's time for them to go reload their credentials. This is where... this is the timestamp, and this is the expiry: you just reload when the timestamp expires, and that would be another way to do it. I...
H: I think what is required, and what would be great, is simply to have a new method in COSI to ask the driver to do, as you said, the heavy lifting and refresh and all, but give the driver the possibility to force a refresh of the volume inside the pods.
B: Why? I thought maybe BAs were write-once kind of objects, where you populate them and then you can't change them, because that's how a lot of things are. If the intention is BAs are write-many, where you can write to them and write to them and write to them, and every time you write to them the node adapter reads it and updates everything that needs to be updated, maybe that's a working model, and I like that. If...
F: ...it's not. So the point is, I think, if it's not, then we cannot deliver changed information through a volume to a running pod. We will have to, you know, take down the pod and then have it mount a different BAR.
A: I agree. Let's continue on Thursday. If you can go back and look at how... you know, Ben, look at how NetApp does it; Guy, look at how NooBaa or Ceph does it. That would be really useful for the next discussion.