.. _minio-policy:

=================
Policy Management
=================

.. default-domain:: minio

.. contents:: Table of Contents
   :local:
   :depth: 1

Overview
--------

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions
and resources to which an authenticated user has access. Each policy describes
one or more :ref:`actions <minio-policy-actions>` and
:ref:`conditions <minio-policy-conditions>` that outline the permissions of a
:ref:`user ` or :ref:`group ` of users.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure,
and behavior. The MinIO documentation makes a best effort to cover IAM-specific
behavior and functionality. Consider deferring to the
:iam-docs:`IAM documentation <>` for more complete documentation on AWS
IAM-specific topics.

The :mc-cmd:`mc admin policy` command supports creation and management of
policies on the MinIO deployment. See the command reference for examples of
usage.

.. _minio-policy-built-in:

Built-In Policies
-----------------

MinIO provides the following built-in policies for assigning to
:ref:`users ` or :ref:`groups `:

.. userpolicy:: consoleAdmin

   Grants complete access to all S3 and administrative API operations against
   all resources on the MinIO deployment. Equivalent to the following set of
   actions:

   - :policy-action:`s3:*`
   - :policy-action:`admin:*`

.. userpolicy:: readonly

   Grants read-only permissions on any object on the MinIO deployment. The
   GET action *must* apply to a specific object without requiring any listing.
   Equivalent to the following set of actions:

   - :policy-action:`s3:GetBucketLocation`
   - :policy-action:`s3:GetObject`

   For example, this policy specifically supports GET operations on objects at
   a specific path (e.g. ``GET play/mybucket/object.file``), such as:

   - :mc-cmd:`mc cp`
   - :mc-cmd:`mc stat`
   - :mc-cmd:`mc head`
   - :mc-cmd:`mc cat`

   The exclusion of listing permissions is intentional, as typical use cases
   do not intend for a "read-only" role to have complete discoverability
   (listing all buckets and objects) on the object storage resource.

.. userpolicy:: readwrite

   Grants read and write permissions for all buckets and objects on the MinIO
   server. Equivalent to :policy-action:`s3:*`.

.. userpolicy:: diagnostics

   Grants permission to perform diagnostic actions on the MinIO deployment.
   Specifically includes the following actions:

   - :policy-action:`admin:ServerTrace`
   - :policy-action:`admin:Profiling`
   - :policy-action:`admin:ConsoleLog`
   - :policy-action:`admin:ServerInfo`
   - :policy-action:`admin:TopLocksInfo`
   - :policy-action:`admin:OBDInfo`
   - :policy-action:`admin:BandwidthMonitor`
   - :policy-action:`admin:Prometheus`

.. userpolicy:: writeonly

   Grants write-only permissions to any namespace (bucket and path to object)
   on the MinIO deployment. The PUT action *must* apply to a specific object
   location without requiring any listing. Equivalent to the
   :policy-action:`s3:PutObject` action.

Use :mc-cmd:`mc admin policy set` to associate a policy to a user or group on a
MinIO deployment. For example, consider the following table of users. Each user
is assigned a :ref:`built-in policy <minio-policy-built-in>` or a supported
:ref:`action <minio-policy-actions>`. The table describes a subset of
operations a client could perform if authenticated as that user:

.. list-table::
   :header-rows: 1
   :widths: 20 40 40
   :width: 100%

   * - User
     - Policy
     - Operations

   * - ``Operations``
     - | :userpolicy:`readwrite` on ``finance`` bucket
       | :userpolicy:`readonly` on ``audit`` bucket
     - | ``PUT`` and ``GET`` on ``finance`` bucket.
       | ``PUT`` on ``audit`` bucket

   * - ``Auditing``
     - | :userpolicy:`readonly` on ``audit`` bucket
     - ``GET`` on ``audit`` bucket

   * - ``Admin``
     - :policy-action:`admin:*`
     - All :mc-cmd:`mc admin` commands.
Each user can access only those resources and operations which are *explicitly*
granted by the built-in role. MinIO denies access to any other resource or
action by default.

.. admonition:: ``Deny`` overrides ``Allow``
   :class: note

   MinIO follows the IAM policy evaluation rules, where a ``Deny`` rule
   overrides an ``Allow`` rule on the same action/resource. For example, if a
   user has an explicitly assigned policy with an ``Allow`` rule for an
   action/resource while one of its groups has an assigned policy with a
   ``Deny`` rule for that action/resource, MinIO applies only the ``Deny``
   rule.

   For more information on IAM policy evaluation logic, see the IAM
   documentation on :iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account `.

.. _minio-policy-document:

Policy Document Structure
-------------------------

MinIO policy documents use the same schema as :aws-docs:`AWS IAM Policy `
documents. The following sample document provides a template for creating
custom policies for use with a MinIO deployment. For more complete
documentation on IAM policy elements, see the
:aws-docs:`IAM JSON Policy Elements Reference `.

.. code-block:: javascript
   :class: copyable

   {
      "Version" : "2012-10-17",
      "Statement" : [
         {
            "Effect" : "Allow",
            "Action" : [ "s3:<ActionName>", ... ],
            "Resource" : "arn:aws:s3:::*",
            "Condition" : { ... }
         },
         {
            "Effect" : "Deny",
            "Action" : [ "s3:<ActionName>", ... ],
            "Resource" : "arn:aws:s3:::*",
            "Condition" : { ... }
         }
      ]
   }

- For the ``Statement.Action`` array, specify one or more
  :ref:`supported S3 API operations <minio-policy-actions>`. MinIO deployments
  support a subset of AWS S3 API operations.

- For the ``Statement.Resource`` key, you can replace the ``*`` with the
  specific bucket to which the policy statement should apply. Using ``*``
  applies the statement to all resources on the MinIO deployment.

- For the ``Statement.Condition`` key, you can specify one or more
  :ref:`supported Conditions <minio-policy-conditions>`. MinIO deployments
  support a subset of AWS S3 conditions.

..
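The template above, worked through for the users in the table of the Built-In Policies section, as an added example that is not part of the MinIO documentation. It assembles a bucket-scoped policy document per user from the action sets this page gives for the built-in policies, then checks each document against the structural rules described for the template (``Version``, ``Effect``, action and resource shape). The validator's rules and the broad-grant check are this example's own choices, not a MinIO API; the bucket names come from the table.

```python
# Added example, not part of the MinIO documentation: builds the policy
# documents implied by the user table in the Built-In Policies section and
# checks them against the structural rules given for the template above.
# Action names are the ones this page lists; the bucket names come from the
# table; the validator's rules and the broad-grant check are constructed here.
import json
import re
from typing import Dict, List, Tuple

# Action sets the page gives as equivalent to each built-in policy.
BUILTIN_ACTIONS = {
    "readonly": ["s3:GetBucketLocation", "s3:GetObject"],
    "writeonly": ["s3:PutObject"],
    "readwrite": ["s3:*"],
}


def scoped_statement(builtin: str, bucket: str) -> dict:
    """Limit a built-in policy's actions to one bucket.

    The bare bucket ARN covers bucket-level actions (GetBucketLocation); the
    ``/*`` ARN covers object-level actions (GetObject, PutObject).
    """
    return {
        "Effect": "Allow",
        "Action": list(BUILTIN_ACTIONS[builtin]),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def build_policy(grants: List[Tuple[str, str]]) -> dict:
    """Assemble a policy document from (built-in policy, bucket) pairs."""
    return {
        "Version": "2012-10-17",
        "Statement": [scoped_statement(p, b) for p, b in grants],
    }


_ACTION_RE = re.compile(r"^(s3|admin):([A-Za-z]+|\*)$")
_RESOURCE_RE = re.compile(r"^arn:aws:s3:::\S*$")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def validate_policy(doc: dict) -> List[str]:
    """Return the structural problems found; an empty list means well-formed."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for action in _as_list(st.get("Action", [])):
            if not isinstance(action, str) or not _ACTION_RE.match(action):
                problems.append(f"statement {i}: malformed action {action!r}")
        resources = _as_list(st.get("Resource", []))
        if not resources:
            problems.append(f"statement {i}: Resource is required")
        for res in resources:
            if not isinstance(res, str) or not _RESOURCE_RE.match(res):
                problems.append(f"statement {i}: malformed resource {res!r}")
    return problems


def broad_grants(doc: dict) -> List[int]:
    """Indices of Allow statements pairing a ``*`` action with ``arn:aws:s3:::*``.

    Such statements are valid (consoleAdmin is one) but deserve review, since
    they hand out every operation on every resource.
    """
    return [
        i for i, st in enumerate(doc.get("Statement", []))
        if st.get("Effect") == "Allow"
        and any(a.endswith(":*") for a in _as_list(st.get("Action", [])))
        and "arn:aws:s3:::*" in _as_list(st.get("Resource", []))
    ]


# Grants from the user table: Operations gets readwrite on finance and
# readonly on audit; Auditing gets readonly on audit.
TABLE_USERS = {
    "Operations": [("readwrite", "finance"), ("readonly", "audit")],
    "Auditing": [("readonly", "audit")],
}


def table_policies() -> Dict[str, dict]:
    """One policy document per user in the table, ready for ``mc admin policy``."""
    return {user: build_policy(grants) for user, grants in TABLE_USERS.items()}


if __name__ == "__main__":
    for user, doc in table_policies().items():
        print(user, json.dumps(doc, indent=3), validate_policy(doc), sep="\n")
```

Running the script prints the two documents and an empty problem list for each; ``broad_grants`` is the reviewer's check that a scoped policy has not quietly become ``s3:*`` on ``arn:aws:s3:::*``.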
.. _minio-policy-actions:

Supported S3 Policy Actions
---------------------------

MinIO policy documents support a subset of IAM :iam-docs:`S3 Action keys `.
The following actions control access to common S3 operations. The remaining
subsections document actions for more advanced S3 operations:

.. policy-action:: s3:*

   Selector for *all* MinIO S3 operations. Applying this action to a given
   resource allows the user to perform *any* S3 operation against that
   resource.

.. policy-action:: s3:CreateBucket

   Controls access to the :s3-api:`CreateBucket ` S3 API operation.

.. policy-action:: s3:DeleteBucket

   Controls access to the :s3-api:`DeleteBucket ` S3 API operation.

.. policy-action:: s3:ForceDeleteBucket

   Controls access to the :s3-api:`DeleteBucket ` S3 API operation for
   operations with the ``x-minio-force-delete`` flag. Required for removing
   non-empty buckets.

.. policy-action:: s3:GetBucketLocation

   Controls access to the :s3-api:`GetBucketLocation ` S3 API operation.

.. policy-action:: s3:ListAllMyBuckets

   Controls access to the :s3-api:`ListBuckets ` S3 API operation.

.. policy-action:: s3:DeleteObject

   Controls access to the :s3-api:`DeleteObject ` S3 API operation.

.. policy-action:: s3:GetObject

   Controls access to the :s3-api:`GetObject ` S3 API operation.

.. policy-action:: s3:ListBucket

   Controls access to the :s3-api:`ListObjectsV2 ` S3 API operation.

.. policy-action:: s3:PutObject

   Controls access to the :s3-api:`PutObject ` S3 API operation.

.. policy-action:: s3:PutObjectTagging

   Controls access to the :s3-api:`PutObjectTagging ` S3 API operation.

.. policy-action:: s3:GetObjectTagging

   Controls access to the :s3-api:`GetObjectTagging ` S3 API operation.

Bucket Configuration
~~~~~~~~~~~~~~~~~~~~

.. policy-action:: s3:GetBucketPolicy

   Controls access to the :s3-api:`GetBucketPolicy ` S3 API operation.

.. policy-action:: s3:PutBucketPolicy

   Controls access to the :s3-api:`PutBucketPolicy ` S3 API operation.

..
.. policy-action:: s3:DeleteBucketPolicy

   Controls access to the :s3-api:`DeleteBucketPolicy ` S3 API operation.

.. policy-action:: s3:GetBucketTagging

   Controls access to the :s3-api:`GetBucketTagging ` S3 API operation.

.. policy-action:: s3:PutBucketTagging

   Controls access to the :s3-api:`PutBucketTagging ` S3 API operation.

Multipart Upload
~~~~~~~~~~~~~~~~

.. policy-action:: s3:AbortMultipartUpload

   Controls access to the :s3-api:`AbortMultipartUpload ` S3 API operation.

.. policy-action:: s3:ListMultipartUploadParts

   Controls access to the :s3-api:`ListParts ` S3 API operation.

.. policy-action:: s3:ListBucketMultipartUploads

   Controls access to the :s3-api:`ListMultipartUploads ` S3 API operation.

Versioning and Retention
~~~~~~~~~~~~~~~~~~~~~~~~

.. policy-action:: s3:PutBucketVersioning

   Controls access to the :s3-api:`PutBucketVersioning ` S3 API operation.

.. policy-action:: s3:GetBucketVersioning

   Controls access to the :s3-api:`GetBucketVersioning ` S3 API operation.

.. policy-action:: s3:DeleteObjectVersion

   Controls access to the :s3-api:`DeleteObjectVersion ` S3 API operation.

.. policy-action:: s3:DeleteObjectVersionTagging

   Controls access to the :s3-api:`DeleteObjectVersionTagging ` S3 API
   operation.

.. policy-action:: s3:GetObjectVersion

   Controls access to the :s3-api:`GetObjectVersion ` S3 API operation.

.. policy-action:: s3:BypassGovernanceRetention

   Controls access to the following S3 API operations on objects locked under
   :mc-cmd:`GOVERNANCE ` retention mode:

   - ``PutObjectRetention``
   - ``PutObject``
   - ``DeleteObject``

   See the S3 documentation on :s3-docs:`s3:BypassGovernanceRetention ` for
   more information.

.. policy-action:: s3:PutObjectRetention

   Controls access to the :s3-api:`PutObjectRetention ` S3 API operation.
   Required for any ``PutObject`` operation that specifies
   :ref:`retention metadata `.

.. policy-action:: s3:GetObjectRetention

   Controls access to the :s3-api:`GetObjectRetention ` S3 API operation.
   Required for including :ref:`object locking metadata ` as part of the
   response to a ``GetObject`` or ``HeadObject`` operation.

.. policy-action:: s3:GetObjectLegalHold

   Controls access to the :s3-api:`GetObjectLegalHold ` S3 API operation.
   Required for including :ref:`object locking metadata ` as part of the
   response to a ``GetObject`` or ``HeadObject`` operation.

.. policy-action:: s3:PutObjectLegalHold

   Controls access to the :s3-api:`PutObjectLegalHold ` S3 API operation.
   Required for any ``PutObject`` operation that specifies
   :ref:`legal hold metadata `.

.. policy-action:: s3:GetBucketObjectLockConfiguration

   Controls access to the :s3-api:`GetObjectLockConfiguration ` S3 API
   operation.

.. policy-action:: s3:PutBucketObjectLockConfiguration

   Controls access to the :s3-api:`PutObjectLockConfiguration ` S3 API
   operation.

Bucket Notifications
~~~~~~~~~~~~~~~~~~~~

.. policy-action:: s3:GetBucketNotification

   Controls access to the :s3-api:`GetBucketNotification ` S3 API operation.

.. policy-action:: s3:PutBucketNotification

   Controls access to the :s3-api:`PutBucketNotification ` S3 API operation.

.. policy-action:: s3:ListenNotification

   MinIO extension for controlling API operations related to MinIO Bucket
   Notifications. This action is **not** intended for use with other
   S3-compatible services.

.. policy-action:: s3:ListenBucketNotification

   MinIO extension for controlling API operations related to MinIO Bucket
   Notifications. This action is **not** intended for use with other
   S3-compatible services.

Object Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. policy-action:: s3:PutLifecycleConfiguration

   Controls access to the :s3-api:`PutLifecycleConfiguration ` S3 API
   operation.

.. policy-action:: s3:GetLifecycleConfiguration

   Controls access to the :s3-api:`GetLifecycleConfiguration ` S3 API
   operation.

Object Encryption
~~~~~~~~~~~~~~~~~

.. policy-action:: s3:PutEncryptionConfiguration

   Controls access to the :s3-api:`PutEncryptionConfiguration ` S3 API
   operation.

..
.. policy-action:: s3:GetEncryptionConfiguration

   Controls access to the :s3-api:`GetEncryptionConfiguration ` S3 API
   operation.

Bucket Replication
~~~~~~~~~~~~~~~~~~

.. policy-action:: s3:GetReplicationConfiguration

   Controls access to the :s3-api:`GetBucketReplication ` S3 API operation.

.. policy-action:: s3:PutReplicationConfiguration

   Controls access to the :s3-api:`PutBucketReplication ` S3 API operation.

.. policy-action:: s3:ReplicateObject

   MinIO extension for controlling API operations related to
   :ref:`Server-Side Bucket Replication `. Required for server-side
   replication.

.. policy-action:: s3:ReplicateDelete

   MinIO extension for controlling API operations related to
   :ref:`Server-Side Bucket Replication `. Required for synchronizing delete
   operations as part of server-side replication.

.. policy-action:: s3:ReplicateTags

   MinIO extension for controlling API operations related to
   :ref:`Server-Side Bucket Replication `. Required for server-side
   replication.

.. policy-action:: s3:GetObjectVersionForReplication

   MinIO extension for controlling API operations related to
   :ref:`Server-Side Bucket Replication `. Required for server-side
   replication.

.. _minio-policy-conditions:

Supported S3 Policy Condition Keys
----------------------------------

MinIO policy documents support IAM :iam-docs:`conditional statements `. Each
condition element consists of :iam-docs:`operators ` and condition keys.
MinIO supports a subset of IAM condition keys. For complete information on any
listed condition key, see the
:iam-docs:`IAM Condition Element Documentation `.

MinIO supports the following condition keys for all supported
:ref:`actions <minio-policy-actions>`:

- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``
- ``aws:PrincipalType``
- ``aws:userid``
- ``aws:username``
- ``x-amz-content-sha256``

The following table lists additional supported condition keys for specific
actions:

.. list-table::
   :header-rows: 1
   :widths: 30 70
   :width: 100%

   * - Action Key
     - Condition Keys

   * - :policy-action:`s3:GetObject`
     - | ``x-amz-server-side-encryption``
       | ``x-amz-server-side-encryption-customer-algorithm``

   * - :policy-action:`s3:ListBucket`
     - | ``prefix``
       | ``delimiter``
       | ``max-keys``

   * - :policy-action:`s3:PutObject`
     - | ``x-amz-copy-source``
       | ``x-amz-server-side-encryption``
       | ``x-amz-server-side-encryption-customer-algorithm``
       | ``x-amz-metadata-directive``
       | ``x-amz-storage-class``
       | ``object-lock-retain-until-date``
       | ``object-lock-mode``
       | ``object-lock-legal-hold``

   * - :policy-action:`s3:PutObjectRetention`
     - | ``x-amz-object-lock-remaining-retention-days``
       | ``x-amz-object-lock-retain-until-date``
       | ``x-amz-object-lock-mode``

   * - :policy-action:`s3:PutObjectLegalHold`
     - ``object-lock-legal-hold``

   * - :policy-action:`s3:BypassGovernanceRetention`
     - | ``object-lock-remaining-retention-days``
       | ``object-lock-retain-until-date``
       | ``object-lock-mode``
       | ``object-lock-legal-hold``

   * - :policy-action:`s3:GetObjectVersion`
     - ``versionid``

   * - :policy-action:`s3:DeleteObjectVersion`
     - ``versionid``

.. _minio-policy-mc-admin-actions:

``mc admin`` Policy Action Keys
-------------------------------

MinIO supports the following actions for use with defining policies for
:mc-cmd:`mc admin` operations. These actions are *only* valid for MinIO
deployments and are *not* intended for use with other S3-compatible services:

.. policy-action:: admin:*

   Selector for all admin action keys.

.. policy-action:: admin:Heal

   Allows the heal command.

.. policy-action:: admin:StorageInfo

   Allows listing server info.

.. policy-action:: admin:DataUsageInfo

   Allows listing data usage info.

.. policy-action:: admin:TopLocksInfo

   Allows listing top locks.

.. policy-action:: admin:Profiling

   Allows profiling.

.. policy-action:: admin:ServerTrace

   Allows listing server trace.

.. policy-action:: admin:ConsoleLog

   Allows listing console logs on the terminal.

..
.. policy-action:: admin:KMSCreateKey

   Allows creating a new KMS master key.

.. policy-action:: admin:KMSKeyStatus

   Allows getting KMS key status.

.. policy-action:: admin:ServerInfo

   Allows listing server info.

.. policy-action:: admin:OBDInfo

   Allows obtaining cluster on-board diagnostics.

.. policy-action:: admin:ServerUpdate

   Allows MinIO binary update.

.. policy-action:: admin:ServiceRestart

   Allows restart of the MinIO service.

.. policy-action:: admin:ServiceStop

   Allows stopping the MinIO service.

.. policy-action:: admin:ConfigUpdate

   Allows MinIO config management.

.. policy-action:: admin:CreateUser

   Allows creating a MinIO user.

.. policy-action:: admin:DeleteUser

   Allows deleting a MinIO user.

.. policy-action:: admin:ListUsers

   Allows listing users.

.. policy-action:: admin:EnableUser

   Allows enabling a user.

.. policy-action:: admin:DisableUser

   Allows disabling a user.

.. policy-action:: admin:GetUser

   Allows GET permission on user info.

.. policy-action:: admin:AddUserToGroup

   Allows adding a user to a group.

.. policy-action:: admin:RemoveUserFromGroup

   Allows removing a user from a group.

.. policy-action:: admin:GetGroup

   Allows getting group info.

.. policy-action:: admin:ListGroups

   Allows listing groups.

.. policy-action:: admin:EnableGroup

   Allows enabling a group.

.. policy-action:: admin:DisableGroup

   Allows disabling a group.

.. policy-action:: admin:CreatePolicy

   Allows creating a policy.

.. policy-action:: admin:DeletePolicy

   Allows deleting a policy.

.. policy-action:: admin:GetPolicy

   Allows getting a policy.

.. policy-action:: admin:AttachUserOrGroupPolicy

   Allows attaching a policy to a user/group.

.. policy-action:: admin:ListUserPolicies

   Allows listing user policies.

.. policy-action:: admin:CreateServiceAccount

   Allows creating a MinIO Service Account.

.. policy-action:: admin:UpdateServiceAccount

   Allows updating a MinIO Service Account.

.. policy-action:: admin:RemoveServiceAccount

   Allows deleting a MinIO Service Account.

.. policy-action:: admin:ListServiceAccounts

   Allows listing MinIO Service Accounts.

.. policy-action:: admin:SetBucketQuota

   Allows setting a bucket quota.

.. policy-action:: admin:GetBucketQuota

   Allows getting a bucket quota.

.. policy-action:: admin:SetBucketTarget

   Allows setting a bucket target.

.. policy-action:: admin:GetBucketTarget

   Allows getting bucket targets.

.. policy-action:: admin:SetTier

   Allows creating and modifying remote storage tiers using the
   :mc-cmd:`mc admin tier` command.

.. policy-action:: admin:ListTier

   Allows listing configured remote storage tiers using the
   :mc-cmd:`mc admin tier` command.

.. policy-action:: admin:BandwidthMonitor

   Allows retrieving metrics related to current bandwidth consumption.

.. policy-action:: admin:Prometheus

   Allows access to MinIO :ref:`metrics `. Only required if MinIO requires
   authentication for scraping metrics.

``mc admin`` Policy Condition Keys
----------------------------------

MinIO supports the following conditions for use with defining policies for
:mc-cmd:`mc admin` :ref:`actions <minio-policy-mc-admin-actions>`.

- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``

For complete information on any listed condition key, see the
:iam-docs:`IAM Condition Element Documentation `.
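The evaluation rules stated on this page (the ``Deny`` overrides ``Allow`` note in the Policy Document Structure section, wildcard matching of ``Action`` and ``Resource``, and the ``aws:SourceIp``, ``aws:SecureTransport`` and ``prefix`` condition keys listed in the two condition-key sections), written out as a small request evaluator. This is an added example and not MinIO's own evaluator; the operator names ``IpAddress``, ``Bool``, ``StringEquals`` and ``StringLike`` are the AWS IAM operators. The two policies, the group that carries the ``Deny``, the office network range and the request contexts are constructed for illustration.

```python
# Added example, not MinIO's own code: applies the rules this page states to a
# single request. Action and Resource match with IAM-style wildcards, an
# explicit Deny in any attached policy overrides every Allow, and a request
# with no matching Allow is denied. The policies, group assignment, network
# range and request contexts are constructed for illustration.
import fnmatch
import ipaddress
from typing import List


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM wildcard match: ``*`` matches any run of characters, ``?`` one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Every operator/key pair in a Condition block must be satisfied."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # key absent from the request: condition fails
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(n, strict=False)
                           for n in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not _matches(expected, actual):
                    return False
            else:
                return False  # unknown operator: fail closed
    return True


def evaluate(policies: List[dict], action: str, resource: str, ctx: dict) -> str:
    """Decide one request over every policy attached to the user and its groups."""
    allowed = False
    for doc in policies:
        for st in doc["Statement"]:
            if not (_matches(st["Action"], action)
                    and _matches(st["Resource"], resource)
                    and _condition_holds(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # Deny overrides Allow, whichever policy holds it
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: denied by default


# Constructed user policy: reads and deletes on the audit bucket, but only
# over TLS and only from the (constructed) 10.20.0.0/16 office range.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::audit", "arn:aws:s3:::audit/*"],
        "Condition": {
            "Bool": {"aws:SecureTransport": "true"},
            "IpAddress": {"aws:SourceIp": "10.20.0.0/16"},
        },
    }],
}
# Constructed policy on one of the user's groups: forbids deleting audit
# objects and allows listing the audit bucket only under the 2024/ prefix.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::audit/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::audit",
         "Condition": {"StringLike": {"prefix": "2024/*"}}},
    ],
}
ATTACHED = [USER_POLICY, GROUP_POLICY]


def decide(action: str, resource: str, source_ip: str = "10.20.5.7",
           tls: str = "true", **extra) -> str:
    """Evaluate a request for the constructed user under a given request context."""
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": tls, **extra}
    return evaluate(ATTACHED, action, resource, ctx)


if __name__ == "__main__":
    obj = "arn:aws:s3:::audit/2024/report.csv"
    print(decide("s3:GetObject", obj))                 # Allow
    print(decide("s3:DeleteObject", obj))              # Deny: group Deny wins
    print(decide("s3:GetObject", obj, tls="false"))    # Deny: condition fails
```

The ``DeleteObject`` case is the note's scenario: the user's own policy allows it, the group's policy denies it, and the ``Deny`` wins. The ``ListBucket`` case shows why ``prefix`` is a condition key rather than a resource: the bucket ARN matches either way, and only the request's ``prefix`` value decides the outcome.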