Deploy MinIO Tenant with OpenID Connect Identity Management
1) Access the Operator Console
Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
kubectl minio proxy
The command returns output similar to the following:
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT into the login page. You should see the Tenants page.
Click + Create Tenant to start creating a MinIO Tenant.
If you are modifying an existing Tenant, select that Tenant from the list. The following steps reference the necessary sections and configuration settings for existing Tenants.
2) Complete the Identity Provider Section
To enable external identity management with an OIDC provider, select the Identity Provider section, then change the radio button to OIDC to display the configuration settings.
An asterisk * marks required fields. The following table provides general guidance for those fields:
Field | Description |
---|---|
Configuration URL | The URL of the OpenID provider's .well-known/openid-configuration file. |
Client ID / Secret ID | The Client ID and Secret ID MinIO uses when authenticating OIDC user credentials against the OIDC service. |
Claim Name | The OIDC claim MinIO uses to identify the policies <minio-policy> to attach to the authenticated user. |
Once you complete the section, you can finish any other required sections of Tenant Deployment <minio-k8s-deploy-minio-tenant>.
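The Configuration URL is the one field in this section that a misconfiguration silently breaks: MinIO fetches the discovery document from it and trusts the issuer and jwks_uri it advertises. The following script is an added example, not part of the MinIO documentation or code base, that validates a Configuration URL and the discovery document it returns before you paste the URL into the Operator Console. It checks the required fields, that the document's issuer equals the Configuration URL minus the .well-known suffix (the rule OpenID Connect Discovery imposes), and that every endpoint is served over https. The hostname idp.example.net and the sample document are constructed for the example.

```python
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"
# Fields the OpenID Connect Discovery specification requires in the document.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: the Configuration URL typed into the Operator Console and the
# discovery document that URL returns. The hostname idp.example.net is an assumption.
SAMPLE_CONFIG_URL = "https://idp.example.net/realms/minio" + DISCOVERY_PATH
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.net/realms/minio",
    "authorization_endpoint": "https://idp.example.net/realms/minio/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.net/realms/minio/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.net/realms/minio/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
})


def check_configuration_url(url):
    """Return a list of problems with the Configuration URL (empty list means OK)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("Configuration URL must use https")
    if not parsed.path.endswith(DISCOVERY_PATH):
        problems.append("Configuration URL must end with " + DISCOVERY_PATH)
    return problems


def check_discovery_document(doc_text, config_url):
    """Return a list of problems with the discovery document (empty list means OK).

    Checks the required fields, that the advertised issuer is the Configuration
    URL minus the .well-known suffix (as OpenID Connect Discovery requires), and
    that every endpoint MinIO will contact is served over https.
    """
    problems = check_configuration_url(config_url)
    try:
        doc = json.loads(doc_text)
    except ValueError:
        return problems + ["discovery document is not valid JSON"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("discovery document is missing " + field)

    if config_url.endswith(DISCOVERY_PATH):
        expected_issuer = config_url[: -len(DISCOVERY_PATH)]
        issuer = str(doc.get("issuer", ""))
        if issuer.rstrip("/") != expected_issuer.rstrip("/"):
            problems.append(
                "issuer %r does not match Configuration URL prefix %r" % (issuer, expected_issuer)
            )

    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if isinstance(value, str) and urlparse(value).scheme != "https":
            problems.append(field + " is not served over https")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_DISCOVERY with the body returned by an HTTPS GET of the real URL.
    for problem in check_discovery_document(SAMPLE_DISCOVERY, SAMPLE_CONFIG_URL) or ["OK"]:
        print(problem)
```

An issuer mismatch is worth catching before deployment: it usually means the URL points at a proxy or a different realm than the one that signs the tokens, and the resulting login failures are hard to diagnose from the Console alone.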
3) Assign Policies to OIDC Users
MinIO by default assigns no policies <minio-policy> to OIDC users. MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user. If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.
The following example assumes an existing alias <alias> configured for the MinIO Tenant. See the Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports> procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
Consider the following example policy that grants general S3 API access on only the data bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::data",
        "arn:aws:s3:::data/*"
      ]
    }
  ]
}
Use the mc admin policy add command to create a policy for use by an OIDC user:
mc admin policy add minio-tenant datareadonly /path/to/datareadonly.json
MinIO attaches the datareadonly policy to any authenticated OIDC user whose configured claim includes datareadonly.
See minio-external-identity-management-openid-access-control for more information on access control with OIDC users and groups.
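The mapping described above, from the configured claim to the policies MinIO attaches, is easy to get wrong at the provider side (wrong claim name, a policy name that was never created, a claim that is a list rather than a string). The script below is an added example, not MinIO's own code, that mirrors the rule in the text against a decoded token payload: it reads the claim, keeps only names that exist on the Tenant, and reports the rest. It also flags a point a reviewer would raise about the policy above: it is named datareadonly but allows s3:* on the bucket, which is not read-only. The claim name "policy", the token payload and the set of existing policies are constructed for the example; the assumption that the claim holds either a comma-separated string or a JSON array of names, and that a partial match attaches the existing subset, is stated in the comments.

```python
import json

# Constructed sample: the decoded payload of the ID token the OIDC provider returns
# after login. The claim name "policy" and its value are assumptions; MinIO reads
# whatever Claim Name the Tenant was configured with.
SAMPLE_CLAIMS = {
    "sub": "e1b2c3d4-example",
    "iss": "https://idp.example.net/realms/minio",
    "aud": "minio-tenant",
    "policy": "datareadonly, diagnostics",
}

# Policies present on the Tenant (assumption: created with mc admin policy add,
# plus MinIO's built-in readonly and readwrite policies).
EXISTING_POLICIES = {"readonly", "readwrite", "diagnostics", "datareadonly"}

# The policy document from the text, as saved in datareadonly.json.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::data", "arn:aws:s3:::data/*"]
    }
  ]
}
""")

# Actions a policy may allow and still be considered read-only here (assumption).
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"}


def policies_from_claim(claims, claim_name="policy"):
    """Names listed in the configured claim, in claim order.

    Assumption about the claim format: either one string holding comma-separated
    policy names or a JSON array of names; anything else yields no policies."""
    value = claims.get(claim_name)
    if isinstance(value, str):
        names = value.split(",")
    elif isinstance(value, list):
        names = [str(v) for v in value]
    else:
        return []
    return [n.strip() for n in names if n.strip()]


def effective_policies(claims, existing, claim_name="policy"):
    """Split the requested names into (attached, missing).

    Only policies that exist on the deployment can be attached; with an empty
    claim or no matches, attached is empty and the user has no permissions.
    Assumption: a partial match attaches the existing subset."""
    requested = policies_from_claim(claims, claim_name)
    attached = [p for p in requested if p in existing]
    missing = [p for p in requested if p not in existing]
    return attached, missing


def policy_actions(policy):
    """Flatten the Action entries of every Allow statement into a set."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def is_read_only(policy):
    """True only when every allowed action is in READ_ONLY_ACTIONS; a wildcard fails."""
    return policy_actions(policy) <= READ_ONLY_ACTIONS


if __name__ == "__main__":
    attached, missing = effective_policies(SAMPLE_CLAIMS, EXISTING_POLICIES)
    print("attached:", attached, "missing:", missing)
    print("datareadonly is read-only:", is_read_only(PAGE_POLICY))
```

Running effective_policies against a real token payload (decoded from the id_token your provider issued to a test user) is a quick way to confirm the Claim Name in the Operator Console matches what the provider actually emits before users report empty bucket listings.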
4) Use the MinIO Tenant Console to Log In with OIDC Credentials
The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO minio-sts-assumerolewithwebidentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
See the Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console> for instructions on accessing the Tenant Console.
If the OIDC configuration succeeded, the Console displays a button to log in with OIDC credentials.
Enter the user's OIDC credentials and log in to access the Console.
Once logged in, you can perform any action for which the authenticated user is authorized <minio-external-identity-management-openid-access-control>.
You can also create service accounts <minio-idp-service-account> for supporting applications which must perform operations on MinIO. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account.
5) Generate S3-Compatible Temporary Credentials using OIDC Credentials
Applications can generate temporary access credentials as needed using the minio-sts-assumerolewithwebidentity Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the OIDC (OpenID Connect) provider.
The application must provide a workflow for logging into the OIDC (OpenID Connect) provider and retrieving the JSON Web Token (JWT) associated with the authentication session. Defer to the provider documentation for obtaining and parsing the JWT after successful authentication. MinIO provides an example Go application web-identity.go <minio/blob/master/docs/sts/web-identity.go> with an example of managing this workflow.
Once the application retrieves the JWT, use the AssumeRoleWithWebIdentity endpoint to generate the temporary credentials:
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86400
&Policy=Policy
- Replace minio.example.net with the hostname or URL of the MinIO Tenant service.
- Replace TOKEN with the JWT returned in the previous step.
- Set DurationSeconds to the duration in seconds until the temporary credentials expire. The example above specifies a period of 86400 seconds, or 24 hours.
- Set Policy to an inline URL-encoded JSON policy <minio-policy> that further restricts the permissions associated with the temporary credentials. Omit it to use the policy associated with the OpenID user policy claim <minio-external-identity-management-openid-access-control>.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.
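The request and response described above, as an added example that is not part of the MinIO documentation or the web-identity.go program it references. build_sts_request assembles the parameters from the text into a form-encoded POST body, which also takes care of the URL-encoding the inline Policy needs; parse_sts_response pulls the access key, secret key, session token and expiration out of the XML document. The response is a constructed sample with placeholder credential values, the STS XML namespace is the 2011-06-15 one the Version parameter selects, and the endpoint https://minio.example.net and token value TOKEN are the placeholders from the text.

```python
import json
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

# Namespace of the XML response; matches the Version parameter in the request.
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Constructed sample response; every credential value is a placeholder.
SAMPLE_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
      <Expiration>2024-01-02T03:04:05Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def build_sts_request(endpoint, jwt, duration_seconds=86400, inline_policy=None):
    """Return (url, form_body) for a POST to the AssumeRoleWithWebIdentity endpoint.

    The parameters from the text go in the form-encoded body; urlencode applies
    the percent-encoding the inline JSON Policy requires. Pass inline_policy=None
    to fall back to the policies named by the user's OIDC policy claim."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "WebIdentityToken": jwt,
        "Version": "2011-06-15",
        "DurationSeconds": str(duration_seconds),
    }
    if inline_policy is not None:
        # Compact JSON keeps the encoded parameter short; urlencode escapes it.
        params["Policy"] = json.dumps(inline_policy, separators=(",", ":"))
    return endpoint, urlencode(params)


def decode_sts_body(form_body):
    """Decode a form body back into {name: value} so a request can be inspected."""
    return {k: v[0] for k, v in parse_qs(form_body).items()}


def parse_sts_response(xml_bytes):
    """Extract the temporary credentials from the XML response.

    Raises ValueError when the Credentials element or any field is absent, so a
    caller never continues with a half-populated credential set."""
    root = ET.fromstring(xml_bytes)
    creds = root.find(".//" + STS_NS + "Credentials")
    if creds is None:
        raise ValueError("response has no Credentials element")
    result = {}
    for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        el = creds.find(STS_NS + tag)
        if el is None or not el.text:
            raise ValueError("response is missing " + tag)
        result[tag] = el.text.strip()
    return result


if __name__ == "__main__":
    # Restrict the temporary credentials to reads on the data bucket (constructed policy).
    restrict = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::data", "arn:aws:s3:::data/*"]}],
    }
    url, body = build_sts_request("https://minio.example.net", "TOKEN", 3600, restrict)
    print("POST", url)
    print(body)
    # With a live Tenant, send `body` as application/x-www-form-urlencoded and pass
    # the response bytes to parse_sts_response; here the constructed sample stands in.
    print(parse_sts_response(SAMPLE_RESPONSE))
```

Two practical points follow from the code: the inline Policy can only narrow what the claim-mapped policies already allow, so a read-only inline policy is a cheap way to hand an application credentials that cannot write even if the user's own policy can; and the Expiration field should drive credential refresh in the application rather than the DurationSeconds it asked for, since the server may shorten it.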
See the minio-sts-assumerolewithwebidentity for reference documentation.