mirror of https://github.com/minio/docs.git synced 2025-07-31 18:04:52 +03:00

Final pass on platformization (#555)

This commit is contained in:
Ravind Kumar
2022-09-16 16:40:20 -04:00
committed by GitHub
parent 5efcffbff1
commit d815aa9ce8
144 changed files with 1510 additions and 1102 deletions

View File

@ -1,6 +1,6 @@
.. start-create-transition-rule-desc
Use the :mc-cmd:`mc ilm add` command to create a new transition rule
Use the :mc:`mc ilm add` command to create a new transition rule
for the bucket. The following example configures transition after the
specified number of calendar days:

View File

@ -19,7 +19,7 @@ MinIO does *not* support replicating client-side encrypted objects (SSE-C).
MinIO server-side replication only works between MinIO deployments.
Both the source and destination deployments *must* run MinIO.
To configure replication between arbitrary S3-compatible services, use :mc-cmd:`mc mirror`.
To configure replication between arbitrary S3-compatible services, use :mc:`mc mirror`.
.. end-replication-minio-only
@ -115,7 +115,7 @@ Each MinIO deployment ("peer site") synchronizes the following changes across th
- Bucket and Object Configurations
- :ref:`Policies <minio-policy>`
- :mc-cmd:`mc tag set`
- :mc:`mc tag set`
- :ref:`Locks <minio-object-locking>`, including retention and legal hold configurations
- :ref:`Encryption settings <minio-encryption-overview>`

View File

@ -121,7 +121,7 @@ F) Select :guilabel:`Save` to finish adding the replication rule
.. start-create-bucket-replication-rule-cli-desc
Use the :mc-cmd:`mc replicate add` command to add a new replication rule to each MinIO deployment.
Use the :mc:`mc replicate add` command to add a new replication rule to each MinIO deployment.
.. code-block:: shell
:class: copyable
@ -147,7 +147,7 @@ Use the :mc-cmd:`mc replicate add` command to add a new replication rule to each
See :mc-cmd:`mc replicate add --replicate` for more complete documentation.
Omit any field to disable replication of that component.
Specify any other supported optional arguments for :mc-cmd:`mc replicate add`.
Specify any other supported optional arguments for :mc:`mc replicate add`.
.. end-create-bucket-replication-rule-cli-desc
@ -175,14 +175,14 @@ F) Go to the other deployment's console and select the destination bucket define
.. start-validate-bucket-replication-cli-desc
Use :mc-cmd:`mc cp` to copy a new object to the replicated bucket on one of the deployments.
Use :mc:`mc cp` to copy a new object to the replicated bucket on one of the deployments.
.. code-block:: shell
:class: copyable
mc cp ~/foo.txt ALIAS/BUCKET
Use :mc-cmd:`mc ls` to verify the object exists on the destination bucket:
Use :mc:`mc ls` to verify the object exists on the destination bucket:
.. code-block:: shell
:class: copyable

View File

@ -91,7 +91,7 @@ Include any other environment variables as required for your local deployment.
You can access the MinIO deployment over a Terminal or Shell using the :ref:`MinIO Client <minio-client>` (:mc:`mc`).
See :ref:`MinIO Client Installation Quickstart <mc-install>` for instructions on installing :mc:`mc`.
Create a new :mc-cmd:`alias <mc alias set>` corresponding to the MinIO deployment.
Create a new :mc:`alias <mc alias set>` corresponding to the MinIO deployment.
Specify any of the hostnames or IP addresses from the MinIO Server ``API`` block, such as http://localhost:9000.
.. code-block:: shell

View File

@ -109,7 +109,7 @@ If you run |KES| without tying it to the current shell session (e.g. with ``nohu
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to add a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.
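Review bot: the change on the `Use ``kes key create`` *or* ...` line moves `mc admin kms key create` from `:mc:` to `:mc-cmd:`, which runs opposite to the rest of this commit, where full command references such as `mc ilm add` and `mc replicate add` move from `:mc-cmd:` to `:mc:` and only flag references such as `mc replicate add --replicate` and `minio server --console-address` end up on `:mc-cmd:`. Confirm that `mc admin kms key create` is registered as an `mc-cmd` target (a subcommand entry rather than a top-level command page), otherwise this cross-reference will not resolve; the same swap is repeated in the other `start-kes-generate-key-desc` hunks in this commit.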

View File

@ -90,7 +90,7 @@ The instructions include examples for both quay.io and DockerHub:
You can access the MinIO deployment over a Terminal or Shell using the :ref:`MinIO Client <minio-client>` (:mc:`mc`).
See :ref:`MinIO Client Installation Quickstart <mc-install>` for instructions on installing :mc:`mc`.
Create a new :mc-cmd:`alias <mc alias set>` corresponding to the MinIO deployment.
Create a new :mc:`alias <mc alias set>` corresponding to the MinIO deployment.
Use a hostname or IP address for your local machine along with the S3 API port ``9000`` to access the MinIO deployment.
Any traffic to that port on the local host redirects to the container.

View File

@ -125,7 +125,7 @@ KES automatically creates this key if it does not already exist on the root KMS.
MinIO requires that the |EK| exist on the root KMS *before* performing
|SSE| operations using that key. Use ``kes key create`` *or*
:mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
:mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new
External Key (EK) stored on the root KMS server for use with encrypting

View File

@ -253,8 +253,8 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc-cmd:`mc` commands against this alias:
Use :mc:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc:`mc` commands against this alias:
.. code-block:: shell
:class: copyable
@ -264,7 +264,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server
@ -310,7 +310,7 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -320,7 +320,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server
@ -343,7 +343,7 @@ Procedure
\path\to\mc.exe --help
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -353,7 +353,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server

View File

@ -116,7 +116,7 @@ The following table describes each line of the command and provides additional c
* - ``minio server --console-address ":9090"``
- Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step.
The :mc:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
The :mc-cmd:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
This option is *required* for containerized environments.
If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container.

View File

@ -107,7 +107,7 @@ The following table describes each line of the command and provides additional c
* - ``minio server --console-address ":9090"``
- Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step.
The :mc:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
The :mc-cmd:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
This option is *required* for containerized environments.
If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container.

View File

@ -1,6 +1,6 @@
.. start-minio-only
MinIO does not support using :mc-cmd:`mc admin` commands with other
MinIO does not support using :mc:`mc admin` commands with other
S3-compatible services, regardless of their claimed compatibility with MinIO
deployments.

View File

@ -11,7 +11,7 @@ existed at specified point-in-time.
|rewind| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-rewind-desc
@ -22,7 +22,7 @@ bucket.
|versions| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-versions-desc
@ -32,7 +32,7 @@ that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
|versionid| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-version-id-desc

View File

@ -4,7 +4,8 @@ This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io
- For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.
- For Vault deployments external to the Kubernetes cluster, you must configure Ingress or a similar network control plane component to allow the MinIO Tenant to establish connectivity to Vault.
- For Vault deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
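Review bot: the replacement bullet now says reaching an external Vault "may require ... enabling access to the public internet", which reads as a recommendation to open general egress from the Tenant. Consider narrowing it to routing to the Vault endpoint specifically (the removed wording named Ingress or a similar network control plane component), so readers do not grant broader network access than the KMS connection needs.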
@ -80,7 +81,7 @@ You can use either the MinIO Tenant Console or the MinIO :mc:`mc` CLI to enable
.. start-kes-generate-key-desc
MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
You can use the :mc:`mc admin kms key create` command against the MinIO Tenant.
You can use the :mc-cmd:`mc admin kms key create` command against the MinIO Tenant.
You must ensure your local host can access the MinIO Tenant pods and services before using :mc:`mc` to manage the Tenant.
You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.

View File

@ -0,0 +1,10 @@
.. start-requires-operator-plugin
Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator.
The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin
This documentation assumes the latest stable Operator and Plugin version |operator-version-stable|.
.. end-requires-operator-plugin
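Review bot: the sentence `The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin` is missing its terminal period. "Matching" is also left undefined; since the next sentence pins both components to |operator-version-stable|, say explicitly that the Plugin version should match the installed Operator version.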

View File

@ -144,7 +144,7 @@ Procedure
#. **(Optional) Connect the MinIO Client**
If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc-cmd:`mc alias set` command to authenticate and connect to the MinIO deployment:
If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc:`mc alias set` command to authenticate and connect to the MinIO deployment:
.. code-block:: shell
:class: copyable

View File

@ -0,0 +1,141 @@
Deploy MinIO Tenant with Active Directory / LDAP Identity Management
--------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
If you are modifying an existing Tenant, select that Tenant from the list.
The following steps reference the necessary sections and configuration settings for existing Tenants.
2) Complete the :guilabel:`Identity Provider` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable external identity management with an Active Directory / LDAP provider, select the :guilabel:`Identity Provider` section.
You can then change the radio button to :guilabel:`Active Directory` to display the configuration settings.
.. image:: /images/k8s/operator-create-tenant-identity-provider-adldap.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - LDAP Server Address
- The hostname of the Active Directory or LDAP server.
* - Lookup Bind DN
- The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server.
See :ref:`minio-external-identity-management-ad-ldap-lookup-bind` for more information.
* - List of user DNs (Distinguished Names) to be Tenant Administrators
- Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns a :ref:`policy <minio-policy>` with administrative permissions for the Tenant.
You can specify multiple :abbr:`DNs (Distinguished Names)` by selecting the plus :octicon:`plus-circle` icon.
You can delete a DN by selecting the trash can :octicon:`trash` icon for that DN.
Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Assign Policies to AD/LDAP Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO by default assigns no :ref:`policies <minio-policy>` to AD/LDAP users or groups.
You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.
The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
Use the :mc-cmd:`mc admin policy set` command to assign a user or group DN to an existing MinIO Policy:
.. code-block:: shell
:class: copyable
mc admin policy set minio-tenant POLICY user='uid=primary,cn=applications,dc=domain,dc=com'
mc admin policy set minio-tenant policy group='cn=applications,ou=groups,dc=domain,dc=com'
Replace ``POLICY`` with the name of the MinIO policy to assign to the user or group DN.
See :ref:`minio-external-identity-management-ad-ldap-access-control` for more information on access control with AD/LDAP users and groups.
4) Use the MinIO Tenant Console to Log In with AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials.
Enter the user's AD/LDAP credentials and log in to access the Console.
Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-ad-ldap-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO.
Service accounts are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service account.
5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint.
MinIO provides an example Go application :minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` with an example of managing this workflow.
.. code-block:: shell
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}
- Replace ``minio.example.net`` with the hostname or URL for the MinIO Tenant service.
- Replace the ``LDAPUsername`` with the username of the AD/LDAP user.
- Replace the ``LDAPPassword`` with the password of the AD/LDAP user.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
Omit to use the :ref:`policy whose name matches <minio-external-identity-management-ad-ldap-access-control>` the Distinguished Name (DN) of the AD/LDAP user.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date.
Applications can use the access key and secret key to access and perform operations on MinIO.
See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation.
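Review bot: the two `mc admin policy set` examples use different placeholders (`POLICY` on the user line, lowercase `policy` on the group line) while the following sentence only tells the reader to replace ``POLICY``; use the same uppercase placeholder on both lines. Two smaller fixes in the same file: `Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns` should read `Specify the user DNs ... to which MinIO assigns`, and `:mc-cmd:`kubectl minio proxy`` should be checked against the role used for that command elsewhere in the docs, since this commit moves most command references to `:mc:`.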

View File

@ -35,8 +35,6 @@ Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with AWS Key Management Service during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then change the :guilabel:`Vault` Radio button to :guilabel:`AWS` to display the configuration settings.

View File

@ -0,0 +1,163 @@
Deploy MinIO Tenant with OpenID Connect Identity Management
-----------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
If you are modifying an existing Tenant, select that Tenant from the list.
The following steps reference the necessary sections and configuration settings for existing Tenants.
2) Complete the :guilabel:`Identity Provider` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable external identity management with an OIDC select the :guilabel:`Identity Provider` section.
You can then change the radio button to :guilabel:`OIDC` to display the configuration settings.
.. image:: /images/k8s/operator-create-tenant-identity-provider-openid.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - Configuration URL
- The hostname of the OpenID ``.well-known/openid-configuration`` file.
* - | Client ID
| Secret ID
- The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service.
* - Claim Name
- The OIDC Claim MinIO uses for identifying the :ref:`policies <minio-policy>` to attach to the authenticated user.
Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Assign Policies to OIDC Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO by default assigns no :ref:`policies <minio-policy>` to OIDC users.
MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user.
If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.
The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
Consider the following example policy that grants general S3 API access on only the ``data`` bucket:
.. code-block:: json
:class: copyable
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::data",
"arn:aws:s3:::data/*"
]
}
]
}
Use the :mc-cmd:`mc admin policy add` command to create a policy for use by an OIDC user:
.. code-block:: shell
:class: copyable
mc admin policy add minio-tenant datareadonly /path/to/datareadonly.json
MinIO attaches the ``datareadonly`` policy to any authenticated OIDC user with ``datareadonly`` included in the configured claim.
See :ref:`minio-external-identity-management-openid-access-control` for more information on access control with OIDC users and groups.
4) Use the MinIO Tenant Console to Log In with OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials.
Enter the user's OIDC credentials and log in to access the Console.
Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-openid-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO.
Service accounts are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service account.
5) Generate S3-Compatible Temporary Credentials using OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider.
The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated to the authentication session.
Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication.
MinIO provides an example Go application :minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` with an example of managing this workflow.
Once the application retrieves the JWT token, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
.. code-block:: shell
:class: copyable
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86400
&Policy=Policy
- Replace ``minio.example.net`` with the hostname or URL of the MinIO Tenant service.
- Replace the ``TOKEN`` with the JWT token returned in the previous step.
- Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
Omit to use the policy associated to the OpenID user :ref:`policy claim <minio-external-identity-management-openid-access-control>`.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date.
Applications can use the access key and secret key to access and perform operations on MinIO.
See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
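Review bot: the Console section (step 4) says the Console generates temporary credentials "using the MinIO :ref:`minio-sts-assumerolewithldapidentity` ... endpoint", which is the LDAP STS API; for OIDC this should be :ref:`minio-sts-assumerolewithwebidentity`, the endpoint that step 5 and the closing reference already use. Also, the example policy is named `datareadonly` but grants `s3:*` on the ``data`` bucket, so the name promises a read-only scope the policy does not enforce; either restrict the actions (for example `s3:GetObject` and `s3:ListBucket`) or rename the example. Finally, `To enable external identity management with an OIDC select` needs a noun and a comma: `with an OIDC provider, select`.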

View File

@ -156,7 +156,7 @@ They do not otherwise enable TLS for other client connections to MinIO.
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to add a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

View File

@ -103,7 +103,7 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to create a new alias associated to your local deployment.
Use :mc:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc-cmd:`mc` commands against this alias:
.. code-block:: shell
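Review bot: the line `You can run :mc-cmd:`mc` commands against this alias:` is left unchanged in this hunk while the preceding line and the identical sentence in the other quickstart (`You can run :mc:`mc` commands against this alias:`) were moved to `:mc:`; update it as well so the role is consistent across the quickstarts.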
@ -112,7 +112,7 @@ Procedure
mc alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc admin info local
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server

View File

@ -114,7 +114,7 @@ Procedure
mc {command} {flag}
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -122,7 +122,7 @@ Procedure
mc alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc admin info local
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server

View File

@ -76,6 +76,6 @@
make
To update a source-based installation, use ``go get -u``.
:mc-cmd:`mc update` does not support source-based installations.
:mc:`mc update` does not support source-based installations.

View File

@ -4,7 +4,7 @@ The following example assumes that the ``play`` alias exists in the
:mc-cmd:`mc` :ref:`configuration file <mc-configuration>`. You can
replace ``play`` with the alias for your preferred S3-compatible deployment.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-play-alias-only
@ -16,7 +16,7 @@ The following example assumes that the ``play`` and ``s3`` aliases exist in the
``play`` and ``s3`` with the aliases for your preferred S3-compatible
deployments.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-play-s3-alias
@ -27,6 +27,6 @@ alias points to a local ``minio`` server running on port ``9000``. See
<installation instructions> for more information on installing and running
a local ``minio`` server instance.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-myminio-alias

View File

@ -88,7 +88,7 @@ Run the following command in a terminal or shell to start the MinIO server as a
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.

View File

@ -109,7 +109,7 @@ Procedure
\path\to\mc.exe --help
Use :mc-cmd:`mc.exe alias set <mc alias set>` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc.exe alias set <mc alias set>` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -117,7 +117,7 @@ Procedure
mc.exe alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc.exe admin info local
The :mc-cmd:`mc.exe alias set <mc alias set>` takes four arguments:
The :mc:`mc.exe alias set <mc alias set>` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server