20 files changed, 2662 insertions, 0 deletions
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/assume_role.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/assume_role.go
new file mode 100644
index 0000000..800c4a2
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/assume_role.go
@@ -0,0 +1,242 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bytes"
+        "crypto/sha256"
+        "encoding/hex"
+        "encoding/xml"
+        "errors"
+        "io"
+        "net/http"
+        "net/url"
+        "strconv"
+        "strings"
+        "time"
+        "github.com/minio/minio-go/v7/pkg/signer"
+)
+// AssumeRoleResponse contains the result of successful AssumeRole request.
+type AssumeRoleResponse struct {
+        XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleResponse" json:"-"`
+        Result           AssumeRoleResult `xml:"AssumeRoleResult"`
+        ResponseMetadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
+// AssumeRoleResult - Contains the response to a successful AssumeRole
+// request, including temporary credentials that can be used to make
+// MinIO API requests.
+type AssumeRoleResult struct {
+        // The identifiers for the temporary security credentials that the operation
+        // returns.
+        AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
+        // The temporary security credentials, which include an access key ID, a secret
+        // access key, and a security (or session) token.
+        //
+        // Note: The size of the security token that STS APIs return is not fixed. We
+        // strongly recommend that you make no assumptions about the maximum size. As
+        // of this writing, the typical size is less than 4096 bytes, but that can vary.
+        // Also, future updates to AWS might require larger sizes.
+        Credentials struct {
+                AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+                SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+                Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+                SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+        } `xml:",omitempty"`
+        // A percentage value that indicates the size of the policy in packed form.
+        // The service rejects any policy with a packed size greater than 100 percent,
+        // which means the policy exceeded the allowed space.
+        PackedPolicySize int `xml:",omitempty"`
+}
+// A STSAssumeRole retrieves credentials from MinIO service, and keeps track if
+// those credentials are expired.
+type STSAssumeRole struct {
+        Expiry
+        // Required http Client to use when connecting to MinIO STS service.
+        Client *http.Client
+        // STS endpoint to fetch STS credentials.
+        STSEndpoint string
+        // various options for this request.
+        Options STSAssumeRoleOptions
+}
+// STSAssumeRoleOptions collection of various input options
+// to obtain AssumeRole credentials.
+type STSAssumeRoleOptions struct {
+        // Mandatory inputs.
+        AccessKey string
+        SecretKey string
+        SessionToken string // Optional if the first request is made with temporary credentials.
+        Policy       string // Optional to assign a policy to the assumed role
+        Location        string // Optional commonly needed with AWS STS.
+        DurationSeconds int    // Optional defaults to 1 hour.
+        // Optional only valid if using with AWS STS
+        RoleARN         string
+        RoleSessionName string
+        ExternalID      string
+}
+// NewSTSAssumeRole returns a pointer to a new
+// Credentials object wrapping the STSAssumeRole.
+func NewSTSAssumeRole(stsEndpoint string, opts STSAssumeRoleOptions) (*Credentials, error) {
+        if stsEndpoint == "" {
+                return nil, errors.New("STS endpoint cannot be empty")
+        }
+        if opts.AccessKey == "" || opts.SecretKey == "" {
+                return nil, errors.New("AssumeRole credentials access/secretkey is mandatory")
+        }
+        return New(&STSAssumeRole{
+                Client: &http.Client{
+                        Transport: http.DefaultTransport,
+                },
+                STSEndpoint: stsEndpoint,
+                Options:     opts,
+        }), nil
+}
+const defaultDurationSeconds = 3600
+// closeResponse close non nil response with any response Body.
+// convenient wrapper to drain any remaining data on response body.
+//
+// Subsequently this allows golang http RoundTripper
+// to re-use the same connection for future requests.
+func closeResponse(resp *http.Response) {
+        // Callers should close resp.Body when done reading from it.
+        // If resp.Body is not closed, the Client's underlying RoundTripper
+        // (typically Transport) may not be able to re-use a persistent TCP
+        // connection to the server for a subsequent "keep-alive" request.
+        if resp != nil && resp.Body != nil {
+                // Drain any remaining Body and then close the connection.
+                // Without this closing connection would disallow re-using
+                // the same connection for future uses.
+                //  - http://stackoverflow.com/a/17961593/4465767
+                io.Copy(io.Discard, resp.Body)
+                resp.Body.Close()
+        }
+}
+func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssumeRoleOptions) (AssumeRoleResponse, error) {
+        v := url.Values{}
+        v.Set("Action", "AssumeRole")
+        v.Set("Version", STSVersion)
+        if opts.RoleARN != "" {
+                v.Set("RoleArn", opts.RoleARN)
+        }
+        if opts.RoleSessionName != "" {
+                v.Set("RoleSessionName", opts.RoleSessionName)
+        }
+        if opts.DurationSeconds > defaultDurationSeconds {
+                v.Set("DurationSeconds", strconv.Itoa(opts.DurationSeconds))
+        } else {
+                v.Set("DurationSeconds", strconv.Itoa(defaultDurationSeconds))
+        }
+        if opts.Policy != "" {
+                v.Set("Policy", opts.Policy)
+        }
+        if opts.ExternalID != "" {
+                v.Set("ExternalId", opts.ExternalID)
+        }
+        u, err := url.Parse(endpoint)
+        if err != nil {
+                return AssumeRoleResponse{}, err
+        }
+        u.Path = "/"
+        postBody := strings.NewReader(v.Encode())
+        hash := sha256.New()
+        if _, err = io.Copy(hash, postBody); err != nil {
+                return AssumeRoleResponse{}, err
+        }
+        postBody.Seek(0, 0)
+        req, err := http.NewRequest(http.MethodPost, u.String(), postBody)
+        if err != nil {
+                return AssumeRoleResponse{}, err
+        }
+        req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+        req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(hash.Sum(nil)))
+        if opts.SessionToken != "" {
+                req.Header.Set("X-Amz-Security-Token", opts.SessionToken)
+        }
+        req = signer.SignV4STS(*req, opts.AccessKey, opts.SecretKey, opts.Location)
+        resp, err := clnt.Do(req)
+        if err != nil {
+                return AssumeRoleResponse{}, err
+        }
+        defer closeResponse(resp)
+        if resp.StatusCode != http.StatusOK {
+                var errResp ErrorResponse
+                buf, err := io.ReadAll(resp.Body)
+                if err != nil {
+                        return AssumeRoleResponse{}, err
+                }
+                _, err = xmlDecodeAndBody(bytes.NewReader(buf), &errResp)
+                if err != nil {
+                        var s3Err Error
+                        if _, err = xmlDecodeAndBody(bytes.NewReader(buf), &s3Err); err != nil {
+                                return AssumeRoleResponse{}, err
+                        }
+                        errResp.RequestID = s3Err.RequestID
+                        errResp.STSError.Code = s3Err.Code
+                        errResp.STSError.Message = s3Err.Message
+                }
+                return AssumeRoleResponse{}, errResp
+        }
+        a := AssumeRoleResponse{}
+        if _, err = xmlDecodeAndBody(resp.Body, &a); err != nil {
+                return AssumeRoleResponse{}, err
+        }
+        return a, nil
+}
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSAssumeRole) Retrieve() (Value, error) {
+        a, err := getAssumeRoleCredentials(m.Client, m.STSEndpoint, m.Options)
+        if err != nil {
+                return Value{}, err
+        }
+        // Expiry window is set to 10secs.
+        m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     a.Result.Credentials.AccessKey,
+                SecretAccessKey: a.Result.Credentials.SecretKey,
+                SessionToken:    a.Result.Credentials.SessionToken,
+                SignerType:      SignatureV4,
+        }, nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/chain.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/chain.go
new file mode 100644
index 0000000..ddccfb1
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/chain.go
@@ -0,0 +1,88 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+// A Chain will search for a provider which returns credentials
+// and cache that provider until Retrieve is called again.
+//
+// The Chain provides a way of chaining multiple providers together
+// which will pick the first available using priority order of the
+// Providers in the list.
+//
+// If none of the Providers retrieve valid credentials Value, ChainProvider's
+// Retrieve() will return the no credentials value.
+//
+// If a Provider is found which returns valid credentials Value ChainProvider
+// will cache that Provider for all calls to IsExpired(), until Retrieve is
+// called again after IsExpired() is true.
+//
+//      creds := credentials.NewChainCredentials(
+//          []credentials.Provider{
+//              &credentials.EnvAWSS3{},
+//              &credentials.EnvMinio{},
+//          })
+//
+//      // Usage of ChainCredentials.
+//      mc, err := minio.NewWithCredentials(endpoint, creds, secure, "us-east-1")
+//      if err != nil {
+//           log.Fatalln(err)
+//      }
+type Chain struct {
+        Providers []Provider
+        curr      Provider
+}
+// NewChainCredentials returns a pointer to a new Credentials object
+// wrapping a chain of providers.
+func NewChainCredentials(providers []Provider) *Credentials {
+        return New(&Chain{
+                Providers: append([]Provider{}, providers...),
+        })
+}
+// Retrieve returns the credentials value, returns no credentials(anonymous)
+// if no credentials provider returned any value.
+//
+// If a provider is found with credentials, it will be cached and any calls
+// to IsExpired() will return the expired state of the cached provider.
+func (c *Chain) Retrieve() (Value, error) {
+        for _, p := range c.Providers {
+                creds, _ := p.Retrieve()
+                // Always prioritize non-anonymous providers, if any.
+                if creds.AccessKeyID == "" && creds.SecretAccessKey == "" {
+                        continue
+                }
+                c.curr = p
+                return creds, nil
+        }
+        // At this point we have exhausted all the providers and
+        // are left without any credentials return anonymous.
+        return Value{
+                SignerType: SignatureAnonymous,
+        }, nil
+}
+// IsExpired will returned the expired state of the currently cached provider
+// if there is one. If there is no current provider, true will be returned.
+func (c *Chain) IsExpired() bool {
+        if c.curr != nil {
+                return c.curr.IsExpired()
+        }
+        return true
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/config.json.sample b/vendor/github.com/minio/minio-go/v7/pkg/credentials/config.json.sample
new file mode 100644
index 0000000..d793c9e
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/config.json.sample
@@ -0,0 +1,17 @@
+{
+        "version": "8",
+        "hosts": {
+                "play": {
+                        "url": "https://play.min.io",
+                        "accessKey": "Q3AM3UQ867SPQQA43P2F",
+                        "secretKey": "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG",
+                        "api": "S3v2"
+                },
+                "s3": {
+                        "url": "https://s3.amazonaws.com",
+                        "accessKey": "accessKey",
+                        "secretKey": "secret",
+                        "api": "S3v4"
+                }
+        }
+}
+\ No newline at end of file
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.go
new file mode 100644
index 0000000..af61049
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.go
@@ -0,0 +1,193 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "sync"
+        "time"
+)
+const (
+        // STSVersion sts version string
+        STSVersion = "2011-06-15"
+        // How much duration to slash from the given expiration duration
+        defaultExpiryWindow = 0.8
+)
+// A Value is the AWS credentials value for individual credential fields.
+type Value struct {
+        // AWS Access key ID
+        AccessKeyID string
+        // AWS Secret Access Key
+        SecretAccessKey string
+        // AWS Session Token
+        SessionToken string
+        // Signature Type.
+        SignerType SignatureType
+}
+// A Provider is the interface for any component which will provide credentials
+// Value. A provider is required to manage its own Expired state, and what to
+// be expired means.
+type Provider interface {
+        // Retrieve returns nil if it successfully retrieved the value.
+        // Error is returned if the value were not obtainable, or empty.
+        Retrieve() (Value, error)
+        // IsExpired returns if the credentials are no longer valid, and need
+        // to be retrieved.
+        IsExpired() bool
+}
+// A Expiry provides shared expiration logic to be used by credentials
+// providers to implement expiry functionality.
+//
+// The best method to use this struct is as an anonymous field within the
+// provider's struct.
+//
+// Example:
+//
+//      type IAMCredentialProvider struct {
+//          Expiry
+//          ...
+//      }
+type Expiry struct {
+        // The date/time when to expire on
+        expiration time.Time
+        // If set will be used by IsExpired to determine the current time.
+        // Defaults to time.Now if CurrentTime is not set.
+        CurrentTime func() time.Time
+}
+// SetExpiration sets the expiration IsExpired will check when called.
+//
+// If window is greater than 0 the expiration time will be reduced by the
+// window value.
+//
+// Using a window is helpful to trigger credentials to expire sooner than
+// the expiration time given to ensure no requests are made with expired
+// tokens.
+func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
+        if e.CurrentTime == nil {
+                e.CurrentTime = time.Now
+        }
+        cut := window
+        if cut < 0 {
+                expireIn := expiration.Sub(e.CurrentTime())
+                cut = time.Duration(float64(expireIn) * (1 - defaultExpiryWindow))
+        }
+        e.expiration = expiration.Add(-cut)
+}
+// IsExpired returns if the credentials are expired.
+func (e *Expiry) IsExpired() bool {
+        if e.CurrentTime == nil {
+                e.CurrentTime = time.Now
+        }
+        return e.expiration.Before(e.CurrentTime())
+}
+// Credentials - A container for synchronous safe retrieval of credentials Value.
+// Credentials will cache the credentials value until they expire. Once the value
+// expires the next Get will attempt to retrieve valid credentials.
+//
+// Credentials is safe to use across multiple goroutines and will manage the
+// synchronous state so the Providers do not need to implement their own
+// synchronization.
+//
+// The first Credentials.Get() will always call Provider.Retrieve() to get the
+// first instance of the credentials Value. All calls to Get() after that
+// will return the cached credentials Value until IsExpired() returns true.
+type Credentials struct {
+        sync.Mutex
+        creds        Value
+        forceRefresh bool
+        provider     Provider
+}
+// New returns a pointer to a new Credentials with the provider set.
+func New(provider Provider) *Credentials {
+        return &Credentials{
+                provider:     provider,
+                forceRefresh: true,
+        }
+}
+// Get returns the credentials value, or error if the credentials Value failed
+// to be retrieved.
+//
+// Will return the cached credentials Value if it has not expired. If the
+// credentials Value has expired the Provider's Retrieve() will be called
+// to refresh the credentials.
+//
+// If Credentials.Expire() was called the credentials Value will be force
+// expired, and the next call to Get() will cause them to be refreshed.
+func (c *Credentials) Get() (Value, error) {
+        if c == nil {
+                return Value{}, nil
+        }
+        c.Lock()
+        defer c.Unlock()
+        if c.isExpired() {
+                creds, err := c.provider.Retrieve()
+                if err != nil {
+                        return Value{}, err
+                }
+                c.creds = creds
+                c.forceRefresh = false
+        }
+        return c.creds, nil
+}
+// Expire expires the credentials and forces them to be retrieved on the
+// next call to Get().
+//
+// This will override the Provider's expired state, and force Credentials
+// to call the Provider's Retrieve().
+func (c *Credentials) Expire() {
+        c.Lock()
+        defer c.Unlock()
+        c.forceRefresh = true
+}
+// IsExpired returns if the credentials are no longer valid, and need
+// to be refreshed.
+//
+// If the Credentials were forced to be expired with Expire() this will
+// reflect that override.
+func (c *Credentials) IsExpired() bool {
+        c.Lock()
+        defer c.Unlock()
+        return c.isExpired()
+}
+// isExpired helper method wrapping the definition of expired credentials.
+func (c *Credentials) isExpired() bool {
+        return c.forceRefresh || c.provider.IsExpired()
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.json b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.json
new file mode 100644
index 0000000..afbfad5
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.json
@@ -0,0 +1,7 @@
+{
+    "Version": 1,
+    "SessionToken": "token",
+    "AccessKeyId": "accessKey",
+    "SecretAccessKey": "secret",
+    "Expiration": "9999-04-27T16:02:25.000Z"
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.sample b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.sample
new file mode 100644
index 0000000..e2dc1bf
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/credentials.sample
@@ -0,0 +1,15 @@
+[default]
+aws_access_key_id = accessKey
+aws_secret_access_key = secret
+aws_session_token = token
+[no_token]
+aws_access_key_id = accessKey
+aws_secret_access_key = secret
+[with_colon]
+aws_access_key_id: accessKey
+aws_secret_access_key: secret
+[with_process]
+credential_process = /bin/cat credentials.json
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/doc.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/doc.go
new file mode 100644
index 0000000..fbfb105
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/doc.go
@@ -0,0 +1,60 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Package credentials provides credential retrieval and management
+// for S3 compatible object storage.
+//
+// By default the Credentials.Get() will cache the successful result of a
+// Provider's Retrieve() until Provider.IsExpired() returns true. At which
+// point Credentials will call Provider's Retrieve() to get new credential Value.
+//
+// The Provider is responsible for determining when credentials have expired.
+// It is also important to note that Credentials will always call Retrieve the
+// first time Credentials.Get() is called.
+//
+// Example of using the environment variable credentials.
+//
+//      creds := NewFromEnv()
+//      // Retrieve the credentials value
+//      credValue, err := creds.Get()
+//      if err != nil {
+//          // handle error
+//      }
+//
+// Example of forcing credentials to expire and be refreshed on the next Get().
+// This may be helpful to proactively expire credentials and refresh them sooner
+// than they would naturally expire on their own.
+//
+//      creds := NewFromIAM("")
+//      creds.Expire()
+//      credsValue, err := creds.Get()
+//      // New credentials will be retrieved instead of from cache.
+//
+// # Custom Provider
+//
+// Each Provider built into this package also provides a helper method to generate
+// a Credentials pointer setup with the provider. To use a custom Provider just
+// create a type which satisfies the Provider interface and pass it to the
+// NewCredentials method.
+//
+//      type MyProvider struct{}
+//      func (m *MyProvider) Retrieve() (Value, error) {...}
+//      func (m *MyProvider) IsExpired() bool {...}
+//
+//      creds := NewCredentials(&MyProvider{})
+//      credValue, err := creds.Get()
+package credentials
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_aws.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_aws.go
new file mode 100644
index 0000000..b6e60d0
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_aws.go
@@ -0,0 +1,71 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import "os"
+// A EnvAWS retrieves credentials from the environment variables of the
+// running process. EnvAWSironment credentials never expire.
+//
+// EnvAWSironment variables used:
+//
+// * Access Key ID:     AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY.
+// * Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY.
+// * Secret Token:      AWS_SESSION_TOKEN.
+type EnvAWS struct {
+        retrieved bool
+}
+// NewEnvAWS returns a pointer to a new Credentials object
+// wrapping the environment variable provider.
+func NewEnvAWS() *Credentials {
+        return New(&EnvAWS{})
+}
+// Retrieve retrieves the keys from the environment.
+func (e *EnvAWS) Retrieve() (Value, error) {
+        e.retrieved = false
+        id := os.Getenv("AWS_ACCESS_KEY_ID")
+        if id == "" {
+                id = os.Getenv("AWS_ACCESS_KEY")
+        }
+        secret := os.Getenv("AWS_SECRET_ACCESS_KEY")
+        if secret == "" {
+                secret = os.Getenv("AWS_SECRET_KEY")
+        }
+        signerType := SignatureV4
+        if id == "" || secret == "" {
+                signerType = SignatureAnonymous
+        }
+        e.retrieved = true
+        return Value{
+                AccessKeyID:     id,
+                SecretAccessKey: secret,
+                SessionToken:    os.Getenv("AWS_SESSION_TOKEN"),
+                SignerType:      signerType,
+        }, nil
+}
+// IsExpired returns if the credentials have been retrieved.
+func (e *EnvAWS) IsExpired() bool {
+        return !e.retrieved
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_minio.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_minio.go
new file mode 100644
index 0000000..5bfeab1
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/env_minio.go
@@ -0,0 +1,68 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import "os"
+// A EnvMinio retrieves credentials from the environment variables of the
+// running process. EnvMinioironment credentials never expire.
+//
+// Environment variables used:
+//
+// * Access Key ID:     MINIO_ACCESS_KEY.
+// * Secret Access Key: MINIO_SECRET_KEY.
+// * Access Key ID:     MINIO_ROOT_USER.
+// * Secret Access Key: MINIO_ROOT_PASSWORD.
+type EnvMinio struct {
+        retrieved bool
+}
+// NewEnvMinio returns a pointer to a new Credentials object
+// wrapping the environment variable provider.
+func NewEnvMinio() *Credentials {
+        return New(&EnvMinio{})
+}
+// Retrieve retrieves the keys from the environment.
+func (e *EnvMinio) Retrieve() (Value, error) {
+        e.retrieved = false
+        id := os.Getenv("MINIO_ROOT_USER")
+        secret := os.Getenv("MINIO_ROOT_PASSWORD")
+        signerType := SignatureV4
+        if id == "" || secret == "" {
+                id = os.Getenv("MINIO_ACCESS_KEY")
+                secret = os.Getenv("MINIO_SECRET_KEY")
+                if id == "" || secret == "" {
+                        signerType = SignatureAnonymous
+                }
+        }
+        e.retrieved = true
+        return Value{
+                AccessKeyID:     id,
+                SecretAccessKey: secret,
+                SignerType:      signerType,
+        }, nil
+}
+// IsExpired returns if the credentials have been retrieved.
+func (e *EnvMinio) IsExpired() bool {
+        return !e.retrieved
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/error_response.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/error_response.go
new file mode 100644
index 0000000..07a9c2f
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/error_response.go
@@ -0,0 +1,95 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2021 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bytes"
+        "encoding/xml"
+        "fmt"
+        "io"
+)
+// ErrorResponse - Is the typed error returned.
+// ErrorResponse struct should be comparable since it is compared inside
+// golang http API (https://github.com/golang/go/issues/29768)
+type ErrorResponse struct {
+        XMLName  xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ ErrorResponse" json:"-"`
+        STSError struct {
+                Type    string `xml:"Type"`
+                Code    string `xml:"Code"`
+                Message string `xml:"Message"`
+        } `xml:"Error"`
+        RequestID string `xml:"RequestId"`
+}
+// Error - Is the typed error returned by all API operations.
+type Error struct {
+        XMLName    xml.Name `xml:"Error" json:"-"`
+        Code       string
+        Message    string
+        BucketName string
+        Key        string
+        Resource   string
+        RequestID  string `xml:"RequestId"`
+        HostID     string `xml:"HostId"`
+        // Region where the bucket is located. This header is returned
+        // only in HEAD bucket and ListObjects response.
+        Region string
+        // Captures the server string returned in response header.
+        Server string
+        // Underlying HTTP status code for the returned error
+        StatusCode int `xml:"-" json:"-"`
+}
+// Error - Returns S3 error string.
+func (e Error) Error() string {
+        if e.Message == "" {
+                return fmt.Sprintf("Error response code %s.", e.Code)
+        }
+        return e.Message
+}
+// Error - Returns STS error string.
+func (e ErrorResponse) Error() string {
+        if e.STSError.Message == "" {
+                return fmt.Sprintf("Error response code %s.", e.STSError.Code)
+        }
+        return e.STSError.Message
+}
+// xmlDecoder provide decoded value in xml.
+func xmlDecoder(body io.Reader, v interface{}) error {
+        d := xml.NewDecoder(body)
+        return d.Decode(v)
+}
+// xmlDecodeAndBody reads the whole body up to 1MB and
+// tries to XML decode it into v.
+// The body that was read and any error from reading or decoding is returned.
+func xmlDecodeAndBody(bodyReader io.Reader, v interface{}) ([]byte, error) {
+        // read the whole body (up to 1MB)
+        const maxBodyLength = 1 << 20
+        body, err := io.ReadAll(io.LimitReader(bodyReader, maxBodyLength))
+        if err != nil {
+                return nil, err
+        }
+        return bytes.TrimSpace(body), xmlDecoder(bytes.NewReader(body), v)
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_aws_credentials.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_aws_credentials.go
new file mode 100644
index 0000000..5b07376
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_aws_credentials.go
@@ -0,0 +1,157 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "encoding/json"
+        "errors"
+        "os"
+        "os/exec"
+        "path/filepath"
+        "strings"
+        "time"
+        ini "gopkg.in/ini.v1"
+)
+// A externalProcessCredentials stores the output of a credential_process
+type externalProcessCredentials struct {
+        Version         int
+        SessionToken    string
+        AccessKeyID     string `json:"AccessKeyId"`
+        SecretAccessKey string
+        Expiration      time.Time
+}
+// A FileAWSCredentials retrieves credentials from the current user's home
+// directory, and keeps track if those credentials are expired.
+//
+// Profile ini file example: $HOME/.aws/credentials
+type FileAWSCredentials struct {
+        Expiry
+        // Path to the shared credentials file.
+        //
+        // If empty will look for "AWS_SHARED_CREDENTIALS_FILE" env variable. If the
+        // env value is empty will default to current user's home directory.
+        // Linux/OSX: "$HOME/.aws/credentials"
+        // Windows:   "%USERPROFILE%\.aws\credentials"
+        Filename string
+        // AWS Profile to extract credentials from the shared credentials file. If empty
+        // will default to environment variable "AWS_PROFILE" or "default" if
+        // environment variable is also not set.
+        Profile string
+        // retrieved states if the credentials have been successfully retrieved.
+        retrieved bool
+}
+// NewFileAWSCredentials returns a pointer to a new Credentials object
+// wrapping the Profile file provider.
+func NewFileAWSCredentials(filename, profile string) *Credentials {
+        return New(&FileAWSCredentials{
+                Filename: filename,
+                Profile:  profile,
+        })
+}
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileAWSCredentials) Retrieve() (Value, error) {
+        if p.Filename == "" {
+                p.Filename = os.Getenv("AWS_SHARED_CREDENTIALS_FILE")
+                if p.Filename == "" {
+                        homeDir, err := os.UserHomeDir()
+                        if err != nil {
+                                return Value{}, err
+                        }
+                        p.Filename = filepath.Join(homeDir, ".aws", "credentials")
+                }
+        }
+        if p.Profile == "" {
+                p.Profile = os.Getenv("AWS_PROFILE")
+                if p.Profile == "" {
+                        p.Profile = "default"
+                }
+        }
+        p.retrieved = false
+        iniProfile, err := loadProfile(p.Filename, p.Profile)
+        if err != nil {
+                return Value{}, err
+        }
+        // Default to empty string if not found.
+        id := iniProfile.Key("aws_access_key_id")
+        // Default to empty string if not found.
+        secret := iniProfile.Key("aws_secret_access_key")
+        // Default to empty string if not found.
+        token := iniProfile.Key("aws_session_token")
+        // If credential_process is defined, obtain credentials by executing
+        // the external process
+        credentialProcess := strings.TrimSpace(iniProfile.Key("credential_process").String())
+        if credentialProcess != "" {
+                args := strings.Fields(credentialProcess)
+                if len(args) <= 1 {
+                        return Value{}, errors.New("invalid credential process args")
+                }
+                cmd := exec.Command(args[0], args[1:]...)
+                out, err := cmd.Output()
+                if err != nil {
+                        return Value{}, err
+                }
+                var externalProcessCredentials externalProcessCredentials
+                err = json.Unmarshal([]byte(out), &externalProcessCredentials)
+                if err != nil {
+                        return Value{}, err
+                }
+                p.retrieved = true
+                p.SetExpiration(externalProcessCredentials.Expiration, DefaultExpiryWindow)
+                return Value{
+                        AccessKeyID:     externalProcessCredentials.AccessKeyID,
+                        SecretAccessKey: externalProcessCredentials.SecretAccessKey,
+                        SessionToken:    externalProcessCredentials.SessionToken,
+                        SignerType:      SignatureV4,
+                }, nil
+        }
+        p.retrieved = true
+        return Value{
+                AccessKeyID:     id.String(),
+                SecretAccessKey: secret.String(),
+                SessionToken:    token.String(),
+                SignerType:      SignatureV4,
+        }, nil
+}
+// loadProfiles loads from the file pointed to by shared credentials filename for profile.
+// The credentials retrieved from the profile will be returned or error. Error will be
+// returned if it fails to read from the file, or the data is invalid.
+func loadProfile(filename, profile string) (*ini.Section, error) {
+        config, err := ini.Load(filename)
+        if err != nil {
+                return nil, err
+        }
+        iniProfile, err := config.GetSection(profile)
+        if err != nil {
+                return nil, err
+        }
+        return iniProfile, nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_minio_client.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_minio_client.go
new file mode 100644
index 0000000..eb77767
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/file_minio_client.go
@@ -0,0 +1,139 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "os"
+        "path/filepath"
+        "runtime"
+        jsoniter "github.com/json-iterator/go"
+)
+// A FileMinioClient retrieves credentials from the current user's home
+// directory, and keeps track if those credentials are expired.
+//
+// Configuration file example: $HOME/.mc/config.json
+type FileMinioClient struct {
+        // Path to the shared credentials file.
+        //
+        // If empty will look for "MINIO_SHARED_CREDENTIALS_FILE" env variable. If the
+        // env value is empty will default to current user's home directory.
+        // Linux/OSX: "$HOME/.mc/config.json"
+        // Windows:   "%USERALIAS%\mc\config.json"
+        Filename string
+        // MinIO Alias to extract credentials from the shared credentials file. If empty
+        // will default to environment variable "MINIO_ALIAS" or "default" if
+        // environment variable is also not set.
+        Alias string
+        // retrieved states if the credentials have been successfully retrieved.
+        retrieved bool
+}
+// NewFileMinioClient returns a pointer to a new Credentials object
+// wrapping the Alias file provider.
+func NewFileMinioClient(filename, alias string) *Credentials {
+        return New(&FileMinioClient{
+                Filename: filename,
+                Alias:    alias,
+        })
+}
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileMinioClient) Retrieve() (Value, error) {
+        if p.Filename == "" {
+                if value, ok := os.LookupEnv("MINIO_SHARED_CREDENTIALS_FILE"); ok {
+                        p.Filename = value
+                } else {
+                        homeDir, err := os.UserHomeDir()
+                        if err != nil {
+                                return Value{}, err
+                        }
+                        p.Filename = filepath.Join(homeDir, ".mc", "config.json")
+                        if runtime.GOOS == "windows" {
+                                p.Filename = filepath.Join(homeDir, "mc", "config.json")
+                        }
+                }
+        }
+        if p.Alias == "" {
+                p.Alias = os.Getenv("MINIO_ALIAS")
+                if p.Alias == "" {
+                        p.Alias = "s3"
+                }
+        }
+        p.retrieved = false
+        hostCfg, err := loadAlias(p.Filename, p.Alias)
+        if err != nil {
+                return Value{}, err
+        }
+        p.retrieved = true
+        return Value{
+                AccessKeyID:     hostCfg.AccessKey,
+                SecretAccessKey: hostCfg.SecretKey,
+                SignerType:      parseSignatureType(hostCfg.API),
+        }, nil
+}
+// IsExpired returns if the shared credentials have expired.
+func (p *FileMinioClient) IsExpired() bool {
+        return !p.retrieved
+}
+// hostConfig configuration of a host.
+type hostConfig struct {
+        URL       string `json:"url"`
+        AccessKey string `json:"accessKey"`
+        SecretKey string `json:"secretKey"`
+        API       string `json:"api"`
+}
+// config config version.
+type config struct {
+        Version string                `json:"version"`
+        Hosts   map[string]hostConfig `json:"hosts"`
+        Aliases map[string]hostConfig `json:"aliases"`
+}
+// loadAliass loads from the file pointed to by shared credentials filename for alias.
+// The credentials retrieved from the alias will be returned or error. Error will be
+// returned if it fails to read from the file.
+func loadAlias(filename, alias string) (hostConfig, error) {
+        cfg := &config{}
+        json := jsoniter.ConfigCompatibleWithStandardLibrary
+        configBytes, err := os.ReadFile(filename)
+        if err != nil {
+                return hostConfig{}, err
+        }
+        if err = json.Unmarshal(configBytes, cfg); err != nil {
+                return hostConfig{}, err
+        }
+        if cfg.Version == "10" {
+                return cfg.Aliases[alias], nil
+        }
+        return cfg.Hosts[alias], nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
new file mode 100644
index 0000000..c5153c4
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go
@@ -0,0 +1,433 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bufio"
+        "context"
+        "errors"
+        "fmt"
+        "io"
+        "net"
+        "net/http"
+        "net/url"
+        "os"
+        "path"
+        "strings"
+        "time"
+        jsoniter "github.com/json-iterator/go"
+)
+// DefaultExpiryWindow - Default expiry window.
+// ExpiryWindow will allow the credentials to trigger refreshing
+// prior to the credentials actually expiring. This is beneficial
+// so race conditions with expiring credentials do not cause
+// request to fail unexpectedly due to ExpiredTokenException exceptions.
+// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
+// When used the tokens refresh will be triggered when 80% of the elapsed
+// time until the actual expiration time is passed.
+const DefaultExpiryWindow = -1
+// A IAM retrieves credentials from the EC2 service, and keeps track if
+// those credentials are expired.
+type IAM struct {
+        Expiry
+        // Required http Client to use when connecting to IAM metadata service.
+        Client *http.Client
+        // Custom endpoint to fetch IAM role credentials.
+        Endpoint string
+        // Region configurable custom region for STS
+        Region string
+        // Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
+        Container struct {
+                AuthorizationToken     string
+                CredentialsFullURI     string
+                CredentialsRelativeURI string
+        }
+        // EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
+        EKSIdentity struct {
+                TokenFile       string
+                RoleARN         string
+                RoleSessionName string
+        }
+}
+// IAM Roles for Amazon EC2
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+const (
+        DefaultIAMRoleEndpoint      = "http://169.254.169.254"
+        DefaultECSRoleEndpoint      = "http://169.254.170.2"
+        DefaultSTSRoleEndpoint      = "https://sts.amazonaws.com"
+        DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
+        TokenRequestTTLHeader       = "X-aws-ec2-metadata-token-ttl-seconds"
+        TokenPath                   = "/latest/api/token"
+        TokenTTL                    = "21600"
+        TokenRequestHeader          = "X-aws-ec2-metadata-token"
+)
+// NewIAM returns a pointer to a new Credentials object wrapping the IAM.
+func NewIAM(endpoint string) *Credentials {
+        return New(&IAM{
+                Client: &http.Client{
+                        Transport: http.DefaultTransport,
+                },
+                Endpoint: endpoint,
+        })
+}
+// Retrieve retrieves credentials from the EC2 service.
+// Error will be returned if the request fails, or unable to extract
+// the desired
+func (m *IAM) Retrieve() (Value, error) {
+        token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
+        if token == "" {
+                token = m.Container.AuthorizationToken
+        }
+        relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+        if relativeURI == "" {
+                relativeURI = m.Container.CredentialsRelativeURI
+        }
+        fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
+        if fullURI == "" {
+                fullURI = m.Container.CredentialsFullURI
+        }
+        identityFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+        if identityFile == "" {
+                identityFile = m.EKSIdentity.TokenFile
+        }
+        roleArn := os.Getenv("AWS_ROLE_ARN")
+        if roleArn == "" {
+                roleArn = m.EKSIdentity.RoleARN
+        }
+        roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
+        if roleSessionName == "" {
+                roleSessionName = m.EKSIdentity.RoleSessionName
+        }
+        region := os.Getenv("AWS_REGION")
+        if region == "" {
+                region = m.Region
+        }
+        var roleCreds ec2RoleCredRespBody
+        var err error
+        endpoint := m.Endpoint
+        switch {
+        case identityFile != "":
+                if len(endpoint) == 0 {
+                        if region != "" {
+                                if strings.HasPrefix(region, "cn-") {
+                                        endpoint = "https://sts." + region + ".amazonaws.com.cn"
+                                } else {
+                                        endpoint = "https://sts." + region + ".amazonaws.com"
+                                }
+                        } else {
+                                endpoint = DefaultSTSRoleEndpoint
+                        }
+                }
+                creds := &STSWebIdentity{
+                        Client:      m.Client,
+                        STSEndpoint: endpoint,
+                        GetWebIDTokenExpiry: func() (*WebIdentityToken, error) {
+                                token, err := os.ReadFile(identityFile)
+                                if err != nil {
+                                        return nil, err
+                                }
+                                return &WebIdentityToken{Token: string(token)}, nil
+                        },
+                        RoleARN:         roleArn,
+                        roleSessionName: roleSessionName,
+                }
+                stsWebIdentityCreds, err := creds.Retrieve()
+                if err == nil {
+                        m.SetExpiration(creds.Expiration(), DefaultExpiryWindow)
+                }
+                return stsWebIdentityCreds, err
+        case relativeURI != "":
+                if len(endpoint) == 0 {
+                        endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI)
+                }
+                roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+        case fullURI != "":
+                if len(endpoint) == 0 {
+                        endpoint = fullURI
+                        var ok bool
+                        if ok, err = isLoopback(endpoint); !ok {
+                                if err == nil {
+                                        err = fmt.Errorf("uri host is not a loopback address: %s", endpoint)
+                                }
+                                break
+                        }
+                }
+                roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
+        default:
+                roleCreds, err = getCredentials(m.Client, endpoint)
+        }
+        if err != nil {
+                return Value{}, err
+        }
+        // Expiry window is set to 10secs.
+        m.SetExpiration(roleCreds.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     roleCreds.AccessKeyID,
+                SecretAccessKey: roleCreds.SecretAccessKey,
+                SessionToken:    roleCreds.Token,
+                SignerType:      SignatureV4,
+        }, nil
+}
+// A ec2RoleCredRespBody provides the shape for unmarshaling credential
+// request responses.
+type ec2RoleCredRespBody struct {
+        // Success State
+        Expiration      time.Time
+        AccessKeyID     string
+        SecretAccessKey string
+        Token           string
+        // Error state
+        Code    string
+        Message string
+        // Unused params.
+        LastUpdated time.Time
+        Type        string
+}
+// Get the final IAM role URL where the request will
+// be sent to fetch the rolling access credentials.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func getIAMRoleURL(endpoint string) (*url.URL, error) {
+        u, err := url.Parse(endpoint)
+        if err != nil {
+                return nil, err
+        }
+        u.Path = DefaultIAMSecurityCredsPath
+        return u, nil
+}
+// listRoleNames lists of credential role names associated
+// with the current EC2 service. If there are no credentials,
+// or there is an error making or receiving the request.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func listRoleNames(client *http.Client, u *url.URL, token string) ([]string, error) {
+        req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+        if err != nil {
+                return nil, err
+        }
+        if token != "" {
+                req.Header.Add(TokenRequestHeader, token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return nil, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return nil, errors.New(resp.Status)
+        }
+        credsList := []string{}
+        s := bufio.NewScanner(resp.Body)
+        for s.Scan() {
+                credsList = append(credsList, s.Text())
+        }
+        if err := s.Err(); err != nil {
+                return nil, err
+        }
+        return credsList, nil
+}
+func getEcsTaskCredentials(client *http.Client, endpoint, token string) (ec2RoleCredRespBody, error) {
+        req, err := http.NewRequest(http.MethodGet, endpoint, nil)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if token != "" {
+                req.Header.Set("Authorization", token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return ec2RoleCredRespBody{}, errors.New(resp.Status)
+        }
+        respCreds := ec2RoleCredRespBody{}
+        if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        return respCreds, nil
+}
+func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
+        ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+        defer cancel()
+        req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+TokenPath, nil)
+        if err != nil {
+                return "", err
+        }
+        req.Header.Add(TokenRequestTTLHeader, TokenTTL)
+        resp, err := client.Do(req)
+        if err != nil {
+                return "", err
+        }
+        defer resp.Body.Close()
+        data, err := io.ReadAll(resp.Body)
+        if err != nil {
+                return "", err
+        }
+        if resp.StatusCode != http.StatusOK {
+                return "", errors.New(resp.Status)
+        }
+        return string(data), nil
+}
+// getCredentials - obtains the credentials from the IAM role name associated with
+// the current EC2 service.
+//
+// If the credentials cannot be found, or there is an error
+// reading the response an error will be returned.
+func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
+        if endpoint == "" {
+                endpoint = DefaultIAMRoleEndpoint
+        }
+        // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+        token, err := fetchIMDSToken(client, endpoint)
+        if err != nil {
+                // Return only errors for valid situations, if the IMDSv2 is not enabled
+                // we will not be able to get the token, in such a situation we have
+                // to rely on IMDSv1 behavior as a fallback, this check ensures that.
+                // Refer https://github.com/minio/minio-go/issues/1866
+                if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
+                        return ec2RoleCredRespBody{}, err
+                }
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        u, err := getIAMRoleURL(endpoint)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        roleNames, err := listRoleNames(client, u, token)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if len(roleNames) == 0 {
+                return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
+        }
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        // - An instance profile can contain only one IAM role. This limit cannot be increased.
+        roleName := roleNames[0]
+        // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+        // The following command retrieves the security credentials for an
+        // IAM role named `s3access`.
+        //
+        //    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+        //
+        u.Path = path.Join(u.Path, roleName)
+        req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if token != "" {
+                req.Header.Add(TokenRequestHeader, token)
+        }
+        resp, err := client.Do(req)
+        if err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return ec2RoleCredRespBody{}, errors.New(resp.Status)
+        }
+        respCreds := ec2RoleCredRespBody{}
+        if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
+                return ec2RoleCredRespBody{}, err
+        }
+        if respCreds.Code != "Success" {
+                // If an error code was returned something failed requesting the role.
+                return ec2RoleCredRespBody{}, errors.New(respCreds.Message)
+        }
+        return respCreds, nil
+}
+// isLoopback identifies if a uri's host is on a loopback address
+func isLoopback(uri string) (bool, error) {
+        u, err := url.Parse(uri)
+        if err != nil {
+                return false, err
+        }
+        host := u.Hostname()
+        if len(host) == 0 {
+                return false, fmt.Errorf("can't parse host from uri: %s", uri)
+        }
+        ips, err := net.LookupHost(host)
+        if err != nil {
+                return false, err
+        }
+        for _, ip := range ips {
+                if !net.ParseIP(ip).IsLoopback() {
+                        return false, nil
+                }
+        }
+        return true, nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/signature_type.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/signature_type.go
new file mode 100644
index 0000000..b794333
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/signature_type.go
@@ -0,0 +1,77 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import "strings"
+// SignatureType is type of Authorization requested for a given HTTP request.
+type SignatureType int
+// Different types of supported signatures - default is SignatureV4 or SignatureDefault.
+const (
+        // SignatureDefault is always set to v4.
+        SignatureDefault SignatureType = iota
+        SignatureV4
+        SignatureV2
+        SignatureV4Streaming
+        SignatureAnonymous // Anonymous signature signifies, no signature.
+)
+// IsV2 - is signature SignatureV2?
+func (s SignatureType) IsV2() bool {
+        return s == SignatureV2
+}
+// IsV4 - is signature SignatureV4?
+func (s SignatureType) IsV4() bool {
+        return s == SignatureV4 || s == SignatureDefault
+}
+// IsStreamingV4 - is signature SignatureV4Streaming?
+func (s SignatureType) IsStreamingV4() bool {
+        return s == SignatureV4Streaming
+}
+// IsAnonymous - is signature empty?
+func (s SignatureType) IsAnonymous() bool {
+        return s == SignatureAnonymous
+}
+// Stringer humanized version of signature type,
+// strings returned here are case insensitive.
+func (s SignatureType) String() string {
+        if s.IsV2() {
+                return "S3v2"
+        } else if s.IsV4() {
+                return "S3v4"
+        } else if s.IsStreamingV4() {
+                return "S3v4Streaming"
+        }
+        return "Anonymous"
+}
+func parseSignatureType(str string) SignatureType {
+        if strings.EqualFold(str, "S3v4") {
+                return SignatureV4
+        } else if strings.EqualFold(str, "S3v2") {
+                return SignatureV2
+        } else if strings.EqualFold(str, "S3v4Streaming") {
+                return SignatureV4Streaming
+        }
+        return SignatureAnonymous
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/static.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/static.go
new file mode 100644
index 0000000..7dde00b
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/static.go
@@ -0,0 +1,67 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2017 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+// A Static is a set of credentials which are set programmatically,
+// and will never expire.
+type Static struct {
+        Value
+}
+// NewStaticV2 returns a pointer to a new Credentials object
+// wrapping a static credentials value provider, signature is
+// set to v2. If access and secret are not specified then
+// regardless of signature type set it Value will return
+// as anonymous.
+func NewStaticV2(id, secret, token string) *Credentials {
+        return NewStatic(id, secret, token, SignatureV2)
+}
+// NewStaticV4 is similar to NewStaticV2 with similar considerations.
+func NewStaticV4(id, secret, token string) *Credentials {
+        return NewStatic(id, secret, token, SignatureV4)
+}
+// NewStatic returns a pointer to a new Credentials object
+// wrapping a static credentials value provider.
+func NewStatic(id, secret, token string, signerType SignatureType) *Credentials {
+        return New(&Static{
+                Value: Value{
+                        AccessKeyID:     id,
+                        SecretAccessKey: secret,
+                        SessionToken:    token,
+                        SignerType:      signerType,
+                },
+        })
+}
+// Retrieve returns the static credentials.
+func (s *Static) Retrieve() (Value, error) {
+        if s.AccessKeyID == "" || s.SecretAccessKey == "" {
+                // Anonymous is not an error
+                return Value{SignerType: SignatureAnonymous}, nil
+        }
+        return s.Value, nil
+}
+// IsExpired returns if the credentials are expired.
+//
+// For Static, the credentials never expired.
+func (s *Static) IsExpired() bool {
+        return false
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_client_grants.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_client_grants.go
new file mode 100644
index 0000000..9e92c1e
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_client_grants.go
@@ -0,0 +1,182 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2019-2022 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bytes"
+        "encoding/xml"
+        "errors"
+        "fmt"
+        "io"
+        "net/http"
+        "net/url"
+        "strings"
+        "time"
+)
+// AssumedRoleUser - The identifiers for the temporary security credentials that
+// the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
+type AssumedRoleUser struct {
+        Arn           string
+        AssumedRoleID string `xml:"AssumeRoleId"`
+}
+// AssumeRoleWithClientGrantsResponse contains the result of successful AssumeRoleWithClientGrants request.
+type AssumeRoleWithClientGrantsResponse struct {
+        XMLName          xml.Name           `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithClientGrantsResponse" json:"-"`
+        Result           ClientGrantsResult `xml:"AssumeRoleWithClientGrantsResult"`
+        ResponseMetadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
+// ClientGrantsResult - Contains the response to a successful AssumeRoleWithClientGrants
+// request, including temporary credentials that can be used to make MinIO API requests.
+type ClientGrantsResult struct {
+        AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
+        Audience        string          `xml:",omitempty"`
+        Credentials     struct {
+                AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+                SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+                Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+                SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+        } `xml:",omitempty"`
+        PackedPolicySize             int    `xml:",omitempty"`
+        Provider                     string `xml:",omitempty"`
+        SubjectFromClientGrantsToken string `xml:",omitempty"`
+}
+// ClientGrantsToken - client grants token with expiry.
+type ClientGrantsToken struct {
+        Token  string
+        Expiry int
+}
+// A STSClientGrants retrieves credentials from MinIO service, and keeps track if
+// those credentials are expired.
+type STSClientGrants struct {
+        Expiry
+        // Required http Client to use when connecting to MinIO STS service.
+        Client *http.Client
+        // MinIO endpoint to fetch STS credentials.
+        STSEndpoint string
+        // getClientGrantsTokenExpiry function to retrieve tokens
+        // from IDP This function should return two values one is
+        // accessToken which is a self contained access token (JWT)
+        // and second return value is the expiry associated with
+        // this token. This is a customer provided function and
+        // is mandatory.
+        GetClientGrantsTokenExpiry func() (*ClientGrantsToken, error)
+}
+// NewSTSClientGrants returns a pointer to a new
+// Credentials object wrapping the STSClientGrants.
+func NewSTSClientGrants(stsEndpoint string, getClientGrantsTokenExpiry func() (*ClientGrantsToken, error)) (*Credentials, error) {
+        if stsEndpoint == "" {
+                return nil, errors.New("STS endpoint cannot be empty")
+        }
+        if getClientGrantsTokenExpiry == nil {
+                return nil, errors.New("Client grants access token and expiry retrieval function should be defined")
+        }
+        return New(&STSClientGrants{
+                Client: &http.Client{
+                        Transport: http.DefaultTransport,
+                },
+                STSEndpoint:                stsEndpoint,
+                GetClientGrantsTokenExpiry: getClientGrantsTokenExpiry,
+        }), nil
+}
+func getClientGrantsCredentials(clnt *http.Client, endpoint string,
+        getClientGrantsTokenExpiry func() (*ClientGrantsToken, error),
+) (AssumeRoleWithClientGrantsResponse, error) {
+        accessToken, err := getClientGrantsTokenExpiry()
+        if err != nil {
+                return AssumeRoleWithClientGrantsResponse{}, err
+        }
+        v := url.Values{}
+        v.Set("Action", "AssumeRoleWithClientGrants")
+        v.Set("Token", accessToken.Token)
+        v.Set("DurationSeconds", fmt.Sprintf("%d", accessToken.Expiry))
+        v.Set("Version", STSVersion)
+        u, err := url.Parse(endpoint)
+        if err != nil {
+                return AssumeRoleWithClientGrantsResponse{}, err
+        }
+        req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(v.Encode()))
+        if err != nil {
+                return AssumeRoleWithClientGrantsResponse{}, err
+        }
+        req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+        resp, err := clnt.Do(req)
+        if err != nil {
+                return AssumeRoleWithClientGrantsResponse{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                var errResp ErrorResponse
+                buf, err := io.ReadAll(resp.Body)
+                if err != nil {
+                        return AssumeRoleWithClientGrantsResponse{}, err
+                }
+                _, err = xmlDecodeAndBody(bytes.NewReader(buf), &errResp)
+                if err != nil {
+                        var s3Err Error
+                        if _, err = xmlDecodeAndBody(bytes.NewReader(buf), &s3Err); err != nil {
+                                return AssumeRoleWithClientGrantsResponse{}, err
+                        }
+                        errResp.RequestID = s3Err.RequestID
+                        errResp.STSError.Code = s3Err.Code
+                        errResp.STSError.Message = s3Err.Message
+                }
+                return AssumeRoleWithClientGrantsResponse{}, errResp
+        }
+        a := AssumeRoleWithClientGrantsResponse{}
+        if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
+                return AssumeRoleWithClientGrantsResponse{}, err
+        }
+        return a, nil
+}
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSClientGrants) Retrieve() (Value, error) {
+        a, err := getClientGrantsCredentials(m.Client, m.STSEndpoint, m.GetClientGrantsTokenExpiry)
+        if err != nil {
+                return Value{}, err
+        }
+        // Expiry window is set to 10secs.
+        m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     a.Result.Credentials.AccessKey,
+                SecretAccessKey: a.Result.Credentials.SecretKey,
+                SessionToken:    a.Result.Credentials.SessionToken,
+                SignerType:      SignatureV4,
+        }, nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_custom_identity.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_custom_identity.go
new file mode 100644
index 0000000..e1f9ce4
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_custom_identity.go
@@ -0,0 +1,146 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2015-2022 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "encoding/xml"
+        "errors"
+        "fmt"
+        "net/http"
+        "net/url"
+        "time"
+)
+// CustomTokenResult - Contains temporary creds and user metadata.
+type CustomTokenResult struct {
+        Credentials struct {
+                AccessKey    string    `xml:"AccessKeyId"`
+                SecretKey    string    `xml:"SecretAccessKey"`
+                Expiration   time.Time `xml:"Expiration"`
+                SessionToken string    `xml:"SessionToken"`
+        } `xml:",omitempty"`
+        AssumedUser string `xml:",omitempty"`
+}
+// AssumeRoleWithCustomTokenResponse contains the result of a successful
+// AssumeRoleWithCustomToken request.
+type AssumeRoleWithCustomTokenResponse struct {
+        XMLName  xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithCustomTokenResponse" json:"-"`
+        Result   CustomTokenResult `xml:"AssumeRoleWithCustomTokenResult"`
+        Metadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
+// CustomTokenIdentity - satisfies the Provider interface, and retrieves
+// credentials from MinIO using the AssumeRoleWithCustomToken STS API.
+type CustomTokenIdentity struct {
+        Expiry
+        Client *http.Client
+        // MinIO server STS endpoint to fetch STS credentials.
+        STSEndpoint string
+        // The custom token to use with the request.
+        Token string
+        // RoleArn associated with the identity
+        RoleArn string
+        // RequestedExpiry is to set the validity of the generated credentials
+        // (this value bounded by server).
+        RequestedExpiry time.Duration
+}
+// Retrieve - to satisfy Provider interface; fetches credentials from MinIO.
+func (c *CustomTokenIdentity) Retrieve() (value Value, err error) {
+        u, err := url.Parse(c.STSEndpoint)
+        if err != nil {
+                return value, err
+        }
+        v := url.Values{}
+        v.Set("Action", "AssumeRoleWithCustomToken")
+        v.Set("Version", STSVersion)
+        v.Set("RoleArn", c.RoleArn)
+        v.Set("Token", c.Token)
+        if c.RequestedExpiry != 0 {
+                v.Set("DurationSeconds", fmt.Sprintf("%d", int(c.RequestedExpiry.Seconds())))
+        }
+        u.RawQuery = v.Encode()
+        req, err := http.NewRequest(http.MethodPost, u.String(), nil)
+        if err != nil {
+                return value, err
+        }
+        resp, err := c.Client.Do(req)
+        if err != nil {
+                return value, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                return value, errors.New(resp.Status)
+        }
+        r := AssumeRoleWithCustomTokenResponse{}
+        if err = xml.NewDecoder(resp.Body).Decode(&r); err != nil {
+                return
+        }
+        cr := r.Result.Credentials
+        c.SetExpiration(cr.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     cr.AccessKey,
+                SecretAccessKey: cr.SecretKey,
+                SessionToken:    cr.SessionToken,
+                SignerType:      SignatureV4,
+        }, nil
+}
+// NewCustomTokenCredentials - returns credentials using the
+// AssumeRoleWithCustomToken STS API.
+func NewCustomTokenCredentials(stsEndpoint, token, roleArn string, optFuncs ...CustomTokenOpt) (*Credentials, error) {
+        c := CustomTokenIdentity{
+                Client:      &http.Client{Transport: http.DefaultTransport},
+                STSEndpoint: stsEndpoint,
+                Token:       token,
+                RoleArn:     roleArn,
+        }
+        for _, optFunc := range optFuncs {
+                optFunc(&c)
+        }
+        return New(&c), nil
+}
+// CustomTokenOpt is a function type to configure the custom-token based
+// credentials using NewCustomTokenCredentials.
+type CustomTokenOpt func(*CustomTokenIdentity)
+// CustomTokenValidityOpt sets the validity duration of the requested
+// credentials. This value is ignored if the server enforces a lower validity
+// period.
+func CustomTokenValidityOpt(d time.Duration) CustomTokenOpt {
+        return func(c *CustomTokenIdentity) {
+                c.RequestedExpiry = d
+        }
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go
new file mode 100644
index 0000000..ec5f3f0
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_ldap_identity.go
@@ -0,0 +1,189 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2019-2022 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bytes"
+        "encoding/xml"
+        "fmt"
+        "io"
+        "net/http"
+        "net/url"
+        "strings"
+        "time"
+)
+// AssumeRoleWithLDAPResponse contains the result of successful
+// AssumeRoleWithLDAPIdentity request
+type AssumeRoleWithLDAPResponse struct {
+        XMLName          xml.Name           `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithLDAPIdentityResponse" json:"-"`
+        Result           LDAPIdentityResult `xml:"AssumeRoleWithLDAPIdentityResult"`
+        ResponseMetadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
+// LDAPIdentityResult - contains credentials for a successful
+// AssumeRoleWithLDAPIdentity request.
+type LDAPIdentityResult struct {
+        Credentials struct {
+                AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+                SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+                Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+                SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+        } `xml:",omitempty"`
+        SubjectFromToken string `xml:",omitempty"`
+}
+// LDAPIdentity retrieves credentials from MinIO
+type LDAPIdentity struct {
+        Expiry
+        // Required http Client to use when connecting to MinIO STS service.
+        Client *http.Client
+        // Exported STS endpoint to fetch STS credentials.
+        STSEndpoint string
+        // LDAP username/password used to fetch LDAP STS credentials.
+        LDAPUsername, LDAPPassword string
+        // Session policy to apply to the generated credentials. Leave empty to
+        // use the full access policy available to the user.
+        Policy string
+        // RequestedExpiry is the configured expiry duration for credentials
+        // requested from LDAP.
+        RequestedExpiry time.Duration
+}
+// NewLDAPIdentity returns new credentials object that uses LDAP
+// Identity.
+func NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword string, optFuncs ...LDAPIdentityOpt) (*Credentials, error) {
+        l := LDAPIdentity{
+                Client:       &http.Client{Transport: http.DefaultTransport},
+                STSEndpoint:  stsEndpoint,
+                LDAPUsername: ldapUsername,
+                LDAPPassword: ldapPassword,
+        }
+        for _, optFunc := range optFuncs {
+                optFunc(&l)
+        }
+        return New(&l), nil
+}
+// LDAPIdentityOpt is a function type used to configured the LDAPIdentity
+// instance.
+type LDAPIdentityOpt func(*LDAPIdentity)
+// LDAPIdentityPolicyOpt sets the session policy for requested credentials.
+func LDAPIdentityPolicyOpt(policy string) LDAPIdentityOpt {
+        return func(k *LDAPIdentity) {
+                k.Policy = policy
+        }
+}
+// LDAPIdentityExpiryOpt sets the expiry duration for requested credentials.
+func LDAPIdentityExpiryOpt(d time.Duration) LDAPIdentityOpt {
+        return func(k *LDAPIdentity) {
+                k.RequestedExpiry = d
+        }
+}
+// NewLDAPIdentityWithSessionPolicy returns new credentials object that uses
+// LDAP Identity with a specified session policy. The `policy` parameter must be
+// a JSON string specifying the policy document.
+//
+// Deprecated: Use the `LDAPIdentityPolicyOpt` with `NewLDAPIdentity` instead.
+func NewLDAPIdentityWithSessionPolicy(stsEndpoint, ldapUsername, ldapPassword, policy string) (*Credentials, error) {
+        return New(&LDAPIdentity{
+                Client:       &http.Client{Transport: http.DefaultTransport},
+                STSEndpoint:  stsEndpoint,
+                LDAPUsername: ldapUsername,
+                LDAPPassword: ldapPassword,
+                Policy:       policy,
+        }), nil
+}
+// Retrieve gets the credential by calling the MinIO STS API for
+// LDAP on the configured stsEndpoint.
+func (k *LDAPIdentity) Retrieve() (value Value, err error) {
+        u, err := url.Parse(k.STSEndpoint)
+        if err != nil {
+                return value, err
+        }
+        v := url.Values{}
+        v.Set("Action", "AssumeRoleWithLDAPIdentity")
+        v.Set("Version", STSVersion)
+        v.Set("LDAPUsername", k.LDAPUsername)
+        v.Set("LDAPPassword", k.LDAPPassword)
+        if k.Policy != "" {
+                v.Set("Policy", k.Policy)
+        }
+        if k.RequestedExpiry != 0 {
+                v.Set("DurationSeconds", fmt.Sprintf("%d", int(k.RequestedExpiry.Seconds())))
+        }
+        req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(v.Encode()))
+        if err != nil {
+                return value, err
+        }
+        req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+        resp, err := k.Client.Do(req)
+        if err != nil {
+                return value, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                var errResp ErrorResponse
+                buf, err := io.ReadAll(resp.Body)
+                if err != nil {
+                        return value, err
+                }
+                _, err = xmlDecodeAndBody(bytes.NewReader(buf), &errResp)
+                if err != nil {
+                        var s3Err Error
+                        if _, err = xmlDecodeAndBody(bytes.NewReader(buf), &s3Err); err != nil {
+                                return value, err
+                        }
+                        errResp.RequestID = s3Err.RequestID
+                        errResp.STSError.Code = s3Err.Code
+                        errResp.STSError.Message = s3Err.Message
+                }
+                return value, errResp
+        }
+        r := AssumeRoleWithLDAPResponse{}
+        if err = xml.NewDecoder(resp.Body).Decode(&r); err != nil {
+                return
+        }
+        cr := r.Result.Credentials
+        k.SetExpiration(cr.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     cr.AccessKey,
+                SecretAccessKey: cr.SecretKey,
+                SessionToken:    cr.SessionToken,
+                SignerType:      SignatureV4,
+        }, nil
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_tls_identity.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_tls_identity.go
new file mode 100644
index 0000000..dee0a8c
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_tls_identity.go
@@ -0,0 +1,211 @@
+// MinIO Go Library for Amazon S3 Compatible Cloud Storage
+// Copyright 2021 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package credentials
+import (
+        "bytes"
+        "crypto/tls"
+        "encoding/xml"
+        "errors"
+        "io"
+        "net"
+        "net/http"
+        "net/url"
+        "strconv"
+        "time"
+)
+// CertificateIdentityOption is an optional AssumeRoleWithCertificate
+// parameter - e.g. a custom HTTP transport configuration or S3 credental
+// livetime.
+type CertificateIdentityOption func(*STSCertificateIdentity)
+// CertificateIdentityWithTransport returns a CertificateIdentityOption that
+// customizes the STSCertificateIdentity with the given http.RoundTripper.
+func CertificateIdentityWithTransport(t http.RoundTripper) CertificateIdentityOption {
+        return CertificateIdentityOption(func(i *STSCertificateIdentity) { i.Client.Transport = t })
+}
+// CertificateIdentityWithExpiry returns a CertificateIdentityOption that
+// customizes the STSCertificateIdentity with the given livetime.
+//
+// Fetched S3 credentials will have the given livetime if the STS server
+// allows such credentials.
+func CertificateIdentityWithExpiry(livetime time.Duration) CertificateIdentityOption {
+        return CertificateIdentityOption(func(i *STSCertificateIdentity) { i.S3CredentialLivetime = livetime })
+}
+// A STSCertificateIdentity retrieves S3 credentials from the MinIO STS API and
+// rotates those credentials once they expire.
+type STSCertificateIdentity struct {
+        Expiry
+        // STSEndpoint is the base URL endpoint of the STS API.
+        // For example, https://minio.local:9000
+        STSEndpoint string
+        // S3CredentialLivetime is the duration temp. S3 access
+        // credentials should be valid.
+        //
+        // It represents the access credential livetime requested
+        // by the client. The STS server may choose to issue
+        // temp. S3 credentials that have a different - usually
+        // shorter - livetime.
+        //
+        // The default livetime is one hour.
+        S3CredentialLivetime time.Duration
+        // Client is the HTTP client used to authenticate and fetch
+        // S3 credentials.
+        //
+        // A custom TLS client configuration can be specified by
+        // using a custom http.Transport:
+        //   Client: http.Client {
+        //       Transport: &http.Transport{
+        //           TLSClientConfig: &tls.Config{},
+        //       },
+        //   }
+        Client http.Client
+}
+var _ Provider = (*STSWebIdentity)(nil) // compiler check
+// NewSTSCertificateIdentity returns a STSCertificateIdentity that authenticates
+// to the given STS endpoint with the given TLS certificate and retrieves and
+// rotates S3 credentials.
+func NewSTSCertificateIdentity(endpoint string, certificate tls.Certificate, options ...CertificateIdentityOption) (*Credentials, error) {
+        if endpoint == "" {
+                return nil, errors.New("STS endpoint cannot be empty")
+        }
+        if _, err := url.Parse(endpoint); err != nil {
+                return nil, err
+        }
+        identity := &STSCertificateIdentity{
+                STSEndpoint: endpoint,
+                Client: http.Client{
+                        Transport: &http.Transport{
+                                Proxy: http.ProxyFromEnvironment,
+                                DialContext: (&net.Dialer{
+                                        Timeout:   30 * time.Second,
+                                        KeepAlive: 30 * time.Second,
+                                }).DialContext,
+                                ForceAttemptHTTP2:     true,
+                                MaxIdleConns:          100,
+                                IdleConnTimeout:       90 * time.Second,
+                                TLSHandshakeTimeout:   10 * time.Second,
+                                ExpectContinueTimeout: 5 * time.Second,
+                                TLSClientConfig: &tls.Config{
+                                        Certificates: []tls.Certificate{certificate},
+                                },
+                        },
+                },
+        }
+        for _, option := range options {
+                option(identity)
+        }
+        return New(identity), nil
+}
+// Retrieve fetches a new set of S3 credentials from the configured
+// STS API endpoint.
+func (i *STSCertificateIdentity) Retrieve() (Value, error) {
+        endpointURL, err := url.Parse(i.STSEndpoint)
+        if err != nil {
+                return Value{}, err
+        }
+        livetime := i.S3CredentialLivetime
+        if livetime == 0 {
+                livetime = 1 * time.Hour
+        }
+        queryValues := url.Values{}
+        queryValues.Set("Action", "AssumeRoleWithCertificate")
+        queryValues.Set("Version", STSVersion)
+        endpointURL.RawQuery = queryValues.Encode()
+        req, err := http.NewRequest(http.MethodPost, endpointURL.String(), nil)
+        if err != nil {
+                return Value{}, err
+        }
+        if req.Form == nil {
+                req.Form = url.Values{}
+        }
+        req.Form.Add("DurationSeconds", strconv.FormatUint(uint64(livetime.Seconds()), 10))
+        resp, err := i.Client.Do(req)
+        if err != nil {
+                return Value{}, err
+        }
+        if resp.Body != nil {
+                defer resp.Body.Close()
+        }
+        if resp.StatusCode != http.StatusOK {
+                var errResp ErrorResponse
+                buf, err := io.ReadAll(resp.Body)
+                if err != nil {
+                        return Value{}, err
+                }
+                _, err = xmlDecodeAndBody(bytes.NewReader(buf), &errResp)
+                if err != nil {
+                        var s3Err Error
+                        if _, err = xmlDecodeAndBody(bytes.NewReader(buf), &s3Err); err != nil {
+                                return Value{}, err
+                        }
+                        errResp.RequestID = s3Err.RequestID
+                        errResp.STSError.Code = s3Err.Code
+                        errResp.STSError.Message = s3Err.Message
+                }
+                return Value{}, errResp
+        }
+        const MaxSize = 10 * 1 << 20
+        var body io.Reader = resp.Body
+        if resp.ContentLength > 0 && resp.ContentLength < MaxSize {
+                body = io.LimitReader(body, resp.ContentLength)
+        } else {
+                body = io.LimitReader(body, MaxSize)
+        }
+        var response assumeRoleWithCertificateResponse
+        if err = xml.NewDecoder(body).Decode(&response); err != nil {
+                return Value{}, err
+        }
+        i.SetExpiration(response.Result.Credentials.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     response.Result.Credentials.AccessKey,
+                SecretAccessKey: response.Result.Credentials.SecretKey,
+                SessionToken:    response.Result.Credentials.SessionToken,
+                SignerType:      SignatureDefault,
+        }, nil
+}
+// Expiration returns the expiration time of the current S3 credentials.
+func (i *STSCertificateIdentity) Expiration() time.Time { return i.expiration }
+type assumeRoleWithCertificateResponse struct {
+        XMLName xml.Name `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithCertificateResponse" json:"-"`
+        Result  struct {
+                Credentials struct {
+                        AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+                        SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+                        Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+                        SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+                } `xml:"Credentials" json:"credentials,omitempty"`
+        } `xml:"AssumeRoleWithCertificateResult"`
+        ResponseMetadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go
new file mode 100644
index 0000000..2e2af50
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/sts_web_identity.go
@@ -0,0 +1,205 @@
+/*
+ * MinIO Go Library for Amazon S3 Compatible Cloud Storage
+ * Copyright 2019-2022 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package credentials
+import (
+        "bytes"
+        "encoding/xml"
+        "errors"
+        "fmt"
+        "io"
+        "net/http"
+        "net/url"
+        "strconv"
+        "strings"
+        "time"
+)
+// AssumeRoleWithWebIdentityResponse contains the result of successful AssumeRoleWithWebIdentity request.
+type AssumeRoleWithWebIdentityResponse struct {
+        XMLName          xml.Name          `xml:"https://sts.amazonaws.com/doc/2011-06-15/ AssumeRoleWithWebIdentityResponse" json:"-"`
+        Result           WebIdentityResult `xml:"AssumeRoleWithWebIdentityResult"`
+        ResponseMetadata struct {
+                RequestID string `xml:"RequestId,omitempty"`
+        } `xml:"ResponseMetadata,omitempty"`
+}
+// WebIdentityResult - Contains the response to a successful AssumeRoleWithWebIdentity
+// request, including temporary credentials that can be used to make MinIO API requests.
+type WebIdentityResult struct {
+        AssumedRoleUser AssumedRoleUser `xml:",omitempty"`
+        Audience        string          `xml:",omitempty"`
+        Credentials     struct {
+                AccessKey    string    `xml:"AccessKeyId" json:"accessKey,omitempty"`
+                SecretKey    string    `xml:"SecretAccessKey" json:"secretKey,omitempty"`
+                Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
+                SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
+        } `xml:",omitempty"`
+        PackedPolicySize            int    `xml:",omitempty"`
+        Provider                    string `xml:",omitempty"`
+        SubjectFromWebIdentityToken string `xml:",omitempty"`
+}
+// WebIdentityToken - web identity token with expiry.
+type WebIdentityToken struct {
+        Token       string
+        AccessToken string
+        Expiry      int
+}
+// A STSWebIdentity retrieves credentials from MinIO service, and keeps track if
+// those credentials are expired.
+type STSWebIdentity struct {
+        Expiry
+        // Required http Client to use when connecting to MinIO STS service.
+        Client *http.Client
+        // Exported STS endpoint to fetch STS credentials.
+        STSEndpoint string
+        // Exported GetWebIDTokenExpiry function which returns ID
+        // tokens from IDP. This function should return two values
+        // one is ID token which is a self contained ID token (JWT)
+        // and second return value is the expiry associated with
+        // this token.
+        // This is a customer provided function and is mandatory.
+        GetWebIDTokenExpiry func() (*WebIdentityToken, error)
+        // RoleARN is the Amazon Resource Name (ARN) of the role that the caller is
+        // assuming.
+        RoleARN string
+        // roleSessionName is the identifier for the assumed role session.
+        roleSessionName string
+}
+// NewSTSWebIdentity returns a pointer to a new
+// Credentials object wrapping the STSWebIdentity.
+func NewSTSWebIdentity(stsEndpoint string, getWebIDTokenExpiry func() (*WebIdentityToken, error)) (*Credentials, error) {
+        if stsEndpoint == "" {
+                return nil, errors.New("STS endpoint cannot be empty")
+        }
+        if getWebIDTokenExpiry == nil {
+                return nil, errors.New("Web ID token and expiry retrieval function should be defined")
+        }
+        return New(&STSWebIdentity{
+                Client: &http.Client{
+                        Transport: http.DefaultTransport,
+                },
+                STSEndpoint:         stsEndpoint,
+                GetWebIDTokenExpiry: getWebIDTokenExpiry,
+        }), nil
+}
+func getWebIdentityCredentials(clnt *http.Client, endpoint, roleARN, roleSessionName string,
+        getWebIDTokenExpiry func() (*WebIdentityToken, error),
+) (AssumeRoleWithWebIdentityResponse, error) {
+        idToken, err := getWebIDTokenExpiry()
+        if err != nil {
+                return AssumeRoleWithWebIdentityResponse{}, err
+        }
+        v := url.Values{}
+        v.Set("Action", "AssumeRoleWithWebIdentity")
+        if len(roleARN) > 0 {
+                v.Set("RoleArn", roleARN)
+                if len(roleSessionName) == 0 {
+                        roleSessionName = strconv.FormatInt(time.Now().UnixNano(), 10)
+                }
+                v.Set("RoleSessionName", roleSessionName)
+        }
+        v.Set("WebIdentityToken", idToken.Token)
+        if idToken.AccessToken != "" {
+                // Usually set when server is using extended userInfo endpoint.
+                v.Set("WebIdentityAccessToken", idToken.AccessToken)
+        }
+        if idToken.Expiry > 0 {
+                v.Set("DurationSeconds", fmt.Sprintf("%d", idToken.Expiry))
+        }
+        v.Set("Version", STSVersion)
+        u, err := url.Parse(endpoint)
+        if err != nil {
+                return AssumeRoleWithWebIdentityResponse{}, err
+        }
+        req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(v.Encode()))
+        if err != nil {
+                return AssumeRoleWithWebIdentityResponse{}, err
+        }
+        req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+        resp, err := clnt.Do(req)
+        if err != nil {
+                return AssumeRoleWithWebIdentityResponse{}, err
+        }
+        defer resp.Body.Close()
+        if resp.StatusCode != http.StatusOK {
+                var errResp ErrorResponse
+                buf, err := io.ReadAll(resp.Body)
+                if err != nil {
+                        return AssumeRoleWithWebIdentityResponse{}, err
+                }
+                _, err = xmlDecodeAndBody(bytes.NewReader(buf), &errResp)
+                if err != nil {
+                        var s3Err Error
+                        if _, err = xmlDecodeAndBody(bytes.NewReader(buf), &s3Err); err != nil {
+                                return AssumeRoleWithWebIdentityResponse{}, err
+                        }
+                        errResp.RequestID = s3Err.RequestID
+                        errResp.STSError.Code = s3Err.Code
+                        errResp.STSError.Message = s3Err.Message
+                }
+                return AssumeRoleWithWebIdentityResponse{}, errResp
+        }
+        a := AssumeRoleWithWebIdentityResponse{}
+        if err = xml.NewDecoder(resp.Body).Decode(&a); err != nil {
+                return AssumeRoleWithWebIdentityResponse{}, err
+        }
+        return a, nil
+}
+// Retrieve retrieves credentials from the MinIO service.
+// Error will be returned if the request fails.
+func (m *STSWebIdentity) Retrieve() (Value, error) {
+        a, err := getWebIdentityCredentials(m.Client, m.STSEndpoint, m.RoleARN, m.roleSessionName, m.GetWebIDTokenExpiry)
+        if err != nil {
+                return Value{}, err
+        }
+        // Expiry window is set to 10secs.
+        m.SetExpiration(a.Result.Credentials.Expiration, DefaultExpiryWindow)
+        return Value{
+                AccessKeyID:     a.Result.Credentials.AccessKey,
+                SecretAccessKey: a.Result.Credentials.SecretKey,
+                SessionToken:    a.Result.Credentials.SessionToken,
+                SignerType:      SignatureV4,
+        }, nil
+}
+// Expiration returns the expiration time of the credentials
+func (m *STSWebIdentity) Expiration() time.Time {
+        return m.expiration
+}