diff --git a/source/security/minio-identity-management/policy-based-access-control.rst b/source/security/minio-identity-management/policy-based-access-control.rst index 1d8d01e6..8b411b61 100644 --- a/source/security/minio-identity-management/policy-based-access-control.rst +++ b/source/security/minio-identity-management/policy-based-access-control.rst @@ -8,7 +8,7 @@ Policy Management .. contents:: Table of Contents :local: - :depth: 2 + :depth: 1 Overview -------- @@ -141,8 +141,8 @@ policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference } - For the ``Statement.Action`` array, specify one or more - :ref:`supported S3 actions `. MinIO deployments - supports a subset of AWS S3 actions. + :ref:`supported S3 API operations `. MinIO deployments + supports a subset of AWS S3 API operations. - For the ``Statement.Resource`` key, you can replace the ``*`` with the specific bucket to which the policy statement should apply. 
@@ -160,80 +160,213 @@ Supported S3 Policy Actions MinIO policy documents support a subset of IAM :iam-docs:`S3 Action keys `. -The following table lists the MinIO-supported policy action keys. +The following actions control access to common S3 operations. The remaining +subsections document actions for more advanced S3 operations: .. policy-action:: s3:* - Selector for all supported S3 actions. - -.. policy-action:: s3:AbortMultipartUpload - - Corresponds to the :s3-api:`s3:AbortMultipartUpload - ` IAM action. + Selector for *all* MinIO S3 operations. Applying this action to a given + resource allows the user to perform *any* S3 operation against that + resource. .. policy-action:: s3:CreateBucket - Corresponds to the :s3-api:`s3:CreateBucket ` IAM - action. + Controls access to the :s3-api:`CreateBucket ` S3 API + operation. .. policy-action:: s3:DeleteBucket - Corresponds to the :s3-api:`s3:DeleteBucket ` IAM - action. + Controls access to the :s3-api:`DeleteBucket ` S3 API + operation. .. policy-action:: s3:ForceDeleteBucket - Corresponds to the :s3-api:`s3:DeleteBucket ` - IAM action for operations with the ``x-minio-force-delete`` flag. - -.. policy-action:: s3:DeleteBucketPolicy - - Corresponds to the :s3-api:`s3:DeleteBucketPolicy - ` IAM action. - -.. policy-action:: s3:DeleteObject - - Corresponds to the :s3-api:`s3:DeleteObject ` IAM - action. + Controls access to the :s3-api:`DeleteBucket ` + S3 API operation for operations with the ``x-minio-force-delete`` flag. + Required for removing non-empty buckets. .. policy-action:: s3:GetBucketLocation - Corresponds to the :s3-api:`s3:GetBucketLocation - ` IAM action. - -.. policy-action:: s3:GetBucketNotification - - Corresponds to the :s3-api:`s3:GetBucketNotification - ` IAM action. - -.. policy-action:: s3:GetBucketPolicy - - Corresponds to the :s3-api:`s3:GetBucketPolicy ` - IAM action. - -.. policy-action:: s3:GetObject - - Corresponds to the :s3-api:`s3:GetObject ` IAM action. - -.. 
policy-action:: s3:HeadBucket - - Corresponds to the :s3-api:`s3:HeadBucket ` IAM action. - - *This action is unused in MinIO.* + Controls access to the :s3-api:`GetBucketLocation + ` S3 API operation. .. policy-action:: s3:ListAllMyBuckets - Corresponds to the :s3-api:`s3:ListAllMyBuckets ` - IAM action. + Controls access to the :s3-api:`ListBuckets ` + S3 API operation. + +.. policy-action:: s3:DeleteObject + + Controls access to the :s3-api:`DeleteObject ` S3 API + operation. + +.. policy-action:: s3:GetObject + + Controls access to the :s3-api:`GetObject ` S3 API + operation. .. policy-action:: s3:ListBucket - Corresponds to the :s3-api:`s3:ListBucket ` IAM action. + Controls access to the :s3-api:`ListObjectsV2 ` S3 API + operation. -.. policy-action:: s3:ListMultipartUploads +.. policy-action:: s3:PutObject - Corresponds to the :s3-api:`s3:ListMultipartUploads - ` IAM action. + Controls access to the :s3-api:`PutObject ` S3 API + operation. + +.. policy-action:: s3:PutObjectTagging + + Controls access to the :s3-api:`PutObjectTagging ` + S3 API operation. + +.. policy-action:: s3:GetObjectTagging + + Controls access to the :s3-api:`GetObjectTagging ` + S3 API operation. + +Bucket Configuration +~~~~~~~~~~~~~~~~~~~~ + +.. policy-action:: s3:GetBucketPolicy + + Controls access to the :s3-api:`GetBucketPolicy ` + S3 API operation. + +.. policy-action:: s3:PutBucketPolicy + + Controls access to the :s3-api:`PutBucketPolicy ` + S3 API operation. + +.. policy-action:: s3:DeleteBucketPolicy + + Controls access to the :s3-api:`DeleteBucketPolicy + ` S3 API operation. + +.. policy-action:: s3:GetBucketTagging + + Controls access to the :s3-api:`GetBucketTagging ` + S3 API operation. + +.. policy-action:: s3:PutBucketTagging + + Controls access to the :s3-api:`PutBucketTagging ` + S3 API operation. + +Multipart Upload +~~~~~~~~~~~~~~~~ + +.. policy-action:: s3:AbortMultipartUpload + + Controls access to the :s3-api:`AbortMultipartUpload + ` S3 API operation. + +.. 
policy-action:: s3:ListMultipartUploadParts + + Controls access to the :s3-api:`ListParts ` S3 API + operation. + +.. policy-action:: s3:ListBucketMultipartUploads + + Controls access to the :s3-api:`ListMultipartUploads + ` S3 API operation. + +Versioning and Retention +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. policy-action:: s3:PutBucketVersioning + + Controls access to the :s3-api:`PutBucketVersioning + ` S3 API operation. + +.. policy-action:: s3:GetBucketVersioning + + Controls access to the :s3-api:`GetBucketVersioning + ` S3 API operation. + +.. policy-action:: s3:DeleteObjectVersion + + Controls access to the :s3-api:`DeleteObjectVersion + ` S3 API operation. + +.. policy-action:: s3:DeleteObjectVersionTagging + + Controls access to the :s3-api:`DeleteObjectVersionTagging + ` S3 API operation. + +.. policy-action:: s3:GetObjectVersion + + Controls access to the :s3-api:`GetObjectVersion + ` S3 API operation. + +.. policy-action:: s3:BypassGovernanceRetention + + Controls access to the following S3 API operations on objects + locked under :mc-cmd:`GOVERNANCE ` + retention mode: + + - ``PutObjectRetention`` + - ``PutObject`` + - ``DeleteObject`` + + See the S3 documentation on :s3-docs:`s3:BypassGovernanceRetention + ` for more + information. + +.. policy-action:: s3:PutObjectRetention + + Controls access to the :s3-api:`PutObjectRetention + ` S3 API operation. + + Required for any ``PutObject`` operation that specifies + :ref:`retention metadata `. + +.. policy-action:: s3:GetObjectRetention + + Controls access to the :s3-api:`GetObjectRetention + ` S3 API operation. + + Required for including :ref:`object locking metadata ` + as part of the response to a ``GetObject`` or ``HeadObject`` operation. + +.. policy-action:: s3:GetObjectLegalHold + + Controls access to the :s3-api:`GetObjectLegalHold + ` S3 API operation. + + Required for including :ref:`object locking metadata ` + as part of the response to a ``GetObject`` or ``HeadObject`` operation. + +.. 
policy-action:: s3:PutObjectLegalHold + + Controls access to the :s3-api:`PutObjectLegalHold + ` S3 API operation. + + Required for any ``PutObject`` operation that specifies + :ref:`legal hold metadata `. + +.. policy-action:: s3:GetBucketObjectLockConfiguration + + Controls access to the :s3-api:`GetObjectLockConfiguration + ` S3 API operation. + +.. policy-action:: s3:PutBucketObjectLockConfiguration + + Controls access to the :s3-api:`PutObjectLockConfiguration + ` S3 API operation. + +Bucket Notifications +~~~~~~~~~~~~~~~~~~~~ + +.. policy-action:: s3:GetBucketNotification + + Controls access to the :s3-api:`GetBucketNotification + ` S3 API operation. + +.. policy-action:: s3:PutBucketNotification + + Controls access to the :s3-api:`PutBucketNotification + ` S3 API operation. .. policy-action:: s3:ListenNotification 
@@ -249,194 +382,158 @@ The following table lists the MinIO-supported policy action keys. This action is **not** intended for use with other S3-compatible services. -.. policy-action:: s3:ListParts - - Corresponds to the :s3-api:`s3:ListParts ` IAM action. +Object Lifecycle Management +~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:PutLifecycleConfiguration - Corresponds to the :s3-api:`s3:PutLifecycleConfiguration - ` IAM action. + Controls access to the :s3-api:`PutLifecycleConfiguration + ` S3 API operation. .. policy-action:: s3:GetLifecycleConfiguration - Corresponds to the :s3-api:`s3:GetLifecycleConfiguration - ` IAM action. + Controls access to the :s3-api:`GetLifecycleConfiguration + ` S3 API operation. -.. policy-action:: s3:PutObjectNotification - - Corresponds to the :s3-api:`s3:PutObjectNotification - ` IAM action. - -.. policy-action:: s3:PutBucketPolicy - - Corresponds to the :s3-api:`s3:PutBucketPolicy ` - IAM action. - -.. policy-action:: s3:PutObject - - Corresponds to the :s3-api:`s3:PutObject ` IAM action. - -.. policy-action:: s3:DeleteObjectVersion - - Corresponds to the :s3-api:`s3:DeleteObjectVersion - ` IAM action. - -.. policy-action:: s3:DeleteObjectVersionTagging - - Corresponds to the :s3-api:`s3:DeleteObjectVersionTagging - ` IAM action. - -.. policy-action:: s3:GetObjectVersion - - Corresponds to the :s3-api:`s3:GetObjectVersion - ` IAM action. - -.. policy-action:: s3:GetObjectVersionTagging - - Corresponds to the :s3-api:`s3:GetObjectVersionTagging - ` IAM action. - -.. policy-action:: s3:PutObjectVersionTagging - - Corresponds to the :s3-api:`s3:PutObjectVersionTagging - ` IAM action. - -.. policy-action:: s3:BypassGovernanceRetention - - Corresponds to the :s3-docs:`s3:BypassGovernanceRetention - ` IAM action. - - This action applies to the following API operations on objects locked under - :mc-cmd:`GOVERNANCE ` retention mode: - - - ``PutObjectRetention`` - - ``PutObject`` - - ``DeleteObject`` - -.. 
policy-action:: s3:PutObjectRetention - - Corresponds to the :s3-api:`s3:PutObjectRetention - ` IAM action. - -.. policy-action:: s3:GetObjectRetention - - Corresponds to the :s3-api:`s3:GetObjectRetention - ` IAM action. - - This action applies to the following API operations on objects locked under - any retention mode: - - - ``GetObject`` - - ``HeadObject`` - -.. policy-action:: s3:GetObjectLegalHold - - Corresponds to the :s3-api:`s3:GetObjectLegalHold - ` IAM action. - - This action applies to the following API operations on objects locked under - legal hold: - - - ``GetObject`` - -.. policy-action:: s3:PutObjectLegalHold - - Corresponds to the :s3-api:`s3:PutObjectLegalHold - ` IAM action. - - This action applies to the following API operations on objects locked - under legal hold: - - - ``PutObject`` - -.. policy-action:: s3:GetBucketObjectLockConfiguration - - Corresponds to the :s3-api:`s3:GetBucketObjectLockConfiguration - ` IAM action. - -.. policy-action:: s3:PutBucketObjectLockConfiguration - - Corresponds to the :s3-api:`s3:PutBucketObjectLockConfiguration - ` IAM action. - -.. policy-action:: s3:GetBucketTagging - - Corresponds to the :s3-api:`s3:GetBucketTagging ` - IAM action. - -.. policy-action:: s3:PutBucketTagging - - Corresponds to the :s3-api:`s3:PutBucketTagging ` - IAM action. - -.. policy-action:: s3:Get - - Corresponds to the :s3-api:`s3:Get ` IAM action. - -.. policy-action:: s3:Put - - Corresponds to the :s3-api:`s3:Put ` IAM action. - -.. policy-action:: s3:Delete - - Corresponds to the :s3-api:`s3:Delete ` IAM action. +Object Encryption +~~~~~~~~~~~~~~~~~ .. policy-action:: s3:PutEncryptionConfiguration - Corresponds to the :s3-api:`s3:PutEncryptionConfiguration - ` IAM action. + Controls access to the :s3-api:`PutEncryptionConfiguration + ` S3 API operation. .. policy-action:: s3:GetEncryptionConfiguration - Corresponds to the :s3-api:`s3:GetEncryptionConfiguration - ` IAM action. 
+ Controls access to the :s3-api:`GetEncryptionConfiguration + ` S3 API operation. -.. policy-action:: s3:PutBucketVersioning - - Corresponds to the :s3-api:`s3:PutBucketVersioning - ` IAM action. - -.. policy-action:: s3:GetBucketVersioning - - Corresponds to the :s3-api:`s3:GetBucketVersioning - ` IAM action. +Bucket Replication +~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:GetReplicationConfiguration - Corresponds to the :s3-api:`s3:GetReplicationConfiguration - ` IAM action. + Controls access to the :s3-api:`GetBucketReplication + ` S3 API operation. .. policy-action:: s3:PutReplicationConfiguration - Corresponds to the :s3-api:`s3:PutReplicationConfiguration - ` IAM action. + Controls access to the :s3-api:`PutBucketReplication + ` S3 API operation. .. policy-action:: s3:ReplicateObject - - Corresponds to the :s3-api:`s3:ReplicateObject ` - IAM action. + + MinIO Extension for controlling API operations related to + :ref:`Server-Side Bucket Replication `. + + Required for server-side replication. .. policy-action:: s3:ReplicateDelete - - Corresponds to the :s3-api:`s3:ReplicateDelete ` - IAM action. + MinIO Extension for controlling API operations related to + :ref:`Server-Side Bucket Replication `. + + Required for synchronizing delete operations as part of server-side + replication. + .. policy-action:: s3:ReplicateTags - - Corresponds to the :s3-api:`s3:ReplicateTags ` IAM - action. + MinIO Extension for controlling API operations related to + :ref:`Server-Side Bucket Replication `. + + Required for server-side replication. + .. policy-action:: s3:GetObjectVersionForReplication - - Corresponds to the :s3-api:`s3:GetObjectVersionForReplication - ` IAM action. + MinIO Extension for controlling API operations related to + :ref:`Server-Side Bucket Replication `. + + Required for server-side replication. + +.. 
_minio-policy-conditions: + +Supported S3 Policy Condition Keys +---------------------------------- + +MinIO policy documents support IAM +:iam-docs:`conditional statements `. + +Each condition element consists of +:iam-docs:`operators ` +and condition keys. MinIO supports a subset of IAM condition keys. For complete +information on any listed condition key, see the +:iam-docs:`IAM Condition Element Documentation +` + +MinIO supports the following condition keys for all supported +:ref:`actions `: + +- ``aws:Referer`` +- ``aws:SourceIp`` +- ``aws:UserAgent`` +- ``aws:SecureTransport`` +- ``aws:CurrentTime`` +- ``aws:EpochTime`` +- ``aws:PrincipalType`` +- ``aws:userid`` +- ``aws:username`` +- ``x-amz-content-sha256`` + +The following table lists additional supported condition keys for specific +actions: + +.. list-table:: + :header-rows: 1 + :widths: 30 70 + :width: 100% + + * - Action Key + - Condition Keys + + * - :policy-action:`s3:GetObject` + - | ``x-amz-server-side-encryption`` + | ``x-amz-server-side-encryption-customer-algorithm`` + + * - :policy-action:`s3:ListBucket` + - | ``prefix`` + | ``delimiter`` + | ``max-keys`` + + * - :policy-action:`s3:PutObject` + - | ``x-amz-copy-source`` + | ``x-amz-server-side-encryption`` + | ``x-amz-server-side-encryption-customer-algorithm`` + | ``x-amz-metadata-directive`` + | ``x-amz-storage-class`` + | ``object-lock-retain-until-date`` + | ``object-lock-mode`` + | ``object-lock-legal-hold`` + + * - :policy-action:`s3:PutObjectRetention` + - | ``x-amz-object-lock-remaining-retention-days`` + | ``x-amz-object-lock-retain-until-date`` + | ``x-amz-object-lock-mode`` + + * - :policy-action:`s3:PutObjectLegalHold` + - ``object-lock-legal-hold`` + + * - :policy-action:`s3:BypassGovernanceRetention` + - | ``object-lock-remaining-retention-days`` + | ``object-lock-retain-until-date`` + | ``object-lock-mode`` + | ``object-lock-legal-hold`` + + * - :policy-action:`s3:GetObjectVersion` + - ``versionid`` + + + * - 
:policy-action:`s3:DeleteObjectVersion` + - ``versionid`` .. _minio-policy-mc-admin-actions: ``mc admin`` Policy Action Keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------- MinIO supports the following actions for use with defining policies for :mc-cmd:`mc admin` operations. These actions are *only* valid for 
@@ -601,93 +698,8 @@ services: Allows listing configured remote storage tiers using the :mc-cmd:`mc admin tier` command. -.. _minio-policy-conditions: - -Supported S3 Policy Condition Keys ----------------------------------- - -MinIO policy documents support IAM -:iam-docs:`conditional statements `. - -Each condition element consists of -:iam-docs:`operators ` -and condition keys. MinIO supports a subset of IAM condition keys. For complete -information on any listed condition key, see the -:iam-docs:`IAM Condition Element Documentation -` - -MinIO supports the following condition keys for all supported -:ref:`actions `: - -- ``aws:Referer`` -- ``aws:SourceIp`` -- ``aws:UserAgent`` -- ``aws:SecureTransport`` -- ``aws:CurrentTime`` -- ``aws:EpochTime`` -- ``aws:PrincipalType`` -- ``aws:userid`` -- ``aws:username`` -- ``s3:x-amz-content-sha256`` - -The following table lists additional supported condition keys for specific -actions: - -.. list-table:: - :header-rows: 1 - :widths: 30 70 - :width: 100% - - * - Action Key - - Condition Keys - - * - :policy-action:`s3:GetObject` - - | ``s3:x-amz-server-side-encryption`` - | ``s3:x-amz-server-side-encryption-customer-algorithm`` - - * - :policy-action:`s3:ListBucket` - - | ``s3:prefix`` - | ``s3:delimiter`` - | ``s3:max-keys`` - - * - :policy-action:`s3:PutObject` - - | ``s3:x-amz-copy-source`` - | ``s3:x-amz-server-side-encryption`` - | ``s3:x-amz-server-side-encryption-customer-algorithm`` - | ``s3:x-amz-metadata-directive`` - | ``s3:x-amz-storage-class`` - | ``s3:object-lock-retain-until-date`` - | ``s3:object-lock-mode`` - | ``s3:object-lock-legal-hold`` - - * - :policy-action:`s3:PutObjectRetention` - - | ``s3:x-amz-object-lock-remaining-retention-days`` - | ``s3:x-amz-object-lock-retain-until-date`` - | ``s3:x-amz-object-lock-mode`` - - * - :policy-action:`s3:PutObjectLegalHold` - - ``s3:object-lock-legal-hold`` - - * - :policy-action:`s3:BypassGovernanceRetention` - - | ``s3:object-lock-remaining-retention-days`` - | 
``s3:object-lock-retain-until-date`` - | ``s3:object-lock-mode`` - | ``s3:object-lock-legal-hold`` - - * - :policy-action:`s3:GetObjectVersion` - - ``s3:versionid`` - - * - :policy-action:`s3:GetObjectVersionTagging` - - ``s3:versionid`` - - * - :policy-action:`s3:DeleteObjectVersion` - - ``s3:versionid`` - - * - :policy-action:`s3:DeleteObjectVersionTagging` - - ``s3:versionid`` - ``mc admin`` Policy Condition Keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- MinIO supports the following conditions for use with defining policies for :mc-cmd:`mc admin` :ref:`actions `.
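Review bot: In the first hunk (`@@ -8,7 +8,7 @@`), lowering the contents directive from `:depth: 2` to `:depth: 1` hides every `~~~~` subsection that this same patch adds under "Supported S3 Policy Actions" (Bucket Configuration, Multipart Upload, Versioning and Retention, Bucket Notifications, Object Lifecycle Management, Object Encryption, Bucket Replication), so the table of contents loses the only navigation into the much longer action list. Keep `:depth: 2` unless the intent is that only the `----` headings, including the `mc admin` sections promoted in the later hunks, appear in the TOC.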
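Review bot: In the `@@ -141,8 +141,8 @@` hunk, the rewritten bullet keeps the agreement error `MinIO deployments supports a subset of AWS S3 API operations`; since both lines are already being replaced, change it to `MinIO deployments support a subset of AWS S3 API operations` (or simply `MinIO supports a subset ...`).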
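Review bot: In the `@@ -160,80 +160,213 @@` hunk, the new entries for `s3:DeleteObjectVersion`, `s3:DeleteObjectVersionTagging` and `s3:GetObjectVersion` each claim to control "the DeleteObjectVersion / DeleteObjectVersionTagging / GetObjectVersion S3 API operation", but the S3 API has no operations with those names; those IAM actions gate `DeleteObject`, `DeleteObjectTagging` and `GetObject` when the request carries a `versionId`. Describe them the way the `s3:ForceDeleteBucket` entry already describes a parameterized case, e.g. "Controls access to the DeleteObject S3 API operation when the request specifies a ``versionId``", and check that the `:s3-api:` link targets point at the real operation pages. Two silent renames in the same hunk also deserve a sentence in the commit message or a note in the doc: `s3:ListParts` becomes `s3:ListMultipartUploadParts` and `s3:ListMultipartUploads` becomes `s3:ListBucketMultipartUploads`, so anyone who copied the previously documented keys into a policy needs to know which spelling MinIO actually evaluates; the quiet removal of `s3:HeadBucket` (previously marked unused) is fine but should be mentioned for the same reason.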
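Review bot: In the `@@ -249,194 +382,158 @@` hunk, the relocated condition-key table drops the `s3:` prefix from every key (`s3:prefix` becomes `prefix`, `s3:x-amz-server-side-encryption` becomes `x-amz-server-side-encryption`, `s3:versionid` becomes `versionid`, and so on), which changes what a policy author would type into a `Condition` block. IAM's S3 condition keys carry the `s3:` prefix, and nothing in the patch says the evaluator accepts the bare form, so either restore the prefixes or confirm against the policy code and say so in the commit. The same hunk also removes `s3:GetObjectVersionTagging` and `s3:PutObjectVersionTagging` from the action list along with the catch-all `s3:Get`, `s3:Put` and `s3:Delete` entries without any explanation, while keeping `s3:DeleteObjectVersionTagging`; the commit message should state whether these were documentation errors or still-valid keys. Minor: the three replication entries `s3:ReplicateObject`, `s3:ReplicateTags` and `s3:GetObjectVersionForReplication` now share the identical text "Required for server-side replication"; one line each on what they respectively gate (object data, object tags, reading a specific version) would make the section useful, and "MinIO Extension" should be lowercase "extension".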
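Review bot: In the `@@ -601,93 +698,8 @@` hunk, the deleted condition-key table is not reproduced exactly by its replacement earlier in the patch: the rows for `:policy-action:`s3:GetObjectVersionTagging`` and `:policy-action:`s3:DeleteObjectVersionTagging``, both keyed on `s3:versionid`, are lost in the move. `s3:DeleteObjectVersionTagging` is still documented as an action in this patch, so its condition-key row should be carried over; if the drop is intentional because the action keys were removed, the commit message should say so. The heading promotions for `mc admin Policy Action Keys` and `mc admin Policy Condition Keys` from `~~~~` to `----` are consistent with each other and fine.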