Closes #639
Closes #635
Partially Addresses #590

- MINIO #16026 https://github.com/minio/minio/pull/16026
- MINIO #16044 https://github.com/minio/minio/pull/16044
- MINIO #16035 https://github.com/minio/minio/pull/16035
- CONSOLE #2428 https://github.com/minio/console/pull/2428

Other Fixes:

- Removes admonition about IDP interactions (multi-IDP support)
- Update Console screenshots and overview page to cover layout changes
- Partial fix for DOCS #590 (Policy now under Identity section)
mc admin user svcacct
Description
The mc admin user svcacct command creates and manages Access Keys on a
MinIO deployment.
Each access key is linked to a user identity and inherits the policies
attached to its parent user or to those groups in which the parent user
has membership.
Each access key also supports an optional inline policy which further
restricts access to a subset of actions and resources available to the
parent user.
mc admin user svcacct only supports creating access keys for MinIO-managed
and Active Directory/LDAP-managed accounts.
To create access keys for OpenID Connect-managed users, log into the
MinIO Console and generate the access keys through the UI.
Use mc admin on MinIO Deployments Only
The mc admin user svcacct command has the following
subcommands:
| Subcommand | Description |
|---|---|
| mc admin user svcacct add | Adds a new access key to an existing MinIO or AD/LDAP user. |
| mc admin user svcacct list | Lists the existing access keys associated to a MinIO or AD/LDAP user. |
| mc admin user svcacct remove | Removes an access key from a MinIO or AD/LDAP user. |
| mc admin user svcacct info | Returns detailed information on an access key. |
| mc admin user svcacct edit | Modifies the secret key or inline policy associated with an access key. |
| mc admin user svcacct enable | Enables an access key. |
| mc admin user svcacct disable | Disables an access key. |
Syntax
add
Adds a new access key associated to the specified user.
EXAMPLE
The following command creates a new access key associated to an existing MinIO user:
mc admin user svcacct add \
--access-key "myuserserviceaccount" \
--secret-key "myuserserviceaccountpassword" \
--policy "/path/to/policy.json" \
myminio myuser
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct add \
[--access-key] \
[--secret-key] \
[--policy] \
ALIAS \
USER
ALIAS
The alias of the MinIO deployment.
USER
The name of the user to which MinIO adds the new access keys.
- For MinIO-managed users, specify the access key for the user.
- For Active Directory/LDAP users, specify the Distinguished Name of the user.
- For OpenID Connect users, use the MinIO Console to generate access keys.
--access-key
The access key to associate with the new access keys. Omit to direct MinIO to autogenerate the access key for the new access keys.
Access Key names must be unique across all users.
--secret-key
The secret key to associate with the new access keys. Omit to direct MinIO to autogenerate the secret key for the new access keys.
--policy
The path to a policy document to attach to the
new access keys. The attached policy cannot grant access to any action
or resource not explicitly allowed by the parent user's policies.
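The inline policy described above can be used to hand an application a key that is narrower than its parent user. The following script is an added example, not part of the MinIO documentation: it writes a read-only policy for a single bucket and passes it to `mc admin user svcacct add`. The bucket name `reports`, the function names, and the `MC` dry-run variable are assumptions made for illustration; `myminio` and `myuser` are the alias and user from the example above.

```shell
#!/bin/sh
# Added example (not from the MinIO docs): create an access key limited to
# read-only access on one bucket. "reports" is a constructed bucket name.
set -eu

MC="${MC:-mc}"   # set MC=echo for a dry run that only prints the command

# Write an inline policy in the IAM-style JSON syntax that MinIO policies use.
# It narrows the parent user's permissions; it cannot add new ones.
write_readonly_policy() {
  policy_bucket="$1"
  policy_out="$2"
  cat > "$policy_out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::${policy_bucket}",
        "arn:aws:s3:::${policy_bucket}/*"
      ]
    }
  ]
}
EOF
}

# Create the key. --access-key and --secret-key are omitted so MinIO
# autogenerates both values instead of taking them from the command line,
# where they would land in shell history and process listings.
create_scoped_key() {
  key_alias="$1"; key_user="$2"; key_bucket="$3"
  key_policy="$(mktemp)"
  write_readonly_policy "$key_bucket" "$key_policy"
  key_status=0
  $MC admin user svcacct add --policy "$key_policy" "$key_alias" "$key_user" \
    || key_status=$?
  rm -f "$key_policy"
  return "$key_status"
}

# Run only when asked, e.g.: sh scoped-key.sh --run myminio myuser reports
if [ "${1:-}" = "--run" ]; then
  create_scoped_key "$2" "$3" "$4"
fi
```

After creation, `mc admin user svcacct info --policy` on the new access key shows the policy that was actually attached.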
list
Lists all access keys associated to the specified user.
EXAMPLE
The following command lists all access keys associated to an existing MinIO user:
mc admin user svcacct list myminio myuser
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct list \
ALIAS \
USER
ALIAS
The alias of the MinIO deployment.
USER
The name of the user whose access keys MinIO lists.
- For MinIO-managed users, specify the access key for the user.
- For Active Directory/LDAP users, specify the Distinguished Name of the user.
- For OpenID Connect users, use the MinIO Console to list access keys.
remove
Removes an access key associated to the specified user. Applications can no longer authenticate using that access key after removal.
EXAMPLE
The following command removes the specified access key:
mc admin user svcacct remove myminio myuserserviceaccount
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct remove \
ALIAS \
SERVICEACCOUNT
ALIAS
The alias of the MinIO deployment.
SERVICEACCOUNT
The access key to remove.
info
Returns a description of an access key associated to the specified user. The description includes the parent user of the specified access key, its status, and whether the access key has an assigned inline policy.
EXAMPLE
The following command returns detailed information on the specified access key:
mc admin user svcacct info --policy myminio myuserserviceaccount
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct info \
[--policy] \
ALIAS \
SERVICEACCOUNT
ALIAS
The alias of the MinIO deployment.
SERVICEACCOUNT
The access key to return information on.
--policy
Returns the policy attached to the access key in JSON format. The
output is null if the access key has no attached
policy.
edit
Modifies the configuration of an access key associated to the specified user.
EXAMPLE
The following command modifies the specified access key:
mc admin user svcacct edit \
--secret-key "myuserserviceaccountnewsecretkey" \
--policy "/path/to/new/policy.json" \
myminio myuserserviceaccount
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct edit \
[--secret-key] \
[--policy] \
ALIAS \
SERVICEACCOUNT
ALIAS
The alias of the MinIO deployment.
SERVICEACCOUNT
The access key to modify.
--secret-key
The new secret key to associate with the access key. Overwrites the previous secret key. Applications using the access key must update to use the new credentials to continue performing operations.
--policy
The path to a policy document to attach to the
access key. The attached policy cannot grant access to any action
or resource not explicitly allowed by the parent user's policies.
The new policy overwrites any previously attached policy.
enable
Enables an access key for the specified user. Applications can only authenticate using enabled access keys.
EXAMPLE
The following command enables the specified access key:
mc admin user svcacct enable myminio myuserserviceaccount
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct enable \
ALIAS \
SERVICEACCOUNT
ALIAS
The alias of the MinIO deployment.
SERVICEACCOUNT
The access key to enable.
disable
Disables an access key for the specified user. Applications can only authenticate using enabled access keys.
EXAMPLE
The following command disables the specified access key:
mc admin user svcacct disable myminio myuserserviceaccount
SYNTAX
The command has the following syntax:
mc [GLOBALFLAGS] admin user svcacct disable \
ALIAS \
SERVICEACCOUNT
ALIAS
The alias of the MinIO deployment.
SERVICEACCOUNT
The access key to disable.