mirror of https://github.com/minio/docs.git synced 2025-09-17 18:22:26 +03:00
docs/source/reference/minio-mc-admin/mc-admin-policy.rst
2022-09-16 16:40:20 -04:00

mc admin policy


Description

The mc admin policy command manages policies for use with MinIO Policy-Based Access Control (PBAC). MinIO PBAC uses IAM-compatible policy JSON documents to define rules for accessing resources on a MinIO server.

For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see the MinIO access management documentation (minio-access-management).

Examples

Create a Policy

Consider the following JSON policy document:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListAllMyBuckets"
         ],
         "Resource": [
            "arn:aws:s3:::*"
         ]
      }
   ]
}

The following mc admin policy add command creates a new policy listbucketsonly on the myminio MinIO deployment using the example JSON policy document:

mc admin policy add myminio listbucketsonly /path/to/listbucketsonly.json

You can associate the new listbucketsonly policy to users or groups on the myminio deployment using the mc admin policy set command.

List Available Policies

The following mc admin policy list command lists the available policies on the myminio MinIO deployment:

mc admin policy list myminio

The command returns output that resembles the following:

readwrite
writeonly

To retrieve information on a specific policy, use the mc admin policy info command:

mc admin policy info myminio writeonly

The command returns output that resembles the following:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::*"
         ]
      }
   ]
}

Remove a Policy

The following mc admin policy remove command removes a policy on the myminio MinIO deployment:

mc admin policy remove myminio listbucketsonly

Apply a Policy to a User or Group

  • Use the mc admin user list command to return a list of users on the target MinIO deployment.
  • Use the mc admin group list command to return a list of groups on the target MinIO deployment.

The following mc admin policy set command associates the listbucketsonly policy to a user on the myminio MinIO deployment. Replace the <USER> with the name of a user that exists on the deployment.

mc admin policy set myminio listbucketsonly user=<USER>

The following mc admin policy set command associates the listbucketsonly policy to a group on the myminio MinIO deployment. Replace the <GROUP> with the name of a group that exists on the deployment.

mc admin policy set myminio listbucketsonly group=<GROUP>

Syntax

add

Creates a new policy on the target MinIO deployment. The command has the following syntax:

mc admin policy add TARGET POLICYNAME POLICYPATH

The mc admin policy add command accepts the following arguments:

TARGET

The alias (see mc alias) of a configured MinIO deployment on which to add the new policy.

POLICYNAME

The name of the policy to add.

Specifying the name of an existing policy overwrites that policy on the TARGET MinIO deployment.

POLICYPATH

The file path to the policy to add. The file must be a JSON-formatted file with IAM-compatible syntax.
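
Because add silently overwrites a policy of the same name, a wrapper can check for an existing policy first. The following is an added example, not part of the MinIO documentation: policy_add_guarded, its --replace argument and POLICY_BACKUP_DIR are hypothetical names, and it assumes that mc admin policy info exits non-zero when the named policy does not exist.

```sh
#!/bin/sh
# Added example: guard around `mc admin policy add`, which overwrites a
# same-named policy. Assumption: `mc admin policy info` exits non-zero
# when the named policy does not exist on the target.

# policy_add_guarded TARGET POLICYNAME POLICYPATH [--replace]
# Returns: 0 added, 2 unreadable policy file, 3 refused (policy exists),
#          4 could not save a backup, otherwise the exit status of mc.
policy_add_guarded() {
    target=$1 name=$2 path=$3 mode=${4:-}
    backup_dir=${POLICY_BACKUP_DIR:-./policy-backups}   # hypothetical variable

    if [ ! -r "$path" ]; then
        echo "policy file not readable: $path" >&2
        return 2
    fi

    # Does a policy with this name already exist on the deployment?
    if mc admin policy info "$target" "$name" >/dev/null 2>&1; then
        if [ "$mode" != "--replace" ]; then
            echo "refusing to overwrite existing policy '$name' on $target" >&2
            return 3
        fi
        # Keep the current document so the change can be reviewed or reverted.
        mkdir -p "$backup_dir" || return 4
        backup="$backup_dir/$target-$name.$(date +%Y%m%dT%H%M%S).json"
        mc admin policy info "$target" "$name" >"$backup" || return 4
        echo "saved previous policy to $backup" >&2
    fi

    mc admin policy add "$target" "$name" "$path"
}
```

Call it as policy_add_guarded myminio listbucketsonly /path/to/listbucketsonly.json, adding --replace only when the overwrite is intended.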

list

Lists all policies on the target MinIO deployment. The command has the following syntax:

mc admin policy list TARGET

For example, the following command lists all policies on the myminio MinIO deployment:

mc admin policy list myminio

The mc admin policy list command accepts the following arguments:

TARGET

The alias (see mc alias) of a configured MinIO deployment from which the command lists the available policies.

info

Returns the specified policy in JSON format if it exists on the target MinIO deployment. The command has the following syntax:

mc admin policy info TARGET POLICYNAME

mc admin policy info accepts the following arguments:

TARGET

The alias (see mc alias) of a configured MinIO deployment from which the command returns information on the specified policy.

POLICYNAME

The name of the policy whose details the command returns.

set

Applies an existing policy to a user or group on the target MinIO deployment. mc admin policy set overwrites the existing policy associated to the user or group.

The command has the following syntax:

mc admin policy set TARGET POLICYNAME[,POLICYNAME,...] [ user=USERNAME | group=GROUPNAME ]

The command accepts the following arguments:

TARGET

The alias (see mc alias) of a configured MinIO deployment on which the command associates the POLICYNAME to the specified user or group.

POLICYNAME

The name of the policy which the command associates to the specified user or group. Specify multiple policies as a comma-separated list.

MinIO deployments include the following built-in policies (minio-policy-built-in) by default:

  • readonly
  • readwrite
  • diagnostics
  • writeonly

user

The name of the user to which the command associates the POLICYNAME. Specify as user=USERNAME.

Mutually exclusive with group.

group

The name of the group to which the command associates the POLICYNAME. Specify as group=GROUPNAME. All users with membership in the group inherit the policies associated to the group.

Mutually exclusive with user.

remove

This command removes an existing policy from the target MinIO deployment. The command has the following syntax:

mc admin policy remove TARGET POLICYNAME

The command accepts the following arguments:

TARGET

The alias (see mc alias) of a configured MinIO deployment on which the command removes the POLICYNAME.

POLICYNAME

The name of the policy which the command removes from the TARGET deployment.