mirror of https://github.com/minio/docs.git synced 2025-07-21 12:02:14 +03:00

Expand the mc admin user docs (#836)

Restructure the existing `mc admin user` page into separate pages for
each subcommand. Also add missing details and correct errors.

Staged:

http://192.241.195.202:9000/staging/DOCS-785/linux/html/reference/minio-mc-admin/mc-admin-user.html

Fixes https://github.com/minio/docs/issues/785
This commit is contained in:
Andrea Longo
2023-04-28 14:03:11 -06:00
committed by GitHub
parent 1a0905f70e
commit 1c5454955b
18 changed files with 1588 additions and 780 deletions

View File

@ -140,16 +140,6 @@ The following table lists :mc:`mc admin` commands:
:start-after: start-mc-admin-user-desc :start-after: start-mc-admin-user-desc
:end-before: end-mc-admin-user-desc :end-before: end-mc-admin-user-desc
* - :mc:`mc admin user svcacct`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct.rst
:start-after: start-mc-admin-user-svcacct-desc
:end-before: end-mc-admin-user-svcacct-desc
* - :mc:`mc admin user sts`
- .. include:: /reference/minio-mc-admin/mc-admin-user-sts.rst
:start-after: start-mc-admin-user-sts-desc
:end-before: end-mc-admin-user-sts-desc
.. _mc-admin-install: .. _mc-admin-install:
Installation Installation
@ -227,4 +217,4 @@ See :ref:`minio-mc-global-options`.
/reference/minio-mc-admin/mc-admin-trace /reference/minio-mc-admin/mc-admin-trace
/reference/minio-mc-admin/mc-admin-update /reference/minio-mc-admin/mc-admin-update
/reference/minio-mc-admin/mc-admin-user /reference/minio-mc-admin/mc-admin-user
/reference/minio-mc-admin/mc-admin-user-svcacct
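Review bot: The toctree entry for `/reference/minio-mc-admin/mc-admin-user-svcacct` is dropped here, but that file still exists and is edited later in this change. Unless it is picked up by a toctree in `mc-admin-user.rst`, Sphinx will report it as not included in any toctree and it will lose its place in the navigation. Please confirm the new parent toctree lists it along with the new per-subcommand pages.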

View File

@ -0,0 +1,132 @@
.. _minio-mc-admin-user-add:
=====================
``mc admin user add``
=====================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user add
Syntax
------
.. start-mc-admin-user-add-desc
The :mc:`mc admin user add` command adds a new :ref:`MinIO user <minio-internal-idp>` to the target MinIO deployment.
.. end-mc-admin-user-add-desc
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command creates a new user ``newuser`` on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user add myminio newuser newusersecret
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user add \
ALIAS \
ACCESSKEY \
SECRETKEY
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ACCESSKEY
:required:
The access key that uniquely identifies the new user, similar to a username.
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment on which to create the new user.
.. mc-cmd:: SECRETKEY
:required:
The secret key for the new user. Consider the following guidance when creating a secret key:
- The key should be *unique*
- The key should be *long* (Greater than 12 characters)
- The key should be *complex* (A mixture of characters, numerals, and symbols)
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
Create a New User
~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user add` to create a user on a MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user add ALIAS ACCESSKEY SECRETKEY
- Replace :mc-cmd:`ALIAS <mc admin user add ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`ACCESSKEY <mc admin user add ACCESSKEY>` with the access key for the user.
- Replace :mc-cmd:`SECRETKEY <mc admin user add SECRETKEY>` with the secret key for the user.
MinIO *does not* provide any method for retrieving the secret key once set.
Specify a unique, random, and long string for both the ``ACCESSKEY`` and ``SECRETKEY``.
Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.
Behavior
--------
New Users Have No Default Policies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Newly created users have *no* policies by default and therefore cannot perform any operations on the MinIO deployment.
To configure a user's assigned policies, you can do either or both of the following:
- Use :mc-cmd:`mc admin policy attach` to associate one or more policies to the user.
- Use :mc-cmd:`mc admin group add` to associate the user to the group.
Users inherit any policies assigned to the group.
For more information on MinIO users and groups, see :ref:`minio-users` and :ref:`minio-groups`.
For more information on MinIO policies, see :ref:`MinIO Policy Based Access Control <minio-policy>`.
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
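Review bot: The EXAMPLE tab uses `newusersecret` as the secret key, which is neither complex (a mixture of characters, numerals, and symbols) as the SECRETKEY parameter asks, nor random as the Example section advises. Readers tend to copy examples verbatim, so consider a value that visibly follows the guidance, or a sentence saying the value is for illustration only. Separately, in "New Users Have No Default Policies", "associate the user to the group" has no earlier referent for "the group"; "a group" reads better.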

View File

@ -0,0 +1,105 @@
.. _minio-mc-admin-user-disable:
=========================
``mc admin user disable``
=========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user disable
Syntax
------
.. start-mc-admin-user-disable-desc
The :mc:`mc admin user disable` command disables a :ref:`MinIO user <minio-internal-idp>` on the target MinIO deployment.
.. end-mc-admin-user-disable-desc
Clients cannot use the user credentials to authenticate to the MinIO deployment.
Disabling a user does *not* remove that user from the deployment.
Use :mc-cmd:`mc admin user enable` to enable a disabled user on a MinIO deployment.
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command disables user ``myuser`` on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user disable myminio myuser
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user disable \
ALIAS \
USERNAME
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc:`alias <mc alias>` of the MinIO deployment with the user to disable.
.. mc-cmd:: USERNAME
:required:
The username of the user to disable.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
Disable a User
~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user disable` to disable a user on a MinIO deployment.
.. code-block:: shell
:class: copyable
mc admin user disable ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user disable TARGET>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user disable USERNAME>` with the username of the user to disable.
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
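Review bot: In the "Disable a User" example, the ALIAS bullet links to `mc admin user disable TARGET`, but the parameter on this page is declared as `.. mc-cmd:: ALIAS`, so the reference will not resolve. Change the target to `mc admin user disable ALIAS`, as the enable page already does.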

View File

@ -0,0 +1,105 @@
.. _minio-mc-admin-user-enable:
========================
``mc admin user enable``
========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user enable
Syntax
------
.. start-mc-admin-user-enable-desc
The :mc:`mc admin user enable` command enables a :ref:`MinIO user <minio-internal-idp>` on the target MinIO deployment.
.. end-mc-admin-user-enable-desc
Clients can only use enabled users to authenticate to the MinIO deployment.
Users created using :mc-cmd:`mc admin user add` are enabled by default.
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command enables user ``myuser`` on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user enable myminio myuser
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user enable \
ALIAS \
USERNAME
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc:`alias <mc alias>` of the MinIO deployment with the user to enable.
.. mc-cmd:: USERNAME
:required:
The username of the user to enable.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
Enable a User
~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user enable` to enable a user on a MinIO deployment.
.. code-block:: shell
:class: copyable
mc admin user enable ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user enable ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user enable USERNAME>` with the username of the user to enable.
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility

View File

@ -0,0 +1,110 @@
.. _minio-mc-admin-user-info:
======================
``mc admin user info``
======================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user info
Syntax
------
.. start-mc-admin-user-info-desc
The :mc:`mc admin user info` command returns detailed information of a :ref:`MinIO user <minio-internal-idp>` on the target MinIO deployment.
.. end-mc-admin-user-info-desc
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command returns details of user ``myuser`` on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user info myminio myuser
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user info \
ALIAS \
USERNAME
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment to retrieve user information from.
.. mc-cmd:: USERNAME
The username to retrieve information for.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
View User Details
~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user info` to view detailed user information for a user on a MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user info ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user info ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user info USERNAME>` with the username of the user to display information for.
The output resembles the following:
.. code-block:: shell
AccessKey: myuser
Status: enabled
PolicyName: readwrite
MemberOf:
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
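Review bot: The `.. mc-cmd:: USERNAME` parameter is missing the `:required:` option. The syntax block lists USERNAME as a positional argument without brackets, and the disable, enable and remove pages all mark it required, so add `:required:` here for consistency.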

View File

@ -0,0 +1,105 @@
.. _minio-mc-admin-user-list:
======================
``mc admin user list``
======================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user list
Syntax
------
.. start-mc-admin-user-list-desc
The :mc:`mc admin user list` command lists all :ref:`MinIO users <minio-internal-idp>` on the target MinIO deployment.
.. end-mc-admin-user-list-desc
:mc-cmd:`mc admin user list` does *not* return the access key or secret key associated to a user.
Use :mc-cmd:`mc admin user info` to retrieve detailed user information, including the user access key.
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command lists all users on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user list myminio
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user list \
ALIAS
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment from which the command lists users.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
List Available Users
~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user list` to list all users on a MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user list ALIAS
- Replace :mc-cmd:`ALIAS <mc admin user list ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
The output resembles the following:
.. code-block:: shell
enabled devadmin readwrite
enabled devtest readonly
enabled newuser
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
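Review bot: The opening statement that the command "does *not* return the access key" conflicts with the sample output in the Example section. The names shown there (`devadmin`, `devtest`, `newuser`) are the same kind of value that `mc admin user add` takes as ACCESSKEY and that `mc admin user info` prints as `AccessKey:`, so the list does expose access keys. Suggest narrowing the sentence to the secret key, or explaining what distinction is intended.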

View File

@ -0,0 +1,100 @@
.. _minio-mc-admin-user-remove:
========================
``mc admin user remove``
========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user remove
Syntax
------
.. start-mc-admin-user-remove-desc
The :mc:`mc admin user remove` command removes a :ref:`MinIO user <minio-internal-idp>` on the target MinIO deployment.
.. end-mc-admin-user-remove-desc
To manage external Identity Provider users, see :mc:`OIDC <mc admin idp openid>` or :mc:`AD/LDAP <mc admin idp ldap>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command removes user ``myuser`` on the ``myminio`` MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user remove myminio myuser
.. tab-item:: SYNTAX
Removes a user on the target MinIO deployment.
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user remove \
ALIAS \
USERNAME
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc:`alias <mc alias>` of the configured MinIO deployment with the user to remove.
.. mc-cmd:: USERNAME
:required:
The username of the user to remove.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Example
-------
Remove a User
~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user remove` to remove a user from a MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user remove ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user remove TARGET>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user remove USERNAME>` with the username of the user to remove.
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
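Review bot: In the "Remove a User" example, the ALIAS bullet links to `mc admin user remove TARGET`, but the parameter is declared as `.. mc-cmd:: ALIAS`, so the reference will not resolve; use `mc admin user remove ALIAS`. Also, the SYNTAX tab opens with "Removes a user on the target MinIO deployment.", which repeats the page description and does not appear in the SYNTAX tab of the sibling pages; it can be dropped.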

View File

@ -0,0 +1,90 @@
.. _minio-mc-admin-sts-info:
==============================
``mc admin user sts info``
==============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user sts info
Syntax
------
.. start-mc-admin-sts-info-desc
The :mc-cmd:`mc admin user sts info` command retrieves information on the specified STS credential, such as the parent :ref:`MinIO user <minio-internal-idp>` who generated the credentials, associated policies, and expiration.
.. end-mc-admin-sts-info-desc
:abbr:`STS (Security Token Service)` credentials provide temporary access to the MinIO deployment.
.. tab-set::
.. tab-item:: EXAMPLE
The following command retrieves information on the STS credentials with specified access key:
.. code-block:: shell
:class: copyable
mc admin user sts info myminio/ "J123C4ZXEQN8RK6ND35I"
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user sts info \
[--policy] \
ALIAS \
STSACCESSKEY
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: STSACCESSKEY
:required:
The access key for the STS credentials.
.. mc-cmd:: --policy
:optional:
Prints the policy attached to the specified STS credentials in JSON format.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
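Review bot: This page has no `.. versionadded::` directive, while the `mc admin user sts` page deleted in this same change carried `.. versionadded:: RELEASE.2023-02-16T19-20-11Z`. Unless that is preserved elsewhere in the change, add it here so readers on older `mc` releases know why the command is unavailable. Minor: the example passes the alias as `myminio/` with a trailing slash, while every other example in this change uses `myminio`; pick one form.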

View File

@ -1,89 +0,0 @@
.. _minio-mc-admin-user-sts:
=====================
``mc admin user sts``
=====================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user sts
Description
-----------
.. versionadded:: RELEASE.2023-02-16T19-20-11Z
.. start-mc-admin-user-sts-desc
The :mc:`mc admin user sts` command operates on credentials generated using a :ref:`Security Token Service (STS) <minio-security-token-service>` API.
.. end-mc-admin-user-sts-desc
:abbr:`STS (Security Token Service)` credentials provide temporary access to the MinIO deployment.
.. admonition:: Use ``mc admin`` on MinIO Deployments Only
:class: note
.. include:: /includes/facts-mc-admin.rst
:start-after: start-minio-only
:end-before: end-minio-only
The :mc:`mc admin user sts` command has the following subcommands:
.. list-table::
:header-rows: 1
:widths: 40 60
* - Subcommand
- Description
* - :mc-cmd:`mc admin user sts info`
- Retrieves information on the specified STS credential, including the parent user who generated the credentials, associated policies, and expiration.
Syntax
------
.. mc-cmd:: info
:fullpath:
Retrieves information on the specified STS credential, such as the parent user who generated the credentials, associated policies, and expiration.
.. tab-set::
.. tab-item:: EXAMPLE
The following command retrieves information on the STS credentials with specified access key:
.. code-block:: shell
:class: copyable
mc admin user sts info myminio/ "J123C4ZXEQN8RK6ND35I"
.. tab-item:: SYNTAX
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user sts info \
[--policy] \
ALIAS \
STSACCESSKEY
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment for which the STS credentials were generated.
.. mc-cmd:: STSACCESSKEY
:required:
The access key for the STS credentials.
.. mc-cmd:: --policy
:optional:
Prints the policy attached to the specified STS credentials in JSON format.

View File

@ -0,0 +1,127 @@
.. _minio-mc-admin-svcacct-add:
=============================
``mc admin user svcacct add``
=============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct add
Syntax
------
.. start-mc-admin-svcacct-add-desc
The :mc-cmd:`mc admin user svcacct add` command adds a new access key to an existing MinIO or AD/LDAP user.
.. end-mc-admin-svcacct-add-desc
.. admonition:: Access keys for OpenID Connect users
:class: note
To generate service account access keys for :ref:`OpenID Connect users <minio-external-identity-management-openid>`, use the :ref:`MinIO Console <minio-console>`.
.. tab-set::
.. tab-item:: EXAMPLE
The following command creates a new access key associated to an existing MinIO user:
.. code-block:: shell
:class: copyable
mc admin user svcacct add \
--access-key "myuserserviceaccount" \
--secret-key "myuserserviceaccountpassword" \
--policy "/path/to/policy.json" \
myminio myuser
The command returns the access key and secret key for the new account.
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct add \
[--access-key] \
[--secret-key] \
[--policy] \
[--comment] \
ALIAS \
USER
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: USER
:required:
The username of the user to which MinIO adds the new access key.
- For :ref:`MinIO-managed users <minio-users>`, specify the access key for the user.
- For :ref:`Active Directory/LDAP users <minio-external-identity-management-ad-ldap>`, specify the Distinguished Name of the user.
- For :ref:`OpenID Connect users <minio-external-identity-management-openid>`, use the :ref:`MinIO Console <minio-console>` to generate access keys.
.. mc-cmd:: --access-key
:optional:
A string to use as the access key for this account. Omit to let MinIO autogenerate a random value.
Access Key names *must* be unique across all users.
.. mc-cmd:: --comment
:optional:
.. versionadded:: RELEASE.2023-01-28T20-29-38Z
Add a note to the service account.
For example, you might specify the reason the service account exists.
.. mc-cmd:: --policy
:optional:
The path to a :ref:`policy document <minio-policy>` to attach to the new access key.
The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies.
.. mc-cmd:: --secret-key
:optional:
The secret key to associate with the new account. Omit to let MinIO autogenerate a random value.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
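Review bot: The `--policy` description says what the attached policy cannot do but not what applies when the flag is omitted. The parent `mc admin user svcacct` page states that each access key inherits the policies of its parent user, so a key created without `--policy` gets the parent's full access. Please state that default here, since it is the detail an operator needs when scoping a service account. It would also help to say under "The command returns the access key and secret key for the new account" whether the secret can be retrieved later, as the `mc admin user add` page does.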

View File

@ -0,0 +1,82 @@
.. _minio-mc-admin-svcacct-disable:
=================================
``mc admin user svcacct disable``
=================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct disable
Syntax
------
.. start-mc-admin-svcacct-disable-desc
The :mc-cmd:`mc admin user svcacct disable` command disables an existing access key.
.. end-mc-admin-svcacct-disable-desc
.. tab-set::
.. tab-item:: EXAMPLE
The following command disables the specified access key:
.. code-block:: shell
:class: copyable
mc admin user svcacct disable myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct disable \
ALIAS \
SERVICEACCOUNT
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The service account access key to disable.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
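Review bot: The description stops at "disables an existing access key" and does not say what that means for clients or how to reverse it. The `mc admin user disable` page states that clients cannot authenticate with the credentials and points to the enable command; one or two equivalent sentences here, with a link to `mc admin user svcacct enable`, would keep the pages consistent.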

View File

@ -0,0 +1,102 @@
.. _minio-mc-admin-svcacct-edit:
==============================
``mc admin user svcacct edit``
==============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct edit
Syntax
------
.. start-mc-admin-svcacct-edit-desc
The :mc-cmd:`mc admin user svcacct edit` command modifies the configuration of an access key associated to the specified user.
.. end-mc-admin-svcacct-edit-desc
.. tab-set::
.. tab-item:: EXAMPLE
The following command applies a new policy and secret key to the ``myuserserviceaccount`` access key on the ``myminio`` deployment:
.. code-block:: shell
:class: copyable
mc admin user svcacct edit \
--secret-key "myuserserviceaccountnewsecretkey" \
--policy "/path/to/new/policy.json" \
myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct edit \
[--secret-key] \
[--policy] \
ALIAS \
SERVICEACCOUNT
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The service account to modify.
.. mc-cmd:: --policy
:optional:
The path to a :ref:`policy document <minio-policy>` to attach to the new access key.
The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies.
The new policy overwrites any previously attached policy.
.. mc-cmd:: --secret-key
:optional:
The secret key to associate with the new access key.
Overwrites the previous secret key.
Applications using the access keys *must* update to use the new credentials to continue performing operations.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
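Review bot: The `--policy` and `--secret-key` descriptions both refer to "the new access key", wording carried over from the add page. This command modifies an existing access key, so both should read "the access key" or "the specified access key". In the same paragraph, "Applications using the access keys" should be singular to match.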

View File

@ -0,0 +1,82 @@
.. _minio-mc-admin-svcacct-enable:
================================
``mc admin user svcacct enable``
================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct enable
Syntax
------
.. start-mc-admin-svcacct-enable-desc
The :mc-cmd:`mc admin user svcacct enable` command enables an existing access key.
.. end-mc-admin-svcacct-enable-desc
.. tab-set::
.. tab-item:: EXAMPLE
The following command enables the specified access key:
.. code-block:: shell
:class: copyable
mc admin user svcacct enable myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct enable \
ALIAS \
SERVICEACCOUNT
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The service account access key to enable.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility

View File

@ -0,0 +1,157 @@
.. _minio-mc-admin-svcacct-info:
==============================
``mc admin user svcacct info``
==============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct info
Syntax
------
.. start-mc-admin-svcacct-info-desc
The :mc-cmd:`mc admin user svcacct info` command returns a description of the specified access key.
.. end-mc-admin-svcacct-info-desc
The description output includes the following details, as available:
- Access Key
- Parent user of the specified access key
- Access key status (``on`` or ``off``)
- Policy or policies
- Comment
- Expiration
Use :mc-cmd:`~mc admin user svcacct info --policy` to view the attached policies.
.. tab-set::
.. tab-item:: EXAMPLE
The following command returns information on the specified access key:
.. code-block:: shell
:class: copyable
mc admin user svcacct info myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct info \
[--policy] \
ALIAS \
SERVICEACCOUNT
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The service account access key to display.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Examples
--------
Display Service Account Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user svcacct info` to display details of a service account on a MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user svcacct info ALIAS SERVICEACCOUNT
- Replace :mc-cmd:`ALIAS <mc admin user add ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`SERVICEACCOUNT <mc admin user svcacct info SERVICEACCOUNT>` with the service account access key.
The output resembles the following:
.. code-block:: shell
AccessKey: myuserserviceaccount
ParentUser: myuser
Status: on
Comment:
Policy: implied
Expiration: no-expiry
Display Service Account Policy Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user svcacct info` to display the policies attached to service account:
.. code-block:: shell
:class: copyable
mc admin user svcacct info --policy ALIAS SERVICEACCOUNT
- Replace :mc-cmd:`ALIAS <mc admin user add ALIAS>` with the :mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`SERVICEACCOUNT <mc admin user svcacct info SERVICEACCOUNT>` with the service account access key.
The output resembles the following:
.. code-block:: shell
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
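Review bot: The Parameters section declares only ALIAS and SERVICEACCOUNT, yet the syntax block lists `[--policy]` and the description links to `mc admin user svcacct info --policy`. Without a `.. mc-cmd:: --policy` entry that reference has no target and the flag is undocumented; add one, as the sts info page does. In both examples the ALIAS bullet also links to `mc admin user add ALIAS` rather than this command's own ALIAS parameter.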

View File

@ -0,0 +1,82 @@
.. _minio-mc-admin-svcacct-list:
==============================
``mc admin user svcacct list``
==============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct list
Syntax
------
.. start-mc-admin-svcacct-list-desc
The :mc-cmd:`mc admin user svcacct list` command lists all access keys associated to the specified user.
.. end-mc-admin-svcacct-list-desc
.. tab-set::
.. tab-item:: EXAMPLE
The following command lists all access keys associated to the user with username ``admin1``:
.. code-block:: shell
:class: copyable
mc admin user svcacct list myminio admin1
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct list \
ALIAS \
USER
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: USER
:required:
The username of the user to display access keys for.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility

View File

@ -0,0 +1,84 @@
.. _minio-mc-admin-svcacct-remove:
================================
``mc admin user svcacct remove``
================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
.. mc:: mc admin user svcacct remove
Syntax
------
.. start-mc-admin-svcacct-remove-desc
The :mc-cmd:`mc admin user svcacct remove` command removes an access key associated to a user on the deployment.
.. end-mc-admin-svcacct-remove-desc
Applications can no longer authenticate using that access key after removal.
.. tab-set::
.. tab-item:: EXAMPLE
The following command removes the specified access key:
.. code-block:: shell
:class: copyable
mc admin user svcacct remove myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct remove \
ALIAS \
SERVICEACCOUNT
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-syntax
:end-before: end-minio-syntax
Parameters
~~~~~~~~~~
.. mc-cmd:: ALIAS
:required:
The :mc-cmd:`alias <mc alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The service account access key to remove.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
Behavior
--------
S3 Compatibility
~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-s3-compatibility
:end-before: end-minio-mc-s3-compatibility
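Review bot: The removed ``remove`` section declared ``:alias: rm`` and this new page does not mention it; if the alias is still supported, document it in the Syntax section. Since the page states that applications can no longer authenticate after removal, a cross-reference to ``mc admin user svcacct disable`` as the non-destructive alternative would help operators choose between the two. Minor: "associated to a user" reads better as "associated with a user".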

View File

@ -17,23 +17,17 @@ Description
.. start-mc-admin-user-svcacct-desc .. start-mc-admin-user-svcacct-desc
The :mc:`mc admin user svcacct` command creates and manages :ref:`Access Keys <minio-idp-service-account>` on a MinIO deployment. The :mc:`mc admin user svcacct` command and its subcommands create and manage :ref:`Access Keys <minio-idp-service-account>` on a MinIO deployment.
.. end-mc-admin-user-svcacct-desc .. end-mc-admin-user-svcacct-desc
Each access keys is linked to a :ref:`user identity <minio-authentication-and-identity-management>` and inherits the :ref:`policies <minio-policy>` attached to it's parent user *or* those groups in which the parent user has membership. Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. Each access key is linked to a :ref:`user identity <minio-authentication-and-identity-management>` and inherits the :ref:`policies <minio-policy>` attached to it's parent user *or* those groups in which the parent user has membership.
Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user.
:mc:`mc admin user svcacct` only supports creating access keys for :ref:`MinIO-managed <minio-users>` and :ref:`Active Directory/LDAP-managed <minio-external-identity-management-ad-ldap>` accounts. :mc:`mc admin user svcacct` only supports creating access keys for :ref:`MinIO-managed <minio-users>` and :ref:`Active Directory/LDAP-managed <minio-external-identity-management-ad-ldap>` accounts.
To create access keys for :ref:`OpenID Connect-managed users <minio-external-identity-management-openid>`, log into the :ref:`MinIO Console <minio-console>` and generate the access keys through the UI. To create access keys for :ref:`OpenID Connect-managed users <minio-external-identity-management-openid>`, log into the :ref:`MinIO Console <minio-console>` and generate the access keys through the UI.
.. admonition:: Use ``mc admin`` on MinIO Deployments Only
:class: note
.. include:: /includes/facts-mc-admin.rst
:start-after: start-minio-only
:end-before: end-minio-only
The :mc:`mc admin user svcacct` command has the following subcommands: The :mc:`mc admin user svcacct` command has the following subcommands:
.. list-table:: .. list-table::
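Review bot: The rewritten sentence fixes "Each access keys is" but keeps "attached to it's parent user"; that should be "its parent user". This hunk also deletes the "Use ``mc admin`` on MinIO Deployments Only" admonition from the svcacct page while the parent ``mc admin user`` page keeps it; if that is intentional because the parent page covers it, fine, otherwise keep the include here since readers can land on this page directly.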
@ -43,369 +37,51 @@ The :mc:`mc admin user svcacct` command has the following subcommands:
* - Subcommand * - Subcommand
- Description - Description
* - :mc-cmd:`mc admin user svcacct add` * - :mc:`~mc admin user svcacct add`
- Adds a new access keys to an existing MinIO or AD/LDAP user - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-add.rst
:start-after: start-mc-admin-svcacct-add-desc
:end-before: end-mc-admin-svcacct-add-desc
* - :mc:`~mc admin user svcacct disable`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst
:start-after: start-mc-admin-svcacct-disable-desc
:end-before: end-mc-admin-svcacct-disable-desc
* - :mc:`~mc admin user svcacct edit`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst
:start-after: start-mc-admin-svcacct-edit-desc
:end-before: end-mc-admin-svcacct-edit-desc
* - :mc:`~mc admin user svcacct enable`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst
:start-after: start-mc-admin-svcacct-enable-desc
:end-before: end-mc-admin-svcacct-enable-desc
* - :mc:`~mc admin user svcacct info`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-info.rst
:start-after: start-mc-admin-svcacct-info-desc
:end-before: end-mc-admin-svcacct-info-desc
* - :mc:`~mc admin user svcacct list`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-list.rst
:start-after: start-mc-admin-svcacct-list-desc
:end-before: end-mc-admin-svcacct-list-desc
* - :mc:`~mc admin user svcacct remove`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst
:start-after: start-mc-admin-svcacct-remove-desc
:end-before: end-mc-admin-svcacct-remove-desc
.. toctree::
:titlesonly:
:hidden:
/reference/minio-mc-admin/mc-admin-user-svcacct-add
/reference/minio-mc-admin/mc-admin-user-svcacct-disable
/reference/minio-mc-admin/mc-admin-user-svcacct-edit
/reference/minio-mc-admin/mc-admin-user-svcacct-enable
/reference/minio-mc-admin/mc-admin-user-svcacct-info
/reference/minio-mc-admin/mc-admin-user-svcacct-list
/reference/minio-mc-admin/mc-admin-user-svcacct-remove
* - :mc-cmd:`mc admin user svcacct list`
- Lists the existing access keys associated to a MinIO or AD/LDAP user.
* - :mc-cmd:`mc admin user svcacct remove`
- Removes a access keys from a MinIO or AD/LDAP user.
* - :mc-cmd:`mc admin user svcacct info`
- Returns detailed information on a access keys.
* - :mc-cmd:`mc admin user svcacct edit`
- Modifies the secret key or inline policy associated with a access keys.
* - :mc-cmd:`mc admin user svcacct enable`
- Enables a access keys.
* - :mc-cmd:`mc admin user svcacct disable`
- Disables a access keys.
Syntax
------
.. mc-cmd:: add
:fullpath:
Adds a new access keys associated to the specified user.
.. tab-set::
.. tab-item:: EXAMPLE
The following command creates a new access keys associated to an existing MinIO user:
.. code-block:: shell
:class: copyable
mc admin user svcacct add \
--access-key "myuserserviceaccount" \
--secret-key "myuserserviceaccountpassword" \
--policy "/path/to/policy.json" \
myminio myuser
The command returns the access key and secret key for the new account.
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct add \
[--access-key] \
[--secret-key] \
[--policy] \
[--comment] \
ALIAS \
USER
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: USER
:required:
The name of the user to which MinIO adds the new access keys.
- For :ref:`MinIO-managed users <minio-users>`, specify the access key for the user.
- For :ref:`Active Directory/LDAP users <minio-external-identity-management-ad-ldap>`, specify the Distinguished Name of the user.
- For :ref:`OpenID Connect users <minio-external-identity-management-openid>`, use the :ref:`MinIO Console <minio-console>` to generate access keys.
.. mc-cmd:: --access-key
:optional:
The access key to associate with the new access keys. Omit to direct MinIO to autogenerate the access key for the new access keys.
Access Key names *must* be unique across all users.
.. mc-cmd:: --secret-key
:optional:
The secret key to associate with the new access keys. Omit to direct MinIO to autogenerate the secret key for the new access keys.
.. mc-cmd:: --policy
:optional:
The path to a :ref:`policy document <minio-policy>` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies.
.. mc-cmd:: --comment
:optional:
.. versionadded:: RELEASE.2023-01-28T20-29-38Z
Add a note to the service account.
For example, you might specify the reason the service account exists.
.. mc-cmd:: list
:fullpath:
:alias: ls
Lists all access keys associated to the specified user.
.. tab-set::
.. tab-item:: EXAMPLE
The following command lists all access keys associated to an existing MinIO user:
.. code-block:: shell
:class: copyable
mc admin user svcacct list myminio myuser
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct list \
ALIAS \
USER
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: USER
:required:
The name of the user to which MinIO adds the new access keys.
- For :ref:`MinIO-managed users <minio-users>`, specify the access key for the user.
- For :ref:`Active Directory/LDAP users <minio-external-identity-management-ad-ldap>`, specify the Distinguished Name of the user.
- For :ref:`OpenID Connect users <minio-external-identity-management-openid>`, use the :ref:`MinIO Console <minio-console>` to list access keys.
.. mc-cmd:: remove
:fullpath:
:alias: rm
Removes a access keys associated to the specified user. Applications can no longer authenticate using that access keys after removal.
.. tab-set::
.. tab-item:: EXAMPLE
The following command removes the specified access keys:
.. code-block:: shell
:class: copyable
mc admin user svcacct remove myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct remove \
ALIAS \
SERVICEACCOUNT
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The access key for the access keys to remove.
.. mc-cmd:: info
:fullpath:
Returns a description of the specified access key.
The description output includes the following details, as available:
- Access Key
- Parent user of the specified access key
- Access key status (``on`` or ``off``)
- Policy or policies
- Comment
- Expiration
.. tab-set::
.. tab-item:: EXAMPLE
The following command returns detailed information on the specified access keys:
.. code-block:: shell
:class: copyable
mc admin user svcacct info --policy myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct info \
[--policy] \
ALIAS \
SERVICEACCOUNT
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The access key for the access keys to remove.
.. mc-cmd:: --policy
:optional:
Returns the policy attached to the access keys in JSON format. The output is ``null`` if the access keys has no attached policy.
.. mc-cmd:: edit
:fullpath:
:alias: set
Modifies the configuration of a access keys associated to the specified user.
.. tab-set::
.. tab-item:: EXAMPLE
The following command modifies the specified access keys:
.. code-block:: shell
:class: copyable
mc admin user svcacct edit \
--secret-key "myuserserviceaccountnewsecretkey" \
--policy "/path/to/new/policy.json" \
myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct edit \
[--secret-key] \
[--policy] \
ALIAS \
SERVICEACCOUNT
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The access key for the access keys to modify.
.. mc-cmd:: --secret-key
:optional:
The secret key to associate with the new access keys. Overwrites the previous secret key. Applications using the access keys *must* update to use the new credentials to continue performing operations.
.. mc-cmd:: --policy
:optional:
The path to a :ref:`policy document <minio-policy>` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies.
The new policy overwrites any previously attached policy.
.. mc-cmd:: enable
:fullpath:
Enables a access keys for the specified user. Applications can only authenticate using enabled access keys.
.. tab-set::
.. tab-item:: EXAMPLE
The following command enables the specified access keys:
.. code-block:: shell
:class: copyable
mc admin user svcacct enable myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct enable \
ALIAS \
SERVICEACCOUNT
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The access key for the access keys to enable.
.. mc-cmd:: disable
:fullpath:
Disables a access keys for the specified user. Applications can only authenticate using enabled access keys.
.. tab-set::
.. tab-item:: EXAMPLE
The following command disables the specified access keys:
.. code-block:: shell
:class: copyable
mc admin user svcacct disable myminio myuserserviceaccount
.. tab-item:: SYNTAX
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc [GLOBALFLAGS] admin user svcacct disable \
ALIAS \
SERVICEACCOUNT
.. mc-cmd:: ALIAS
:required:
The :ref:`alias <alias>` of the MinIO deployment.
.. mc-cmd:: SERVICEACCOUNT
:required:
The access key for the access keys to disable.
Global Flags
~~~~~~~~~~~~
.. include:: /includes/common-minio-mc.rst
:start-after: start-minio-mc-globals
:end-before: end-minio-mc-globals
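Review bot: The parameter text removed here carries constraints that matter for access control, and the hunk gives no way to confirm they survive on the new subpages: "The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies" (``add`` and ``edit`` ``--policy``), "Access Key names *must* be unique across all users" (``--access-key``), and the note that ``edit --secret-key`` overwrites the previous secret so applications must update. Please confirm each appears on ``mc-admin-user-svcacct-add`` and ``mc-admin-user-svcacct-edit``. The new table is driven entirely by ``start-mc-admin-svcacct-*-desc`` / ``end-mc-admin-svcacct-*-desc`` includes, so every subpage must define both markers or the row renders empty; the ``edit`` alias ``set`` from the removed text is also not surfaced anywhere in the new table.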

View File

@ -15,13 +15,18 @@ Description
.. start-mc-admin-user-desc .. start-mc-admin-user-desc
The :mc:`mc admin user` command manages users on a MinIO deployment. Clients The :mc:`mc admin user` command and its subcommands manage :ref:`MinIO users <minio-internal-idp>`.
*must* authenticate to the MinIO deployment with the access key and secret key
associated to a user on the deployment. MinIO users constitute a key component in
MinIO Identity and Access Management.
.. end-mc-admin-user-desc .. end-mc-admin-user-desc
Clients *must* authenticate to the MinIO deployment with the access key and secret key associated to a user on the deployment.
MinIO users constitute a key component in MinIO Identity and Access Management.
To manage users who authenticate using a 3rd party IDP, use the :mc:`mc admin` commands for the appropriate provider:
- For AD/LDAP, use :mc:`mc admin idp ldap`
- For OpenID Connect (OIDC) compatible providers, use :mc:`mc admin idp openid`
.. admonition:: Use ``mc admin`` on MinIO Deployments Only .. admonition:: Use ``mc admin`` on MinIO Deployments Only
:class: note :class: note
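Review bot: In the added paragraph, "3rd party IDP" should be spelled out as "third-party identity provider (IDP)", and the two bullets would be more useful if they linked to the existing AD/LDAP and OpenID Connect references (``minio-external-identity-management-ad-ldap``, ``minio-external-identity-management-openid``) that the svcacct page already uses. Moving "Clients *must* authenticate ..." below ``end-mc-admin-user-desc`` shortens the text included in the ``mc admin`` table, which looks intended; "associated to a user" could become "associated with a user" while the line is being touched.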
@ -29,307 +34,70 @@ MinIO Identity and Access Management.
:start-after: start-minio-only :start-after: start-minio-only
:end-before: end-minio-only :end-before: end-minio-only
Users and Policy-Based Access Control
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO uses Policy-Based Access Control (PBAC) to support *authorization* of
users who have successfully *authenticated* to the deployment. Each policy
includes rules that dictate the allowed or denied actions/resources on the
deployment. You can assign one or more :ref:`policies
<minio-policy>` to a User. Users *also* inherit the policies
of any groups of which they are members. A user's total set of permissions
includes their explicitly assigned policies *and* any policies inherited via
group membership.
Newly created users have *no* policies by default and therefore cannot perform Subcommands
any operations on the MinIO deployment. To configure a user's assigned policies, -----------
you can do either or both of the following:
:mc:`mc admin user` includes the following subcommands:
- Use :mc-cmd:`mc admin policy attach` to associate one or more policies to the user.
.. list-table::
- Use :mc-cmd:`mc admin group add` to associate the user to the group. Users :header-rows: 1
inherit any policies assigned to the group. :widths: 30 70
:width: 100%
Each user's total set of permissions consists of their explicitly assigned
permission *and* the inherited permissions from each of their assigned groups. * - Subcommand
- Description
For more information on MinIO users and groups, see
:ref:`minio-users` and :ref:`minio-groups`. For * - :mc:`~mc admin user add`
more information on MinIO policies, see :ref:`MinIO Policy Based Access Control <minio-policy>`. - .. include:: /reference/minio-mc-admin/mc-admin-user-add.rst
:start-after: start-mc-admin-user-add-desc
.. admonition:: ``Deny`` overrides ``Allow`` :end-before: end-mc-admin-user-add-desc
:class: note
* - :mc:`~mc admin user disable`
MinIO follows the IAM standard where a ``Deny`` rule overrides ``Allow`` rule - .. include:: /reference/minio-mc-admin/mc-admin-user-disable.rst
on the same action or resource. For example, if a user has an explicitly :start-after: start-mc-admin-user-disable-desc
assigned policy with an ``Allow`` rule for an action/resource while one of :end-before: end-mc-admin-user-disable-desc
its groups has an assigned policy with a ``Deny`` rule for that
action/resource, MinIO would apply only the ``Deny`` rule. * - :mc:`~mc admin user enable`
- .. include:: /reference/minio-mc-admin/mc-admin-user-enable.rst
For more information on IAM policy evaluation logic, see the IAM :start-after: start-mc-admin-user-enable-desc
documentation on :end-before: end-mc-admin-user-enable-desc
:iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
<reference_policies_evaluation-logic.html#policy-eval-denyallow>`. * - :mc:`~mc admin user info`
- .. include:: /reference/minio-mc-admin/mc-admin-user-info.rst
Examples :start-after: start-mc-admin-user-info-desc
-------- :end-before: end-mc-admin-user-info-desc
Create a New User * - :mc:`~mc admin user list`
~~~~~~~~~~~~~~~~~ - .. include:: /reference/minio-mc-admin/mc-admin-user-list.rst
:start-after: start-mc-admin-user-list-desc
Use :mc-cmd:`mc admin user add` to create a user on an S3-compatible host: :end-before: end-mc-admin-user-list-desc
.. code-block:: shell * - :mc:`~mc admin user remove`
:class: copyable - .. include:: /reference/minio-mc-admin/mc-admin-user-remove.rst
:start-after: start-mc-admin-user-remove-desc
mc admin user add ALIAS ACCESSKEY SECRETKEY :end-before: end-mc-admin-user-remove-desc
- Replace :mc-cmd:`ALIAS <mc admin user add TARGET>` with the * - :mc-cmd:`sts info <mc admin user sts info>`
:mc-cmd:`alias <mc alias>` of the S3-compatible host. - .. include:: /reference/minio-mc-admin/mc-admin-user-sts-info.rst
:start-after: start-mc-admin-sts-info-desc
- Replace :mc-cmd:`ACCESSKEY <mc admin user add ACCESSKEY>` with the :end-before: end-mc-admin-sts-info-desc
access key for the user. MinIO allows retrieving the access key after
user creation through the :mc-cmd:`mc admin user info` command. * - :mc:`~mc admin user svcacct`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct.rst
- Replace :mc-cmd:`SECRETKEY <mc admin user add SECRETKEY>` with the :start-after: start-mc-admin-user-svcacct-desc
secret key for the user. MinIO *does not* provide any method for retrieving :end-before: end-mc-admin-user-svcacct-desc
the secret key once set.
.. toctree::
Specify a unique, random, and long string for both the ``ACCESSKEY`` and :titlesonly:
``SECRETKEY``. Your organization may have specific internal or regulatory :hidden:
requirements around generating values for use with access or secret keys.
/reference/minio-mc-admin/mc-admin-user-add
List Available Users /reference/minio-mc-admin/mc-admin-user-disable
~~~~~~~~~~~~~~~~~~~~ /reference/minio-mc-admin/mc-admin-user-enable
/reference/minio-mc-admin/mc-admin-user-info
Use :mc-cmd:`mc admin user list` to list all users on an S3-compatible host: /reference/minio-mc-admin/mc-admin-user-list
/reference/minio-mc-admin/mc-admin-user-remove
.. code-block:: shell /reference/minio-mc-admin/mc-admin-user-sts-info
:class: copyable /reference/minio-mc-admin/mc-admin-user-svcacct
mc admin user list ALIAS
- Replace :mc-cmd:`ALIAS <mc admin user list TARGET>` with the
:mc-cmd:`alias <mc alias>` of the S3-compatible host.
:mc-cmd:`mc admin user list` does *not* return the access key or secret key
associated to a user. Use :mc-cmd:`mc admin user info` to retrieve detailed
user information, including the user access key.
View User Details
~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user info` to view detailed user information on an
S3-compatible host:
.. code-block:: shell
:class: copyable
mc admin user info ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user info TARGET>` with the
:mc-cmd:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`USERNAME <mc admin user info USERNAME>` with the name of
the user.
Remove a User
~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user remove` to remove a user from an S3-compatible host:
.. code-block:: shell
:class: copyable
mc admin user remove ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user remove TARGET>` with the
:mc-cmd:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`USERNAME <mc admin user remove USERNAME>` with the name of
the user to remove.
Disable a User
~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user disable` to disable a user on an S3-compatible host.
Disabling a user prevents clients from authenticating to the S3 host with that
user's credentials, but does *not* remove that user from the S3 host.
Use :mc-cmd:`mc admin user enable` to enable a disabled user on an S3-compatible
host.
.. code-block:: shell
:class: copyable
mc admin user disable ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user disable TARGET>` with the
:mc-cmd:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`USERNAME <mc admin user disable USERNAME>` with the name of
the user to disable.
Enable a User
~~~~~~~~~~~~~
Use :mc-cmd:`mc admin user enable` to enable a user on an S3-compatible
host.
.. code-block:: shell
:class: copyable
mc admin user enable ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user enable TARGET>` with the
:mc-cmd:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`USERNAME <mc admin user enable USERNAME>` with the name of
the user to enable.
Syntax
------
.. mc-cmd:: add
:fullpath:
Adds new user to the target MinIO deployment. The command has the following
syntax:
.. code-block:: shell
:class: copyable
mc admin user add TARGET ACCESSKEY SECRETKEY
The command accepts the following arguments:
.. mc-cmd:: TARGET
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment on which
the command creates the new user.
.. mc-cmd:: ACCESSKEY
The access key that uniquely identifies the new user, similar to a
username.
.. mc-cmd:: SECRETKEY
The secret key for the new user. Consider the following guidance
when creating a secret key:
- The key should be *unique*
- The key should be *long* (Greater than 12 characters)
- The key should be *complex* (A mixture of characters, numerals, and symbols)
.. mc-cmd:: list
:fullpath:
Lists all users on the target MinIO deployment. The command has the
following syntax:
.. code-block:: shell
:class: copyable
mc admin user list TARGET
The command accepts the following argument:
.. mc-cmd:: TARGET
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment from which
the command lists users.
.. mc-cmd:: info
:fullpath:
Returns detailed information of a user on the target MinIO deployment. The
command has the following syntax:
.. code-block:: shell
:class: copyable
mc admin user info TARGET USERNAME
The command accepts the following arguments:
.. mc-cmd:: TARGET
The :mc-cmd:`alias <mc alias>` of a configured MinIO deployment from
which the command retrieves the specified user information.
.. mc-cmd:: USERNAME
The name of the user whose information the command retrieves.
.. mc-cmd:: remove
Removes a user from the target MinIO deployment. The command has the
following syntax:
.. code-block:: shell
:class: copyable
mc admin user remove TARGET USERNAME
The command supports the following arguments:
.. mc-cmd:: TARGET
The :mc:`alias <mc alias>` of a configured MinIO deployment on which
the command removes the specified user.
.. mc-cmd:: USERNAME
The name of the user which the command removes.
.. mc-cmd:: disable
:fullpath:
Disables a user on the target MinIO deployment. Clients cannot use the
user credentials to authenticate to the MinIO deployment. Disabling
a user does *not* remove that user from the deployment.
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc admin user disable TARGET USERNAME
The command supports the following arguments:
.. mc-cmd:: TARGET
The :mc:`alias <mc alias>` of a configured MinIO deployment on which
the command disables the specified user.
.. mc-cmd:: USERNAME
The name of the user to disable.
.. mc-cmd:: enable
:fullpath:
Enables a user on the target deployment. Clients can only use enabled
users to authenticate to the MinIO deployment. Users created using
:mc-cmd:`mc admin user add` are enabled by default.
The command has the following syntax:
.. code-block:: shell
:class: copyable
mc admin user enable TARGET USERNAME
The command supports the following arguments:
.. mc-cmd:: TARGET
The :mc:`alias <mc alias>` of a configured MinIO deployment on which
the command enables the specified user.
.. mc-cmd:: USERNAME
The name of the user to enable.
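Review bot: This hunk deletes the whole "Users and Policy-Based Access Control" section, including "Newly created users have *no* policies by default", the ``Deny`` overrides ``Allow`` admonition, the statement that MinIO "*does not* provide any method for retrieving the secret key once set", and the secret key guidance (unique, longer than 12 characters, complex). None of that is replaced on this page, so please confirm it is carried on ``mc-admin-user-add`` or add a link to :ref:`minio-policy` and :ref:`minio-users` under the new Subcommands heading. In the new table, the ``sts info`` row uses ``:mc-cmd:`sts info <mc admin user sts info>``` while every other row uses the ``:mc:`~mc admin user ...``` form; make the role and link text consistent.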