I am using Python MinIO SDK, but there are admin operations that it cannot do, and then we use the mc binary instead. But the binary has all these files on disk that we can't have in our ENV so we need to kick it out.

I'm trying to simulate what the binary does, and while reviewing the --debug option I noticed that it access the following:

<DEBUG> PUT /minio/admin/v3/add-service-account HTTP/1.1
Host: myminio.server:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2025-01-17T23-25-50Z
Content-Length: 254
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=myuser/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: 2......
X-Amz-Date: 2...

(edited based on comment) Then, I tried taking the parameters to some requests.put example, but I'm unable to make it work

import requests
from requests_aws4auth import AWS4Auth

auth = AWS4Auth(ak, sk, '', 's3')

headers = {
  "MINIO_ACCESS_KEY": "a...",
  "MINIO_SECRET_KEY": "m...",
  "MINIO_PATH": "auto",
  "MINIO_API": "s3v4"
}

res = requests.get(":9000/minio/admin/v3/list-access-keys-bulk?all=true&listType=all",
             auth=auth,
             verify=False)

The headers look great, yet i'm unable to match the signature

{
  "Code": "SignatureDoesNotMatch",
  "Message": "The request signature we calculated does not match the signature you provided. Check your key and signing method.",
  "Resource": "/minio/admin/v3/list-access-keys-bulk",
  "RequestId": "1...",
  "HostId": "d..."
}

# request headers looks the same as the `mc` binary
'x-amz-date': '20250203T094648Z', 
'x-amz-content-sha256': 'e3b0...', 
'Authorization': 'AWS4-HMAC-SHA256 Credential=myuser/20250203//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**'

Error I get makes me believe it's not that simple to implement. Anyone knows how to make it work?

I am using Python MinIO SDK, but there are admin operations that it cannot do, and then we use the mc binary instead. But the binary has all these files on disk that we can't have in our ENV so we need to kick it out.

I'm trying to simulate what the binary does, and while reviewing the --debug option I noticed that it access the following:

<DEBUG> PUT /minio/admin/v3/add-service-account HTTP/1.1
Host: myminio.server:9000
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 mc/RELEASE.2025-01-17T23-25-50Z
Content-Length: 254
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=myuser/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: 2......
X-Amz-Date: 2...

(edited based on comment) Then, I tried taking the parameters to some requests.put example, but I'm unable to make it work

import requests
from requests_aws4auth import AWS4Auth

auth = AWS4Auth(ak, sk, '', 's3')

headers = {
  "MINIO_ACCESS_KEY": "a...",
  "MINIO_SECRET_KEY": "m...",
  "MINIO_PATH": "auto",
  "MINIO_API": "s3v4"
}

res = requests.get("https://myminio.server:9000/minio/admin/v3/list-access-keys-bulk?all=true&listType=all",
             auth=auth,
             verify=False)

The headers look great, yet i'm unable to match the signature

{
  "Code": "SignatureDoesNotMatch",
  "Message": "The request signature we calculated does not match the signature you provided. Check your key and signing method.",
  "Resource": "/minio/admin/v3/list-access-keys-bulk",
  "RequestId": "1...",
  "HostId": "d..."
}

# request headers looks the same as the `mc` binary
'x-amz-date': '20250203T094648Z', 
'x-amz-content-sha256': 'e3b0...', 
'Authorization': 'AWS4-HMAC-SHA256 Credential=myuser/20250203//s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**'

Error I get makes me believe it's not that simple to implement. Anyone knows how to make it work?

• python
• python-3.x
• minio

• 1 You could try using requests_aws4auth—it wraps the requests library to handle AWS Signature v4 authentication, which might help with MinIO or other AWS-compatible services. Just a suggestion. – Rakesh B Sirvi Commented Feb 3 at 8:02
• I think it's getting better, yet i'm doing something wrong: {"Code":"SignatureDoesNotMatch","Message":"The request signature we calculated does not match the signature you provided. Check your key and signing method.} i'll update my example above – Ricky Levi Commented Feb 3 at 9:44
• what region did you use in your minIO server? If you haven't then there must be a default value which the server allots. – Rakesh B Sirvi Commented Feb 3 at 13:09
• Default value is us-east-1 . Note: When used with minio server, use the region specified in its config file (defaults to us-east-1). Resource : Bucket region You have not set the region while initializing the auth object : auth = AWS4Auth(ak, sk, '', 's3') – Rakesh B Sirvi Commented Feb 3 at 13:14
• 1 I found a script inside minio which isn't documented, called: github/minio/minio-py/blob/master/minio/minioadmin.py, and I was able to create users as admin ! i'll update my answer – Ricky Levi Commented Feb 3 at 19:47

1 Answer 1

Found an undocumented script that does what I need, called minioadmin

import urllib3
from minio import minioadmin
from minio import Minio

access_key = 'myAdminUser'
secret_key = 'myAdminPassword'
endpoint   = 'myminio.server:9000'
CA         = '/path/to/my/ca.pem'    

http_client = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=CA)
client = Minio(endpoint, access_key, secret_key, secure=True, http_client=http_client)

# Special object Credentials that is generated inside
credentials = client._provider

madmin = minioadmin.MinioAdmin(endpoint, credentials=credentials, secure=True, cert_check=True, http_client=http_client)
res = madmin.add_service_account('new_user', 'newhashpass', name='new_user_token', expiration='2025-02-03T17:04:05Z', description='My New User')
#                 ^^^
#      This is: /bin/mc admin accesskey create ....


token = json.loads(res['credentials'])
# token['accessKey'], token['secretKey']