## We are going to make the following changes to the Object Store docs as part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression from a basic setup to more advanced. For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
  - Monitoring and Alerting using Prometheus
  - Monitoring and Alerting using InfluxDB
  - Monitoring and Alerting using Grafana
  - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages. Therefore we're going to try to collapse back into a single MinIO Object Storage product, and use simple navigation and on-page selectors to handle Baremetal vs Kubernetes. This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
## Access the Operator Console

Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. For instructions, see Configure access to the Operator Console service <minio-k8s-deploy-operator-access-console>.

Open your browser to the temporary URL and enter the JWT token into the login page. You should see the **Tenants** page.

To deploy a new MinIO Tenant with OIDC external identity management, select the **+ Create Tenant** button.

To configure an existing MinIO Tenant with OIDC external identity management, select that Tenant from the displayed list. The following steps reference the necessary sections and configuration settings for existing Tenants.
## Complete the Identity Provider Section

To enable external identity management with an OIDC provider, select the **Identity Provider** section. You can then change the radio button to **OIDC** to display the configuration settings.

An asterisk (`*`) marks required fields. The following table provides general guidance for those fields:

| Field | Description |
|-------|-------------|
| Configuration URL | The hostname of the OpenID `.well-known/openid-configuration` file. |
| Client ID / Secret ID | The Client ID and Secret ID MinIO uses when authenticating OIDC user credentials against the OIDC service. |
| Claim Name | The OIDC claim MinIO uses for identifying the policies <minio-policy> to attach to the authenticated user. |

Once you complete the section, you can finish any other required sections of Tenant Deployment <minio-k8s-deploy-minio-tenant>.

## Assign Policies to OIDC Users
MinIO by default assigns no policies <minio-policy> to OIDC users. MinIO uses the specified user claim to identify one or more policies to attach to the authenticated user. If the claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.

The following example assumes an existing alias <alias> configured for the MinIO Tenant.

Consider the following example policy that grants general S3 API access on only the `data` bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::data",
        "arn:aws:s3:::data/*"
      ]
    }
  ]
}
```
Use the `mc admin policy create` command to create a policy for use by an OIDC user:

```shell
mc admin policy create minio-tenant datareadonly /path/to/datareadonly.json
```
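The claim-to-policy lookup described above, written out as a small model so the two failure modes (an empty claim, or a claim naming a policy that does not exist on the deployment) are visible. This is an added example, not MinIO's own code: the accepted claim layouts (a single string, a comma-separated string, or a list of strings), the `EXISTING_POLICIES` set and the unsigned sample JWT are all constructed for the illustration.

```python
"""Model of how the configured OIDC claim selects MinIO policies.

Added example, not MinIO's implementation. It follows the documented
behaviour: the claim names one or more policies; names that do not exist
on the deployment are ignored, and an empty result means no permissions.
The claim layouts accepted here are an assumption of this example.
"""
import base64
import json

# Constructed sample: policies that exist on the deployment, e.g. after
# `mc admin policy create minio-tenant datareadonly ...`.
EXISTING_POLICIES = {"datareadonly", "consoleAdmin", "readonly"}


def claim_policies(payload: dict, claim_name: str) -> set[str]:
    """Return the policy names present in the configured claim.

    Accepts a single string, a comma-separated string, or a list of
    strings (assumption of this example); anything else counts as empty.
    Whitespace is stripped and empty entries are dropped.
    """
    value = payload.get(claim_name)
    if isinstance(value, str):
        parts = value.split(",")
    elif isinstance(value, list):
        parts = [p for p in value if isinstance(p, str)]
    else:
        parts = []
    return {p.strip() for p in parts if p.strip()}


def effective_policies(payload: dict, claim_name: str,
                       existing: set[str] = EXISTING_POLICIES) -> set[str]:
    """Policies that would be attached: only names that exist on the deployment.

    An empty set means the authenticated user has no permissions on the Tenant.
    """
    return claim_policies(payload, claim_name) & existing


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.

    Only the base64url body is parsed so the claim can be inspected;
    signature verification is done by the party that trusts the token
    (MinIO, via the provider's keys) and is out of scope here.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    body = segments[1]
    body += "=" * (-len(body) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT for the examples below (not a real token)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


if __name__ == "__main__":
    token = make_sample_jwt({"sub": "alice", "policy": "datareadonly, readonly"})
    print(effective_policies(decode_jwt_payload(token), "policy"))
    # Claim names only a policy that does not exist: no permissions.
    print(effective_policies({"policy": ["doesnotexist"]}, "policy"))
```

Run it directly to see the two cases; the second print shows an empty set, which is exactly the "no permissions" outcome the text warns about when the claim and the deployment's policy names drift apart.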
MinIO attaches the `datareadonly` policy to any authenticated OIDC user with `datareadonly` included in the configured claim.

See minio-external-identity-management-openid-access-control for more information on access control with OIDC users and groups.

## Generate S3-Compatible Temporary Credentials using OIDC Credentials
Applications can generate temporary access credentials as needed using the minio-sts-assumerolewithwebidentity Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the OIDC (OpenID Connect) provider.

The application must provide a workflow for logging into the OIDC (OpenID Connect) provider and retrieving the JSON Web Token (JWT) associated to the authentication session. Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication. MinIO provides an example Go application web-identity.go <minio/blob/master/docs/sts/web-identity.go> with an example of managing this workflow.

Once the application retrieves the JWT token, use the `AssumeRoleWithWebIdentity` endpoint to generate the temporary credentials:

```
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86400
&Policy=Policy
```
- Replace `minio.example.net` with the hostname or URL of the MinIO Tenant service.
- Replace `TOKEN` with the JWT token returned in the previous step.
- Replace `DurationSeconds` with the duration in seconds until the temporary credentials expire. The example above specifies a period of `86400` seconds, or 24 hours.
- Replace `Policy` with an inline URL-encoded JSON policy <minio-policy> that further restricts the permissions associated to the temporary credentials. Omit to use the policy associated to the OpenID user policy claim <minio-external-identity-management-openid-access-control>.

The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.
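The request and response halves of the exchange above, as an added example rather than code from MinIO or the page's `web-identity.go`: it form-encodes the parameters (including the optional inline `Policy`), parses the XML response into a credential object, and computes how long the credentials remain valid so the caller knows when to refresh. The XML document in the block is a constructed sample with placeholder values in the AWS STS response shape; the endpoint and token are the placeholders from the text.

```python
"""Build an AssumeRoleWithWebIdentity request and parse its response.

Added example, not MinIO's own code. Assumes the form-encoded request
shape shown above and the AWS STS-style XML response; SAMPLE_RESPONSE is
a constructed document with placeholder values, not real output.
"""
import json
import urllib.parse
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

STS_NS = "https://sts.amazonaws.com/doc/2011-06-15/"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_request(endpoint: str, token: str, duration_seconds: int = 86400,
                  policy: Optional[dict] = None) -> tuple[str, str]:
    """Return (url, body) for the STS POST.

    The optional JSON policy is serialised and URL-encoded as a single
    parameter, which is what `&Policy=Policy` stands for above. Omitting
    it leaves the user's claim-derived policy in force.
    """
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "WebIdentityToken": token,
        "Version": "2011-06-15",
        "DurationSeconds": str(duration_seconds),
    }
    if policy is not None:
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    return endpoint, urllib.parse.urlencode(params)


def decode_body(body: str) -> dict:
    """Decode a form-encoded body back into a dict (useful for inspection)."""
    return dict(urllib.parse.parse_qsl(body))


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key: str
    secret_key: str
    session_token: str
    expiration: datetime


def parse_response(xml_text: str) -> TemporaryCredentials:
    """Extract the credentials from the STS XML response; fail loudly if absent."""
    root = ET.fromstring(xml_text)
    ns = {"sts": STS_NS}
    creds = root.find("sts:AssumeRoleWithWebIdentityResult/sts:Credentials", ns)
    if creds is None:
        raise ValueError("response contains no Credentials element")

    def text(tag: str) -> str:
        node = creds.find(f"sts:{tag}", ns)
        if node is None or not node.text:
            raise ValueError(f"missing {tag}")
        return node.text.strip()

    exp = datetime.strptime(text("Expiration"), TIME_FMT).replace(tzinfo=timezone.utc)
    return TemporaryCredentials(text("AccessKeyId"), text("SecretAccessKey"),
                                text("SessionToken"), exp)


def seconds_remaining(creds: TemporaryCredentials, now_utc: str) -> int:
    """Seconds of validity left at `now_utc` (same timestamp format as Expiration)."""
    now = datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    return max(0, int((creds.expiration - now).total_seconds()))


# Constructed sample response with placeholder values.
SAMPLE_RESPONSE = f"""<AssumeRoleWithWebIdentityResponse xmlns="{STS_NS}">
  <AssumeRoleWithWebIdentityResult>
    <AssumedRoleUser><Arn></Arn><AssumeRoleId></AssumeRoleId></AssumedRoleUser>
    <Credentials>
      <AccessKeyId>EXAMPLE_ACCESS_KEY</AccessKeyId>
      <SecretAccessKey>EXAMPLE_SECRET_KEY</SecretAccessKey>
      <Expiration>2024-01-02T00:00:00Z</Expiration>
      <SessionToken>EXAMPLE_SESSION_TOKEN</SessionToken>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata/>
</AssumeRoleWithWebIdentityResponse>
"""

if __name__ == "__main__":
    url, body = build_request("https://minio.example.net", "TOKEN",
                              policy={"Version": "2012-10-17", "Statement": []})
    print(url, body)
    creds = parse_response(SAMPLE_RESPONSE)
    print(creds.access_key, seconds_remaining(creds, "2024-01-01T00:00:00Z"))
```

Sending the body is left to whatever HTTP client the application already uses; the point of keeping the builder and parser as plain functions is that both can be unit-tested offline, and that a response missing any credential field raises instead of silently producing a half-populated credential set.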
See the minio-sts-assumerolewithwebidentity for reference documentation.

- Replace