mc admin policy
The mc admin policy command manages policies for use with MinIO Policy-Based Access Control (PBAC). MinIO PBAC uses IAM-compatible policy JSON documents to define rules for accessing resources on a MinIO server.
For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see Access Management.
The examples on this page use the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance. See mc alias for more information on aliases.
Consider the following JSON policy document:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
The following mc admin policy add command creates a new policy listbucketsonly on the myminio MinIO deployment using the example JSON policy document:
mc admin policy add myminio listbucketsonly /path/to/listbucketsonly.json
You can associate the new listbucketsonly policy to users or groups on the myminio deployment using the mc admin policy set command.
The following mc admin policy list command lists the available policies on the myminio MinIO deployment:
mc admin policy list myminio
The command returns output that resembles the following:
readwrite
writeonly
To retrieve information on a specific policy, use the mc admin policy info command:
mc admin policy info myminio writeonly
The command returns output that resembles the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
The following mc admin policy remove command removes a policy on the myminio MinIO deployment:
mc admin policy remove myminio listbucketsonly
Use the mc admin user list command to return a list of users on the target MinIO deployment.
Use the mc admin group list command to return a list of groups on the target MinIO deployment.
The following mc admin policy set command associates the listbucketsonly policy to a user on the myminio MinIO deployment. Replace <USER> with the name of a user that exists on the deployment.
mc admin policy set myminio listbucketsonly user=<USER>
The following mc admin policy set command associates the listbucketsonly policy to a group on the myminio MinIO deployment. Replace <GROUP> with the name of a group that exists on the deployment.
mc admin policy set myminio listbucketsonly group=<GROUP>
Creates a new policy on the target MinIO deployment. The command has the following syntax:
mc admin policy add TARGET POLICYNAME POLICYPATH
The mc admin policy add command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which to add the new policy.
POLICYNAME
The name of the policy to add. Specifying the name of an existing policy overwrites that policy on the TARGET MinIO deployment.
POLICYPATH
The file path to the policy to add. The file must be a JSON-formatted file with IAM-compatible syntax.
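Because mc admin policy add replaces an existing policy of the same name without asking, a wrapper can check the name first and keep a copy of the old definition. The following is an added example, not part of the MinIO documentation; the function name safe_policy_add, the --force argument and the POLICY_BACKUP_DIR variable are invented here, and it assumes mc admin policy list prints one policy name per line, as in the sample output above.

```shell
#!/bin/sh
# Added example (not MinIO's own code): refuse to silently overwrite a policy.
# Assumes `mc admin policy list TARGET` prints one policy name per line.
# POLICY_BACKUP_DIR is a variable name made up for this example.

# safe_policy_add TARGET POLICYNAME POLICYPATH [--force]
#   0 = policy created (or overwritten with --force after a backup)
#   1 = name already exists and --force was not given; nothing changed
#   2 = policy file unreadable
#   3 = an mc call failed
safe_policy_add() {
    spa_target=$1 spa_name=$2 spa_path=$3 spa_force=${4:-}

    [ -r "$spa_path" ] || { echo "cannot read $spa_path" >&2; return 2; }

    spa_existing=$(mc admin policy list "$spa_target") || return 3

    # -F fixed string, -x whole line: "write" must not match "writeonly".
    if printf '%s\n' "$spa_existing" | grep -Fxq -- "$spa_name"; then
        if [ "$spa_force" != "--force" ]; then
            echo "policy '$spa_name' exists on $spa_target; not overwriting" >&2
            return 1
        fi
        # Keep the current definition so the overwrite can be rolled back.
        spa_backup="${POLICY_BACKUP_DIR:-.}/$spa_name.$(date +%Y%m%dT%H%M%S).json"
        mc admin policy info "$spa_target" "$spa_name" > "$spa_backup" || return 3
        echo "saved previous definition to $spa_backup" >&2
    fi

    mc admin policy add "$spa_target" "$spa_name" "$spa_path" || return 3
}

# Usage:
#   safe_policy_add myminio listbucketsonly /path/to/listbucketsonly.json
#   safe_policy_add myminio listbucketsonly /path/to/listbucketsonly.json --force
```

Every user and group that already has the policy attached picks up the new definition after an overwrite, so the saved copy is the only record of what those principals were allowed to do before.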
Lists all policies on the target MinIO deployment. The command has the following syntax:
mc admin policy list TARGET
For example, the following command lists all policies on the myminio MinIO deployment:
mc admin policy list myminio
The mc admin policy list command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment from which the command lists the available policies.
Returns the specified policy in JSON format if it exists on the target MinIO deployment. The command has the following syntax:
mc admin policy info TARGET POLICYNAME
mc admin policy info accepts the following arguments:
TARGET
The alias of a configured MinIO deployment from which the command returns information on the specified policy.
Applies an existing policy to a user or group on the target MinIO deployment. mc admin policy set overwrites the existing policy associated to the user or group.
The command has the following syntax:
mc admin policy set TARGET POLICYNAME[,POLICYNAME,...] [ user=USERNAME | group=GROUPNAME ]
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command associates the POLICYNAME to the specified user or group.
POLICYNAME
The name of the policy which the command associates to the specified user or group. Specify multiple policies as a comma-separated list.
MinIO deployments include the following built-in policies by default:
user=USERNAME
The name of the user to which the command associates the POLICYNAME. Mutually exclusive with group=GROUPNAME.
group=GROUPNAME
The name of the group to which the command associates the POLICYNAME. All users with membership in the group inherit the policies associated to the group. Mutually exclusive with user=USERNAME.
This command removes an existing policy from the target MinIO deployment. The command has the following syntax:
mc admin policy remove TARGET POLICYNAME
The command accepts the following arguments:
TARGET
The alias of a configured MinIO deployment on which the command removes the POLICYNAME.
POLICYNAME
The name of the policy which the command removes from the TARGET deployment.
This work is licensed under a Creative Commons Attribution 4.0 International License.
©2020-Present, MinIO, Inc.