minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00
Code Activity

Docs Multiplatform Slice

Browse Source
This commit is contained in:
Ravind Kumar
2022-05-06 16:44:42 -04:00
parent df33ddee6a
commit b99c20a16f
134 changed files with 3689 additions and 2200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
source/administration/identity-access-management/ad-ldap-access-management.rst Normal file
View File

@ -0,0 +1,103 @@
.. _minio-external-identity-management-ad-ldap:
=========================================
Active Directory / LDAP Access Management
=========================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
MinIO supports using an Active Directory or LDAP (AD/LDAP) service for external
management of user identities.
For identities managed by the external AD/LDAP provider, MinIO uses the user's Distinguished Name and attempts to map it against an existing :ref:`policy <minio-policy>`.
If the AD/LDAP configuration includes the necessary settings to query the user's AD/LDAP group membership, MinIO *also* uses those group Distinguished Names and attempts to map each against an existing :ref:`policy <minio-policy>`.
MinIO by default denies access to all actions or resources not explicitly allowed by a user's assigned or inherited :ref:`policies <minio-policy>`.
Users managed by an AD/LDAP provider must specify the necessary policies as part of the user profile data.
If no policies match either the user DN or group DNs, MinIO blocks all access to actions and resources on the deployment.
The specific AD/LDAP queries MinIO issues to authenticate the user and retrieve it's group membership are configured as part of :ref:`deploying the cluster with Active Directory / LDAP identity management <minio-external-iam-ad-ldap>`.
This page covers creation of MinIO policies to match the possible returned Distinguished Names.
Authentication and Authorization Flow
-------------------------------------
The login flow for an application using Active Directory / LDAP
credentials is as follows:
1. Specify the AD/LDAP credentials to the MinIO Security Token Service (STS)
:ref:`minio-sts-assumerolewithldapidentity` API endpoint.
2. MinIO verifies the provided credentials against the AD/LDAP server.
3. MinIO checks for any :ref:`policy <minio-policy>` whose name matches the
user Distinguished Name (DN) and assigns that policy to the authenticated
user.
If configured to perform group queries, MinIO also queries for a list of
AD/LDAP groups in which the user has membership. MinIO checks for any policy
whose name matches a returned group DN and assigns that
policy to the authenticated user.
4. MinIO returns temporary credentials in the STS API response in the form of an
access key, secret key, and session token. The credentials have permissions
matching those policies whose name matches either the authenticated user DN
*or* a group DN.
MinIO provides an example Go application
:minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` that handles the
full login flow.
AD/LDAP users can alternatively create :ref:`service accounts <minio-idp-service-account>` associated to their AD/LDAP user Distinguished Name. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. Use either of the following methods to create a new service account
- Log into the :ref:`MinIO Console <minio-console>` using the AD/LDAP-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button.
- Use the :mc-cmd:`mc admin user svcacct add` command to create the service account. Specify the user Distinguished Name as the username to which to associate the service account.
Mapping Policies to User DN
---------------------------
Consider the following policy assignments:
.. code-block:: shell
mc admin policy set --consoleAdmin user='cn=sisko,cn=users,dc=example,dc=com'
mc admin policy set --readwrite,diagnostics user='cn=dax,cn=users,dc=example,dc=com'
- MinIO would assign an authenticated user with DN matching
``cn=sisko,cn=users,dc=example,dc=com`` the :userpolicy:`consoleAdmin`
policy, granting complete access to the MinIO server.
- MinIO would assign an authenticated user with DN matching
``cn=dax,cn=users,dc=example,dc=com`` both the :userpolicy:`readwrite` and
:userpolicy:`diagnostics` policies, granting general read/write access to the
MinIO server *and* access to diagnostic administrative operations.
- MinIO would assign no policies to an authenticated user with DN matching
``cn=quark,cn=users,dc=example,dc=com`` and deny all access to API operations.
Mapping Policies to Group DN
----------------------------
Consider the following policy assignments:
.. code-block:: shell
mc admin policy set --consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'
mc admin policy set --diagnostics group='cn=engineering,cn=groups,dc=example,dc=com'
- MinIO would assign any authenticating user with membership in the
``cn=ops,cn=groups,dc=example,dc=com`` AD/LDAP group the
:userpolicy:`consoleAdmin` policy, granting complete access to the MinIO
server.
- MinIO would assign any authenticating user with membership in the
``cn=engineering,cn=groups,dc=example,dc=com`` AD/LDAP group the
:userpolicy:`diagnostics` policy, granting access to diagnostic administrative
operations.

60
source/administration/identity-access-management/minio-group-management.rst Normal file
View File

@ -0,0 +1,60 @@
.. _minio-groups:
================
Group Management
================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
Overview
--------
A *group* is a collection of :ref:`users <minio-users>`. Each group
can have one or more assigned :ref:`policies <minio-policy>`
that explicitly list the actions and resources to which group members are
allowed or denied access.
For example, consider the following groups. Each group is assigned a
:ref:`built-in policy <minio-policy-built-in>` or supported
:ref:`policy action <minio-policy-actions>`. Each group also has one or
more assigned users. Each user's total set of permissions consists of their
explicitly assigned permission *and* the inherited permissions from each of
their assigned groups. MinIO by default *denies* access to any resource or
operation not explicitly allowed by a user's assigned or inherited policies.
.. list-table::
:header-rows: 1
:widths: 20 40 40
:width: 100%
* - Group
- Policy
- Members
* - ``Operations``
- | :userpolicy:`readwrite` on ``finance`` bucket
| :userpolicy:`readonly` on ``audit`` bucket
- ``john.doe``, ``jane.doe``
* - ``Auditing``
- | :userpolicy:`readonly` on ``audit`` bucket
- ``jen.doe``, ``joe.doe``
* - ``Admin``
- :policy-action:`admin:*`
- ``greg.doe``, ``jen.doe``
Groups provide a simplified method for managing shared permissions among
users with common access patterns and workloads. Client's *cannot* authenticate
to a MinIO deployment using a group as an identity.
The :mc-cmd:`mc admin group` command supports the creation and management of
groups on the MinIO deployment. See the command reference for examples of
usage.

56
source/administration/identity-access-management/minio-identity-management.rst Normal file
View File

@ -0,0 +1,56 @@
.. _minio-internal-idp:
=========================
MinIO Identity Management
=========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
MinIO includes a built-in IDentity Provider (IDP) that provides core identity
management functionality. The MinIO IDP supports creating an arbitrary number of
long-lived users on the deployment for supporting client authentication.
Each user consists of a unique access key (username) and corresponding secret
key (password). Clients must authenticate their identity by specifying both
a valid access key (username) and the corresponding secret key (password) of
an existing MinIO user.
Administrators use the :mc-cmd:`mc admin user` command to create and manage
MinIO users. The :minio-git:`MinIO Console <console>` provides a graphical
interface for creating users.
MinIO also supports creating :ref:`service accounts
<minio-idp-service-account>`. Service accounts are child identities of an
authenticated parent user and inherit their permissions from the parent.
MinIO by default denies access to all actions or resources not explicitly
allowed by a user's assigned or inherited :ref:`policies <minio-policy>`. You
must either explicitly assign a :ref:`policy <minio-policy>` describing the
user's authorized actions and resources *or* assign the user to :ref:`groups
<minio-groups>` which have associated policies. See
:ref:`minio-access-management` for more information.
.. admonition:: External Identity Management
:class: dropdown, note
MinIO supports external management of identities using either an
OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP).
For more information, see:
- :ref:`minio-external-identity-management-openid`
- :ref:`minio-external-identity-management-ad-ldap`
Enabling external identity management disables the MinIO internal IDP, with
the exception of creating :ref:`service accounts
<minio-idp-service-account>`.
.. toctree::
:titlesonly:
:hidden:
/administration/identity-access-management/minio-user-management.rst
/administration/identity-access-management/minio-group-management.rst

173
source/administration/identity-access-management/minio-user-management.rst Normal file
View File

@ -0,0 +1,173 @@
.. _minio-users:
===============
User Management
===============
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
Overview
--------
A MinIO user consists of a unique access key (username) and corresponding secret
key (password). Clients must authenticate their identity by specifying both
a valid access key (username) and the corresponding secret key (password) of
an existing MinIO user.
Each user can have one or more assigned :ref:`policies <minio-policy>` that
explicitly list the actions and resources to which that user has access.
Users can also inherit policies from the :ref:`groups <minio-groups>` in which
they have membership.
MinIO by default denies access to all actions or resources not explicitly
allowed by a user's assigned or inherited :ref:`policies <minio-policy>`. You
must either explicitly assign a :ref:`policy <minio-policy>` describing the
user's authorized actions and resources *or* assign the user to :ref:`groups
<minio-groups>` which have associated policies. See
:ref:`minio-access-management` for more information.
This page documents user management for the MinIO internal IDentity Provider
(IDP). MinIO also external management of identities using either an
OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP).
For more information, see:
- :ref:`minio-external-identity-management-openid`
- :ref:`minio-external-identity-management-ad-ldap`
Enabling external identity management disables the MinIO internal IDP, with
the exception of creating :ref:`service accounts
<minio-idp-service-account>`.
.. _minio-idp-service-account:
Service Accounts
----------------
MinIO service accounts are child identities of an authenticated MinIO user,
including :ref:`externally managed identities
<minio-authentication-and-identity-management>`. Each service account inherits
its privileges based on the :ref:`policies <minio-policy>` attached to it's
parent user *or* those groups in which the parent user has membership. Service
accounts also support an optional inline policy which further restricts access
to a subset of actions and resources available to the parent user.
A MinIO user can generate any number of service accounts. This allows
application owners to generate arbitrary service accounts for their applications
without requiring action from the MinIO administrators. Since the generated
service accounts have the same or fewer permissions as the parents,
administrators can focus on managing the top-level parent users without
micro-managing generated service accounts.
You can create service accounts using either the :ref:`MinIO Console <minio-console>` *or* by using the :mc-cmd:`mc admin user svcacct add` command.
.. admonition:: Service Accounts are for Programmatic Access
:class: dropdown, note
Service Accounts support programmatic access by applications. You cannot
use a Service Account to log into the MinIO Console.
.. _minio-users-root:
MinIO ``root`` User
-------------------
MinIO deployments have a ``root`` user with access to all actions and resources
on the deployment, regardless of the configured :ref:`identity manager
<minio-authentication-and-identity-management>`. When a :mc:`minio` server first
starts, it sets the ``root`` user credentials by checking the value of the
following environment variables:
- :envvar:`MINIO_ROOT_USER`
- :envvar:`MINIO_ROOT_PASSWORD`
Rotating the root user credentials requires updating either or both variables
for all MinIO servers in the deployment. Specify *long, unique, and random*
strings for root credentials. Exercise all possible precautions in storing the
access key and secret key, such that only known and trusted individuals who
*require* superuser access to the deployment can retrieve the ``root``
credentials.
- MinIO *strongly discourages* using the ``root`` user for regular client access
regardless of the environment (development, staging, or production).
- MinIO *strongly recommends* creating users such that each client has access to
the minimal set of actions and resources required to perform their assigned
workloads.
If these variables are unset, :mc:`minio` defaults to ``minioadmin`` and
``minioadmin`` as the access key and secret key respectively. MinIO *strongly
discourages* use of the default credentials regardless of deployment
environment.
.. admonition:: Deprecation of Legacy Root User Environment Variables
:class: dropdown, important
MinIO :minio-release:`RELEASE.2021-04-22T15-44-28Z` and later deprecates the
following variables used for setting or updating root user
credentials:
- :envvar:`MINIO_ACCESS_KEY` to the new access key.
- :envvar:`MINIO_SECRET_KEY` to the new secret key.
- :envvar:`MINIO_ACCESS_KEY_OLD` to the old access key.
- :envvar:`MINIO_SECRET_KEY_OLD` to the old secret key.
User Management
---------------
Create a User
~~~~~~~~~~~~~
Use the :mc-cmd:`mc admin user add` command to create a new user on the
MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user add ALIAS ACCESSKEY SECRETKEY
- Replace :mc-cmd:`ALIAS <mc admin user add TARGET>` with the
:mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`ACCESSKEY <mc admin user add ACCESSKEY>` with the
access key for the user. MinIO allows retrieving the access key after
user creation through the :mc-cmd:`mc admin user info` command.
- Replace :mc-cmd:`SECRETKEY <mc admin user add SECRETKEY>` with the
secret key for the user. MinIO *does not* provide any method for retrieving
the secret key once set.
Specify a unique, random, and long string for both the ``ACCESSKEY`` and
``SECRETKEY``. Your organization may have specific internal or regulatory
requirements around generating values for use with access or secret keys.
After creating the user, use :mc-cmd:`mc admin policy set` to associate a
:ref:`MinIO Policy Based Access Control <minio-policy>` to the new user.
The following command assigns the built-in :userpolicy:`readwrite` policy:
.. code-block:: shell
:class: copyable
mc admin policy set ALIAS readwrite user=USERNAME
Replace ``USERNAME`` with the ``ACCESSKEY`` created in the previous step.
Delete a User
~~~~~~~~~~~~~
Use the :mc-cmd:`mc admin user remove` command to remove a user on a
MinIO deployment:
.. code-block:: shell
:class: copyable
mc admin user remove ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user remove TARGET>` with the
:mc-cmd:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user remove USERNAME>` with the name of
the user to remove.

82
source/administration/identity-access-management/oidc-access-management.rst Normal file
View File

@ -0,0 +1,82 @@
.. _minio-external-identity-management-openid:
.. _minio-external-identity-management-openid-access-control:
================================
OpenID Connect Access Management
================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP)
such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user
identities.
For identities managed by the external OpenID Connect (OIDC) compatible provider, MinIO uses the `JSON Web Token claim <https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ returned as part of the OIDC authentication flow to identify the :ref:`policies <minio-policy>` to assign to the authenticated user.
MinIO by default denies access to all actions or resources not explicitly allowed by a user's assigned or inherited :ref:`policies <minio-policy>`.
Users managed by an OIDC provider must specify the necessary policies as part of the JWT claim. If the user JWT claim has no matching MinIO policies, that user has no permissions to access any action or resource on the MinIO deployment.
The specific claim which MinIO looks for is configured as part of :ref:`deploying the cluster with OIDC identity management <minio-external-iam-oidc>`. This page focuses on creating MinIO policies to match the configured OIDC claims.
Authentication and Authorization Flow
-------------------------------------
The login flow for an application using :abbr:`OIDC (OpenID Connect)`
credentials is as follows:
1. Authenticate to the configured :abbr:`OIDC (OpenID Connect)`
provider and retrieve a
`JSON Web Token (JWT) <https://jwt.io/introduction>`__.
MinIO only supports the
`OpenID Authorization Code Flow
<https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth>`__.
Authentication using Implicit Flow is not supported.
2. Specify the :abbr:`JWT (JSON Web Token)` to the MinIO Security Token Service
(STS) :ref:`minio-sts-assumerolewithwebidentity` API endpoint.
MinIO verifies the :abbr:`JWT (JSON Web Token)` against the
configured OIDC provider.
If the JWT is valid, MinIO checks for a :ref:`claim
<minio-external-identity-management-openid-access-control>` specifying a list
of one or more :ref:`policies <minio-policy>` to assign to the
authenticated user. MinIO defaults to checking the ``policy`` claim.
3. MinIO returns temporary credentials in the STS API response in the form of an
access key, secret key, and session token. The credentials have
permissions matching those policies specified in the JWT claim.
4. Applications use the temporary credentials returned by the STS endpoint to
perform authenticated S3 operations on MinIO.
MinIO provides an example Go application
:minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` that
handles the full login flow.
OIDC users can alternatively create :ref:`service accounts <minio-idp-service-account>` associated to their AD/LDAP user. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. To create a new service account, log into the :ref:`MinIO Console <minio-console>` using the OIDC-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button.
Identifying the JWT Claim Value
-------------------------------
MinIO uses the JWT token returned as part of the OIDC authentication flow to identify the specific policies to assign to the authenticated user.
You can use a `JWT Debugging tool <https://jwt.io/>`__ to decode the returned JWT token and validate that the user attributes include the required claims.
.. todo - example JWT claim
See `RFC 7519: JWT Claim <https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ for more information on JWT claims.
Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
Creating Policies to Match Claims
---------------------------------
Use either the MinIO Console *or* the :mc-cmd:`mc admin policy` command to create policies that match one or more claim values:
.. todo - instructions

778
source/administration/identity-access-management/policy-based-access-control.rst Normal file
View File

@ -0,0 +1,778 @@
.. _minio-policy:
=================
Access Management
=================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 1
Overview
--------
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions
and resources to which an authenticated user has access. Each policy describes
one or more :ref:`actions <minio-policy-actions>` and :ref:`conditions
<minio-policy-conditions>` that outline the permissions of a
:ref:`user <minio-users>` or :ref:`group <minio-groups>` of
users.
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and
behavior. The MinIO documentation makes a best-effort to cover IAM-specific
behavior and functionality. Consider deferring to the :iam-docs:`IAM
documentation <>` for more complete documentation on AWS IAM-specific topics.
The :mc-cmd:`mc admin policy` command supports creation and management of
policies on the MinIO deployment. See the command reference for examples of
usage.
.. _minio-policy-built-in:
Built-In Policies
-----------------
MinIO provides the following built-in policies for assigning to
:ref:`users <minio-users>` or :ref:`groups <minio-groups>`:
.. userpolicy:: consoleAdmin
Grants complete access to all S3 and administrative API operations against
all resources on the MinIO deployment. Equivalent to the following set of
actions:
- :policy-action:`s3:*`
- :policy-action:`admin:*`
.. userpolicy:: readonly
Grants read-only permissions on any object on the MinIO deployment. The GET
action *must* apply to a specific object without requiring any listing.
Equivalent to the following set of actions:
- :policy-action:`s3:GetBucketLocation`
- :policy-action:`s3:GetObject`
For example, this policy specifically supports GET operations on objects at a
specific path (e.g. ``GET play/mybucket/object.file``), such as:
- :mc-cmd:`mc cp`
- :mc-cmd:`mc stat`
- :mc-cmd:`mc head`
- :mc-cmd:`mc cat`
The exclusion of listing permissions is intentional, as typical use cases
do not intend for a "read-only" role to have complete discoverability
(listing all buckets and objects) on the object storage resource.
.. userpolicy:: readwrite
Grants read and write permissions for all buckets and objects on the
MinIO server. Equivalent to :policy-action:`s3:*`.
.. userpolicy:: diagnostics
Grants permission to perform diagnostic actions on the MinIO deployment.
Specifically includes the following actions:
- :policy-action:`admin:ServerTrace`
- :policy-action:`admin:Profiling`
- :policy-action:`admin:ConsoleLog`
- :policy-action:`admin:ServerInfo`
- :policy-action:`admin:TopLocksInfo`
- :policy-action:`admin:OBDInfo`
- :policy-action:`admin:BandwidthMonitor`
- :policy-action:`admin:Prometheus`
.. userpolicy:: writeonly
Grants write-only permissions to any namespace (bucket and path to object)
the MinIO deployment. The PUT action *must* apply to a specific object
location without requiring any listing.
Equivalent to the :policy-action:`s3:PutObject` action.
Use :mc-cmd:`mc admin policy set` to associate a policy to a
user or group on a MinIO deployment.
For example, consider the following table of users. Each user is assigned
a :ref:`built-in policy <minio-policy-built-in>` or
a supported :ref:`action <minio-policy-actions>`. The table
describes a subset of operations a client could perform if authenticated
as that user:
.. list-table::
:header-rows: 1
:widths: 20 40 40
:width: 100%
* - User
- Policy
- Operations
* - ``Operations``
- | :userpolicy:`readwrite` on ``finance`` bucket
| :userpolicy:`readonly` on ``audit`` bucket
- | ``PUT`` and ``GET`` on ``finance`` bucket.
| ``PUT`` on ``audit`` bucket
* - ``Auditing``
- | :userpolicy:`readonly` on ``audit`` bucket
- ``GET`` on ``audit`` bucket
* - ``Admin``
- :policy-action:`admin:*`
- All :mc-cmd:`mc admin` commands.
Each user can access only those resources and operations which are *explicitly*
granted by the built-in role. MinIO denies access to any other resource or
action by default.
.. admonition:: ``Deny`` overrides ``Allow``
:class: note
MinIO follows the IAM policy evaluation rules where a ``Deny`` rule overrides
``Allow`` rule on the same action/resource. For example, if a user has an
explicitly assigned policy with an ``Allow`` rule for an action/resource
while one of its groups has an assigned policy with a ``Deny`` rule for that
action/resource, MinIO would apply only the ``Deny`` rule.
For more information on IAM policy evaluation logic, see the IAM
documentation on
:iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
<reference_policies_evaluation-logic.html#policy-eval-denyallow>`.
.. _minio-policy-document:
Policy Document Structure
-------------------------
MinIO policy documents use the same schema as
:aws-docs:`AWS IAM Policy <IAM/latest/UserGuide/access.html>` documents.
The following sample document provides a template for creating custom
policies for use with a MinIO deployment. For more complete documentation on IAM
policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference
<IAM/latest/UserGuide/reference_policies_elements.html>`.
.. code-block:: javascript
:class: copyable
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:aws:s3:::*",
"Condition" : { ... }
},
{
"Effect" : "Deny",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:aws:s3:::*",
"Condition" : { ... }
}
]
}
- For the ``Statement.Action`` array, specify one or more
:ref:`supported S3 API operations <minio-policy-actions>`. MinIO deployments
supports a subset of AWS S3 API operations.
- For the ``Statement.Resource`` key, you can replace the ``*`` with
the specific bucket to which the policy statement should apply.
Using ``*`` applies the statement to all resources on the MinIO deployment.
- For the ``Statement.Condition`` key, you can specify one or more
:ref:`supported Conditions <minio-policy-conditions>`. MinIO
deployments supports a subset of AWS S3 conditions.
.. _minio-policy-actions:
Supported S3 Policy Actions
---------------------------
MinIO policy documents support a subset of IAM
:iam-docs:`S3 Action keys <list_amazons3.html#amazons3-actions-as-permissions>`.
The following actions control access to common S3 operations. The remaining
subsections document actions for more advanced S3 operations:
.. policy-action:: s3:*
Selector for *all* MinIO S3 operations. Applying this action to a given
resource allows the user to perform *any* S3 operation against that
resource.
.. policy-action:: s3:CreateBucket
Controls access to the :s3-api:`CreateBucket <API_CreateBucket.html>` S3 API
operation.
.. policy-action:: s3:DeleteBucket
Controls access to the :s3-api:`DeleteBucket <API_DeleteBucket.html>` S3 API
operation.
.. policy-action:: s3:ForceDeleteBucket
Controls access to the :s3-api:`DeleteBucket <API_DeleteBucket.html>`
S3 API operation for operations with the ``x-minio-force-delete`` flag.
Required for removing non-empty buckets.
.. policy-action:: s3:GetBucketLocation
Controls access to the :s3-api:`GetBucketLocation
<API_GetBucketLocation.html>` S3 API operation.
.. policy-action:: s3:ListAllMyBuckets
Controls access to the :s3-api:`ListBuckets <API_ListBuckets.html>`
S3 API operation.
.. policy-action:: s3:DeleteObject
Controls access to the :s3-api:`DeleteObject <API_DeleteObject.html>` S3 API
operation.
.. policy-action:: s3:GetObject
Controls access to the :s3-api:`GetObject <API_GetObject.html>` S3 API
operation.
.. policy-action:: s3:ListBucket
Controls access to the :s3-api:`ListObjectsV2 <API_ListObjectsV2.html>` S3 API
operation.
.. policy-action:: s3:PutObject
Controls access to the :s3-api:`PutObject <API_PutObject.html>` S3 API
operation.
.. policy-action:: s3:PutObjectTagging
Controls access to the :s3-api:`PutObjectTagging <API_PutObjectTagging.html>`
S3 API operation.
.. policy-action:: s3:GetObjectTagging
Controls access to the :s3-api:`GetObjectTagging <API_GetObjectTagging.html>`
S3 API operation.
Bucket Configuration
~~~~~~~~~~~~~~~~~~~~
.. policy-action:: s3:GetBucketPolicy
Controls access to the :s3-api:`GetBucketPolicy <API_GetBucketPolicy.html>`
S3 API operation.
.. policy-action:: s3:PutBucketPolicy
Controls access to the :s3-api:`PutBucketPolicy <API_PutBucketPolicy.html>`
S3 API operation.
.. policy-action:: s3:DeleteBucketPolicy
Controls access to the :s3-api:`DeleteBucketPolicy
<API_DeleteBucketPolicy.html>` S3 API operation.
.. policy-action:: s3:GetBucketTagging
Controls access to the :s3-api:`GetBucketTagging <API_GetBucketTagging.html>`
S3 API operation.
.. policy-action:: s3:PutBucketTagging
Controls access to the :s3-api:`PutBucketTagging <API_PutBucketTagging.html>`
S3 API operation.
Multipart Upload
~~~~~~~~~~~~~~~~
.. policy-action:: s3:AbortMultipartUpload
Controls access to the :s3-api:`AbortMultipartUpload
<API_AbortMultipartUpload.html>` S3 API operation.
.. policy-action:: s3:ListMultipartUploadParts
Controls access to the :s3-api:`ListParts <API_ListParts.html>` S3 API
operation.
.. policy-action:: s3:ListBucketMultipartUploads
Controls access to the :s3-api:`ListMultipartUploads
<API_ListMultipartUploads.html>` S3 API operation.
Versioning and Retention
~~~~~~~~~~~~~~~~~~~~~~~~
.. policy-action:: s3:PutBucketVersioning
Controls access to the :s3-api:`PutBucketVersioning
<API_PutBucketVersioning.html>` S3 API operation.
.. policy-action:: s3:GetBucketVersioning
Controls access to the :s3-api:`GetBucketVersioning
<API_GetBucketVersioning.html>` S3 API operation.
.. policy-action:: s3:DeleteObjectVersion
Controls access to the :s3-api:`DeleteObjectVersion
<API_DeleteObjectVersion.html>` S3 API operation.
.. policy-action:: s3:DeleteObjectVersionTagging
Controls access to the :s3-api:`DeleteObjectVersionTagging
<API_DeleteObjectVersionTagging.html>` S3 API operation.
.. policy-action:: s3:GetObjectVersion
Controls access to the :s3-api:`GetObjectVersion
<API_GetObjectVersion.html>` S3 API operation.
.. policy-action:: s3:BypassGovernanceRetention
Controls access to the following S3 API operations on objects
locked under :mc-cmd:`GOVERNANCE <mc retention set MODE>`
retention mode:
- ``PutObjectRetention``
- ``PutObject``
- ``DeleteObject``
See the S3 documentation on :s3-docs:`s3:BypassGovernanceRetention
<object-lock-managing.html#object-lock-managing-bypass>` for more
information.
.. policy-action:: s3:PutObjectRetention
Controls access to the :s3-api:`PutObjectRetention
<API_PutObjectRetention.html>` S3 API operation.
Required for any ``PutObject`` operation that specifies
:ref:`retention metadata <minio-object-locking>`.
.. policy-action:: s3:GetObjectRetention
Controls access to the :s3-api:`GetObjectRetention
<API_GetObjectRetention.html>` S3 API operation.
Required for including :ref:`object locking metadata <minio-object-locking>`
as part of the response to a ``GetObject`` or ``HeadObject`` operation.
.. policy-action:: s3:GetObjectLegalHold
Controls access to the :s3-api:`GetObjectLegalHold
<API_GetObjectLegalHold.html>` S3 API operation.
Required for including :ref:`object locking metadata <minio-object-locking>`
as part of the response to a ``GetObject`` or ``HeadObject`` operation.
.. policy-action:: s3:PutObjectLegalHold
Controls access to the :s3-api:`PutObjectLegalHold
<API_PutObjectLegalHold.html>` S3 API operation.
Required for any ``PutObject`` operation that specifies
:ref:`legal hold metadata <minio-object-locking>`.
.. policy-action:: s3:GetBucketObjectLockConfiguration
Controls access to the :s3-api:`GetObjectLockConfiguration
<API_GetObjectLockConfiguration.html>` S3 API operation.
.. policy-action:: s3:PutBucketObjectLockConfiguration
Controls access to the :s3-api:`PutObjectLockConfiguration
<API_PutObjectLockConfiguration.html>` S3 API operation.
Bucket Notifications
~~~~~~~~~~~~~~~~~~~~
.. policy-action:: s3:GetBucketNotification
Controls access to the :s3-api:`GetBucketNotification
<API_GetBucketNotification.html>` S3 API operation.
.. policy-action:: s3:PutBucketNotification
Controls access to the :s3-api:`PutBucketNotification
<API_PutBucketNotification.html>` S3 API operation.
.. policy-action:: s3:ListenNotification
MinIO Extension for controlling API operations related to MinIO Bucket
Notifications.
This action is **not** intended for use with other S3-compatible services.
.. policy-action:: s3:ListenBucketNotification
MinIO Extension for controlling API operations related to MinIO Bucket
Notifications.
This action is **not** intended for use with other S3-compatible services.
Object Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. policy-action:: s3:PutLifecycleConfiguration
Controls access to the :s3-api:`PutLifecycleConfiguration
<API_PutBucketLifecycleConfiguration.html>` S3 API operation.
.. policy-action:: s3:GetLifecycleConfiguration
Controls access to the :s3-api:`GetLifecycleConfiguration
<API_GetBucketLifecycleConfiguration.html>` S3 API operation.
Object Encryption
~~~~~~~~~~~~~~~~~
.. policy-action:: s3:PutEncryptionConfiguration
Controls access to the :s3-api:`PutEncryptionConfiguration
<API_PutBucketEncryption.html>` S3 API operation.
.. policy-action:: s3:GetEncryptionConfiguration
Controls access to the :s3-api:`GetEncryptionConfiguration
<API_GetBucketEncryption.html>` S3 API operation.
Bucket Replication
~~~~~~~~~~~~~~~~~~
.. policy-action:: s3:GetReplicationConfiguration
Controls access to the :s3-api:`GetBucketReplication
<API_GetBucketReplication.html>` S3 API operation.
.. policy-action:: s3:PutReplicationConfiguration
Controls access to the :s3-api:`PutBucketReplication
<PutBucketReplication.html>` S3 API operation.
.. policy-action:: s3:ReplicateObject
MinIO Extension for controlling API operations related to
:ref:`Server-Side Bucket Replication <minio-bucket-replication-serverside>`.
Required for server-side replication.
.. policy-action:: s3:ReplicateDelete
MinIO Extension for controlling API operations related to
:ref:`Server-Side Bucket Replication <minio-bucket-replication-serverside>`.
Required for synchronizing delete operations as part of server-side
replication.
.. policy-action:: s3:ReplicateTags
MinIO Extension for controlling API operations related to
:ref:`Server-Side Bucket Replication <minio-bucket-replication-serverside>`.
Required for server-side replication.
.. policy-action:: s3:GetObjectVersionForReplication
MinIO Extension for controlling API operations related to
:ref:`Server-Side Bucket Replication <minio-bucket-replication-serverside>`.
Required for server-side replication.
.. _minio-policy-conditions:
Supported S3 Policy Condition Keys
----------------------------------
MinIO policy documents support IAM
:iam-docs:`conditional statements <reference_policies_elements_condition.html>`.
Each condition element consists of
:iam-docs:`operators <reference_policies_elements_condition_operators.html>`
and condition keys. MinIO supports a subset of IAM condition keys. For complete
information on any listed condition key, see the
:iam-docs:`IAM Condition Element Documentation
<reference_policies_elements_condition.html>`
MinIO supports the following condition keys for all supported
:ref:`actions <minio-policy-actions>`:
- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``
- ``aws:PrincipalType``
- ``aws:userid``
- ``aws:username``
- ``x-amz-content-sha256``
The following table lists additional supported condition keys for specific
actions:
.. list-table::
:header-rows: 1
:widths: 30 70
:width: 100%
* - Action Key
- Condition Keys
* - :policy-action:`s3:GetObject`
- | ``x-amz-server-side-encryption``
| ``x-amz-server-side-encryption-customer-algorithm``
* - :policy-action:`s3:ListBucket`
- | ``prefix``
| ``delimiter``
| ``max-keys``
* - :policy-action:`s3:PutObject`
- | ``x-amz-copy-source``
| ``x-amz-server-side-encryption``
| ``x-amz-server-side-encryption-customer-algorithm``
| ``x-amz-metadata-directive``
| ``x-amz-storage-class``
| ``object-lock-retain-until-date``
| ``object-lock-mode``
| ``object-lock-legal-hold``
* - :policy-action:`s3:PutObjectRetention`
- | ``x-amz-object-lock-remaining-retention-days``
| ``x-amz-object-lock-retain-until-date``
| ``x-amz-object-lock-mode``
* - :policy-action:`s3:PutObjectLegalHold`
- ``object-lock-legal-hold``
* - :policy-action:`s3:BypassGovernanceRetention`
- | ``object-lock-remaining-retention-days``
| ``object-lock-retain-until-date``
| ``object-lock-mode``
| ``object-lock-legal-hold``
* - :policy-action:`s3:GetObjectVersion`
- ``versionid``
* - :policy-action:`s3:DeleteObjectVersion`
- ``versionid``
.. _minio-policy-mc-admin-actions:
``mc admin`` Policy Action Keys
-------------------------------
MinIO supports the following actions for use with defining policies
for :mc-cmd:`mc admin` operations. These actions are *only* valid for
MinIO deployments and are *not* intended for use with other S3-compatible
services:
.. policy-action:: admin:*
Selector for all admin action keys.
.. policy-action:: admin:Heal
Allows heal command
.. policy-action:: admin:StorageInfo
Allows listing server info
.. policy-action:: admin:DataUsageInfo
Allows listing data usage info
.. policy-action:: admin:TopLocksInfo
Allows listing top locks
.. policy-action:: admin:Profiling
Allows profiling
.. policy-action:: admin:ServerTrace
Allows listing server trace
.. policy-action:: admin:ConsoleLog
Allows listing console logs on terminal
.. policy-action:: admin:KMSCreateKey
Allows creating a new KMS master key
.. policy-action:: admin:KMSKeyStatus
Allows getting KMS key status
.. policy-action:: admin:ServerInfo
Allows listing server info
.. policy-action:: admin:OBDInfo
Allows obtaining cluster on-board diagnostics
.. policy-action:: admin:ServerUpdate
Allows MinIO binary update
.. policy-action:: admin:ServiceRestart
Allows restart of MinIO service.
.. policy-action:: admin:ServiceStop
Allows stopping MinIO service.
.. policy-action:: admin:ConfigUpdate
Allows MinIO config management
.. policy-action:: admin:CreateUser
Allows creating MinIO user
.. policy-action:: admin:DeleteUser
Allows deleting MinIO user
.. policy-action:: admin:ListUsers
Allows list users permission
.. policy-action:: admin:EnableUser
Allows enable user permission
.. policy-action:: admin:DisableUser
Allows disable user permission
.. policy-action:: admin:GetUser
Allows GET permission on user info
.. policy-action:: admin:AddUserToGroup
Allows adding user to group permission
.. policy-action:: admin:RemoveUserFromGroup
Allows removing user to group permission
.. policy-action:: admin:GetGroup
Allows getting group info
.. policy-action:: admin:ListGroups
Allows list groups permission
.. policy-action:: admin:EnableGroup
Allows enable group permission
.. policy-action:: admin:DisableGroup
Allows disable group permission
.. policy-action:: admin:CreatePolicy
Allows create policy permission
.. policy-action:: admin:DeletePolicy
Allows delete policy permission
.. policy-action:: admin:GetPolicy
Allows get policy permission
.. policy-action:: admin:AttachUserOrGroupPolicy
Allows attaching a policy to a user/group
.. policy-action:: admin:ListUserPolicies
Allows listing user policies
.. policy-action:: admin:CreateServiceAccount
Allows creating MinIO Service Account
.. policy-action:: admin:UpdateServiceAccount
Allows updating MinIO Service Account
.. policy-action:: admin:RemoveServiceAccount
Allows deleting MinIO Service Account
.. policy-action:: admin:ListServiceAccounts
Allows listing MinIO Service Account
.. policy-action:: admin:SetBucketQuota
Allows setting bucket quota
.. policy-action:: admin:GetBucketQuota
Allows getting bucket quota
.. policy-action:: admin:SetBucketTarget
Allows setting bucket target
.. policy-action:: admin:GetBucketTarget
Allows getting bucket targets
.. policy-action:: admin:SetTier
Allows creating and modifying remote storage tiers using the
:mc-cmd:`mc admin tier` command.
.. policy-action:: admin:ListTier
Allows listing configured remote storage tiers using the
:mc-cmd:`mc admin tier` command.
.. policy-action:: admin:BandwidthMonitor
Allows retrieving metrics related to current bandwidth consumption.
.. policy-action:: admin:Prometheus
Allows access to MinIO :ref:`metrics <minio-metrics-and-alerts-endpoints>`.
Only required if MinIO requires authentication for scraping metrics.
``mc admin`` Policy Condition Keys
----------------------------------
MinIO supports the following conditions for use with defining policies for
:mc-cmd:`mc admin` :ref:`actions <minio-policy-mc-admin-actions>`.
- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``
For complete information on any listed condition key, see the :iam-docs:`IAM
Condition Element Documentation <reference_policies_elements_condition.html>`