S3 key "aws:SecureTransport" isn't properly set with Minio SSL Setup #3294

Open
UKFr-DIZ opened this issue Apr 12, 2024 · 0 comments
Hi,

I have properly configured an SSL setup for the minio server.
We have a simple Apache reverse proxy in front of the minio server (+ console) which handles the SSL termination.
The proxy communicates locally over HTTP with the minio server; however, that shouldn't affect the aws:SecureTransport context var.

condition.AWSSecureTransport.Name(): {strconv.FormatBool(getMinIOEndpointIsSecure())},

It should be set to true, as long as the MINIO_SERVER_URL starts with https. Our URL looks like this: https://<server>:9000. The MINIO_BROWSER_REDIRECT_URL looks the same, just with no port number at the end (443).

Given the "only SSL" IAM Policy below it fails to properly work, which leads to my understanding

Expected Behavior

When setting the following policy, I expect to be able to access all buckets regularly, given I have the proper SSL setup. Meaning the aws:SecureTransport variable should always be set true.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow SSL communication only",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": [
                        "false"
                    ]
                }
            }
        }
    ]
}

Current Behavior

When enabling that policy for a user, it falsely denies all S3 access / rights.

Any idea how to progress with debugging or analyzing the problem? I don't know how to actually check the s3 context keys.

Your Environment

  • MinIO version used (minio --version): minio version RELEASE.2024-02-06T21-36-22Z (commit-id=980fb5e2ab3674287207c9388bb8fda7a142cc64)
    Runtime: go1.21.6 linux/amd64
  • Server setup and configuration: Linux Ubuntu Server 22.02
@UKFr-DIZ UKFr-DIZ changed the title Minio SSL only policy doesn't work with minio SSL setup S3 key "aws:SecureTransport" isn't properly set with Minio SSL Setup May 15, 2024
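
An added example, not part of the issue and not MinIO's own code: a small Go evaluator for the Deny statement quoted above, showing that it only fires when the request context carries aws:SecureTransport = "false". The names boolMatches and deniedBy are hypothetical, the context map mirrors the key/[]string shape of the Go line quoted in the issue, and treating a key that is absent from the context as non-matching follows AWS Bool semantics (an assumption about the server).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// policyJSON is the policy from the issue, compacted onto one line.
const policyJSON = `{"Version":"2012-10-17","Statement":[{"Sid":"Allow SSL communication only","Effect":"Deny","Action":["s3:*"],"Resource":["arn:aws:s3:::*"],"Condition":{"Bool":{"aws:SecureTransport":["false"]}}}]}`

type statement struct {
	Sid, Effect string
	Condition   map[string]map[string][]string
}

// boolMatches: every key must be in ctx with a value listed in the policy; absent keys never match.
func boolMatches(cond, ctx map[string][]string) bool {
	for key, want := range cond {
		got := ctx[key]
		hit := false
		for _, w := range want {
			hit = hit || (len(got) > 0 && strings.EqualFold(w, got[0]))
		}
		if !hit {
			return false
		}
	}
	return true
}

// deniedBy returns the Sid of the first matching Deny statement, or "".
// Action/Resource matching is skipped: the policy uses wildcards for both.
func deniedBy(doc string, ctx map[string][]string) (string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return "", err
	}
	for _, s := range p.Statement {
		if s.Effect == "Deny" && boolMatches(s.Condition["Bool"], ctx) {
			return s.Sid, nil
		}
	}
	return "", nil
}

func main() {
	sid, err := deniedBy(policyJSON, map[string][]string{"aws:SecureTransport": {"false"}})
	fmt.Printf("denied-by=%q err=%v\n", sid, err)
}
```

Only Bool conditions are evaluated here; a Deny statement that uses other condition operators would need those operators added before its result means anything.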