mc admin user
Description
The mc admin user command manages users on a MinIO deployment. Clients must authenticate to the MinIO deployment with the access key and secret key associated with a user on the deployment. MinIO users constitute a key component in MinIO Identity and Access Management.
Use mc admin on MinIO Deployments Only
Users and Policy-Based Access Control
MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a user. Users also inherit the policies of any groups of which they are members. A user's total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.
Newly created users have no policies by default and therefore cannot perform any operations on the MinIO deployment. To configure a user's assigned policies, you can do either or both of the following:
- Use mc admin policy set to associate one or more policies to the user.
- Use mc admin group add to associate the user to the group. Users inherit any policies assigned to the group.
Each user's total set of permissions consists of their explicitly assigned permissions and the inherited permissions from each of their assigned groups.
For more information on MinIO users and groups, see minio-users and minio-groups. For more information on MinIO policies, see MinIO Policy Based Access Control.
Deny overrides Allow
MinIO follows the IAM standard where a Deny rule overrides an Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
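The evaluation rules described above (explicit plus group-inherited policies, no policies means no access, Deny overrides Allow), shown as an added example that is not MinIO's own code: a simplified evaluator over IAM-style policy documents. The policies, bucket and group names, and the ImplicitDeny label are constructed for illustration; condition keys and NotAction/NotResource are not modelled.

```python
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """True if value matches any pattern; '*' is a wildcard as in policy documents."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(user_policies, group_policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    user_policies:  policies assigned directly to the user.
    group_policies: {group name: [policies]} for the groups the user belongs to.
    """
    effective = list(user_policies)
    for policies in group_policies.values():
        effective.extend(policies)  # inherited via group membership
    allowed = False
    for policy in effective:
        for stmt in policy.get("Statement", []):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins wherever it is attached
            allowed = True
    # A user with no matching Allow (e.g. newly created, no policies) gets nothing.
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies (not taken from any real deployment).
READ_REPORTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}
DENY_FINANCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports/finance/*"}]}


def demo():
    groups = {"contractors": [DENY_FINANCE]}
    get = "s3:GetObject"
    return {
        "new_user": evaluate([], {}, get, "arn:aws:s3:::reports/q1.csv"),
        "allowed": evaluate([READ_REPORTS], groups, get, "arn:aws:s3:::reports/q1.csv"),
        "denied": evaluate([READ_REPORTS], groups, get, "arn:aws:s3:::reports/finance/q1.csv"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Running the same requests through such a model before attaching a group policy helps catch a group-level Deny that would silently override a user's explicit Allow.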
Examples
Create a New User
Use mc admin user add to create a user on an S3-compatible host:
mc admin user add ALIAS ACCESSKEY SECRETKEY
- Replace ALIAS with the alias of the S3-compatible host.
- Replace ACCESSKEY with the access key for the user. MinIO allows retrieving the access key after user creation through the mc admin user info command.
- Replace SECRETKEY with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.
Specify a unique, random, and long string for both the ACCESSKEY and SECRETKEY. Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.
List Available Users
Use mc admin user list to list all users on an S3-compatible host:
mc admin user list ALIAS
- Replace ALIAS with the alias of the S3-compatible host.
mc admin user list does not return the access key or secret key associated with a user. Use mc admin user info to retrieve detailed user information, including the user access key.
View User Details
Use mc admin user info to view detailed user information on an S3-compatible host:
mc admin user info ALIAS USERNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace USERNAME with the name of the user.
Remove a User
Use mc admin user remove to remove a user from an S3-compatible host:
mc admin user remove ALIAS USERNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace USERNAME with the name of the user to remove.
Disable a User
Use mc admin user disable to disable a user on an S3-compatible host. Disabling a user prevents clients from authenticating to the S3 host with that user's credentials, but does not remove that user from the S3 host.
Use mc admin user enable to enable a disabled user on an S3-compatible host.
mc admin user disable ALIAS USERNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace USERNAME with the name of the user to disable.
Enable a User
Use mc admin user enable to enable a user on an S3-compatible host.
mc admin user enable ALIAS USERNAME
- Replace ALIAS with the alias of the S3-compatible host.
- Replace USERNAME with the name of the user to enable.
Syntax
add
Adds a new user to the target MinIO deployment. The command has the following syntax:
mc admin user add TARGET ACCESSKEY SECRETKEY
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command creates the new user.
ACCESSKEY
The access key that uniquely identifies the new user, similar to a username.
SECRETKEY
The secret key for the new user. Consider the following guidance when creating a secret key:
- The key should be unique
- The key should be long (Greater than 12 characters)
- The key should be complex (A mixture of characters, numerals, and symbols)
list
Lists all users on the target MinIO deployment. The command has the following syntax:
mc admin user list TARGET
The command accepts the following argument:
TARGET
The alias of a configured MinIO deployment from which the command lists users.
info
Returns detailed information of a user on the target MinIO deployment. The command has the following syntax:
mc admin user info TARGET USERNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment from which the command retrieves the specified user information.
USERNAME
The name of the user whose information the command retrieves.
remove
Removes a user from the target MinIO deployment. The command has the following syntax:
mc admin user remove TARGET USERNAME
The command supports the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command removes the specified user.
USERNAME
The name of the user which the command removes.
disable
Disables a user on the target MinIO deployment. Clients cannot use the user credentials to authenticate to the MinIO deployment. Disabling a user does not remove that user from the deployment.
The command has the following syntax:
mc admin user disable TARGET USERNAME
The command supports the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command disables the specified user.
USERNAME
The name of the user to disable.
enable
Enables a user on the target deployment. Clients can only use enabled users to authenticate to the MinIO deployment. Users created using mc admin user add are enabled by default.
The command has the following syntax:
mc admin user enable TARGET USERNAME
The command supports the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command enables the specified user.
USERNAME
The name of the user to enable.