
mc admin policy

Description

The mc admin policy command manages policies for use with MinIO Policy-Based Access Control (PBAC). MinIO PBAC uses IAM-compatible policy JSON documents to define rules for accessing resources on a MinIO server.

For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see Access Management.

Examples

Create a Policy

The following example uses the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance.

See mc alias for more information on aliases.

Consider the following JSON policy document:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListAllMyBuckets"
         ],
         "Resource": [
            "arn:aws:s3:::*"
         ]
      }
   ]
}

The following mc admin policy add command creates a new policy listbucketsonly on the myminio MinIO deployment using the example JSON policy document:

mc admin policy add myminio listbucketsonly /path/to/listbucketsonly.json

You can associate the new listbucketsonly policy to users or groups on the myminio deployment using the mc admin policy set command.

List Available Policies

The following example uses the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance.

See mc alias for more information on aliases.

The following mc admin policy list command lists the available policies on the myminio MinIO deployment:

mc admin policy list myminio

The command returns output that resembles the following:

readwrite
writeonly

To retrieve information on a specific policy, use the mc admin policy info command:

mc admin policy info myminio writeonly

The command returns output that resembles the following:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::*"
         ]
      }
   ]
}

Remove a Policy

The following example uses the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance.

See mc alias for more information on aliases.

The following mc admin policy remove command removes a policy on the myminio MinIO deployment:

mc admin policy remove myminio listbucketsonly

Apply a Policy to a User or Group

The following example uses the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance.

See mc alias for more information on aliases.

  • Use the mc admin user list command to return a list of users on the target MinIO deployment.

  • Use the mc admin group list command to return a list of groups on the target MinIO deployment.

The following mc admin policy set command associates the listbucketsonly policy to a user on the myminio MinIO deployment. Replace <USER> with the name of a user that exists on the deployment.

mc admin policy set myminio listbucketsonly user=<USER>

The following mc admin policy set command associates the listbucketsonly policy to a group on the myminio MinIO deployment. Replace <GROUP> with the name of a group that exists on the deployment.

mc admin policy set myminio listbucketsonly group=<GROUP>

Syntax

mc admin policy add

Creates a new policy on the target MinIO deployment. The command has the following syntax:

mc admin policy add TARGET POLICYNAME POLICYPATH

The mc admin policy add command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which to add the new policy.

POLICYNAME

The name of the policy to add.

Specifying the name of an existing policy overwrites that policy on the TARGET MinIO deployment.

POLICYPATH

The file path to the policy to add. The file must be a JSON-formatted file with IAM-compatible syntax.
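Because specifying an existing POLICYNAME overwrites that policy, a wrapper can check for the name first and keep a copy of the current document before replacing it. The following is an added example, not part of the MinIO documentation or the mc tool: guarded_policy_add, ALLOW_OVERWRITE and POLICY_BACKUP_DIR are hypothetical names, and the script assumes that mc admin policy info exits non-zero when the policy does not exist.

```shell
#!/bin/sh
# Added example: wrapper around `mc admin policy add` that will not silently
# overwrite an existing policy. guarded_policy_add, ALLOW_OVERWRITE and
# POLICY_BACKUP_DIR are hypothetical names, not part of mc.
# Assumption: `mc admin policy info` exits non-zero when the policy is absent.

# Usage: guarded_policy_add TARGET POLICYNAME POLICYPATH
# Returns: 0 added, 2 bad usage, 3 unreadable file, 4 refused, 5 backup failed
guarded_policy_add() {
    if [ "$#" -ne 3 ]; then
        echo "usage: guarded_policy_add TARGET POLICYNAME POLICYPATH" >&2
        return 2
    fi
    gpa_target=$1 gpa_name=$2 gpa_path=$3

    if [ ! -r "$gpa_path" ]; then
        echo "policy file not readable: $gpa_path" >&2
        return 3
    fi

    # Does a policy with this name already exist on the deployment?
    if mc admin policy info "$gpa_target" "$gpa_name" >/dev/null 2>&1; then
        if [ "${ALLOW_OVERWRITE:-0}" != "1" ]; then
            echo "policy '$gpa_name' exists on $gpa_target;" \
                 "set ALLOW_OVERWRITE=1 to replace it" >&2
            return 4
        fi
        # Keep the current document so the change can be reviewed or rolled back.
        gpa_backup="${POLICY_BACKUP_DIR:-.}/$gpa_name.$(date +%Y%m%dT%H%M%S).json"
        if ! mc admin policy info "$gpa_target" "$gpa_name" >"$gpa_backup"; then
            echo "could not save current policy to $gpa_backup" >&2
            return 5
        fi
        echo "saved current '$gpa_name' to $gpa_backup" >&2
    fi

    mc admin policy add "$gpa_target" "$gpa_name" "$gpa_path"
}

# Example call (requires mc and the myminio alias used on this page):
#   guarded_policy_add myminio listbucketsonly /path/to/listbucketsonly.json
```

The check and the add are two separate requests, so another administrator can still create the same name in between; the wrapper reduces accidental overwrites rather than locking the policy.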

mc admin policy list

Lists all policies on the target MinIO deployment. The command has the following syntax:

mc admin policy list TARGET

For example, the following command lists all policies on the myminio MinIO deployment:

mc admin policy list myminio

The mc admin policy list command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment from which the command lists the available policies.

mc admin policy info

Returns the specified policy in JSON format if it exists on the target MinIO deployment. The command has the following syntax:

mc admin policy info TARGET POLICYNAME

mc admin policy info accepts the following arguments:

TARGET

The alias of a configured MinIO deployment from which the command returns information on the specified policy.

POLICYNAME

The name of the policy whose details the command returns.

mc admin policy set

Applies an existing policy to a user or group on the target MinIO deployment. mc admin policy set overwrites the existing policy associated to the user or group.

The command has the following syntax:

mc admin policy set TARGET POLICYNAME[,POLICYNAME,...] [ user=USERNAME | group=GROUPNAME ]

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command associates the POLICYNAME to the user or group.

POLICYNAME

The name of the policy which the command associates to the specified user or group. Specify multiple policies as a comma-separated list.

MinIO deployments include the following built-in policies by default:

user

The name of the user to which the command associates the POLICYNAME.

Mutually exclusive with group

group

The name of the group to which the command associates the POLICYNAME. All users with membership in the group inherit the policies associated to the group.

Mutually exclusive with user

mc admin policy remove

This command removes an existing policy from the target MinIO deployment. The command has the following syntax:

mc admin policy remove TARGET POLICYNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command removes the POLICYNAME.

POLICYNAME

The name of the policy which the command removes from the TARGET deployment.