Add `CONSOLE_CREDENTIALS_URL` env var for service account credentials download

[chriswydra]

Problem

When creating a service account and using "Download for import" to get a credentials.json file, the url field in the downloaded JSON contains the value from CONSOLE_MINIO_SERVER (the internal console-to-S3 connection URL).

In many deployments, this internal URL differs from the external S3 endpoint that clients should actually use. For example:

• Internal: http://minio:9000 (Kubernetes service name)
• External: https://s3.example.com (public endpoint)

This makes the downloaded credentials.json unusable with tools like mc alias import without manual editing.

Current Behavior

In api/service_accounts_handlers.go, the URL is set via getMinIOServer():

return &models.ServiceAccountCreds{AccessKey: creds.AccessKey, SecretKey: creds.SecretKey, URL: getMinIOServer()}, nil

Which reads from CONSOLE_MINIO_SERVER in api/config.go:

func getMinIOServer() string {
    return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000"))
}

Proposed Solution

Add a new environment variable CONSOLE_CREDENTIALS_URL that allows administrators to specify the external S3 endpoint URL for downloaded credentials.

In api/consts.go:

ConsoleCredentialsURL = "CONSOLE_CREDENTIALS_URL"

In api/config.go:

func getCredentialsURL() string {
    // Check for explicit credentials endpoint URL (the external S3 URL clients should use)
    if url := env.Get(ConsoleCredentialsURL, ""); url != "" {
        return strings.TrimSpace(url)
    }
    // Fall back to the console's S3 server connection (existing behavior)
    return getMinIOServer()
}

In api/service_accounts_handlers.go:
Replace getMinIOServer() with getCredentialsURL() in the credential return statements.

Why Not Use Backend-Specific Variables?

This approach keeps opens3/console agnostic of the S3 backend. Rather than checking for MinIO-specific variables like MINIO_SERVER_URL, a console-native env var works for any S3-compatible backend:

• MinIO
• Ceph/RadosGW
• AWS S3
• Any S3-compatible storage

Example Usage

environment:
  - CONSOLE_MINIO_SERVER=http://minio:9000        # Internal connection
  - CONSOLE_CREDENTIALS_URL=https://s3.example.com # External endpoint for credentials

Backward Compatibility

When CONSOLE_CREDENTIALS_URL is not set, behavior remains unchanged (falls back to CONSOLE_MINIO_SERVER).

[chriswydra]

Update: Bug Confirmed in Frontend

After further investigation, I've confirmed the issue is in the frontend, not just the backend.

Actual Observed Behavior

When downloading credentials, the credentials.json contains:

{
  "url": "https://minio.example.com/api/v1/service-account-credentials",
  "accessKey": "...",
  "secretKey": "...",
  "api": "s3v4",
  "path": "auto"
}

Notice the URL is:

1. The Console URL (e.g., minio.example.com) - not the S3 API URL (e.g., s3.example.com)
2. Has the API endpoint path appended (/api/v1/service-account-credentials)

This makes the credentials completely unusable with mc alias import:

mc: <ERROR> Invalid URL. URL `https://minio.example.com/api/v1/service-account-credentials` for MinIO Client should be of the form scheme://host[:port]/ without resource component.

Root Cause Analysis

The backend API likely returns the correct URL from getMinIOServer(), but the frontend appears to be overwriting the url field with the request URL it used to fetch the credentials.

The fix may need to be in the frontend React code (likely in CredentialsPrompt.tsx or wherever the download is generated), in addition to or instead of the backend.

Environment Context

• MINIO_SERVER_URL is correctly set to the S3 API URL
• MINIO_BROWSER_REDIRECT_URL is set to the Console URL
• Backend passes MINIO_SERVER_URL → CONSOLE_MINIO_SERVER to the console
• Despite this, the downloaded credentials contain the Console URL + API path

This suggests the frontend is constructing the credentials.json client-side using window.location or similar, rather than using the URL returned by the API.