mc admin user svcacct

Description

The mc admin user svcacct command creates and manages Service Accounts on a MinIO deployment.

Each service account is linked to a user identity and inherits the policies attached to its parent user or to the groups in which the parent user has membership. Service accounts also support an optional inline policy which further restricts access to a subset of the actions and resources available to the parent user.

mc admin user svcacct only supports creating service accounts for MinIO-managed and Active Directory/LDAP-managed accounts.

To create service accounts for OpenID Connect-managed users, log into the MinIO Console and generate the service account through the UI.

Use mc admin on MinIO Deployments Only

MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.

The mc admin user svcacct command has the following subcommands:

Subcommand

Description

mc admin user svcacct add

Adds a new service account to an existing MinIO or AD/LDAP user.

mc admin user svcacct list

Lists the existing service accounts associated to a MinIO or AD/LDAP user.

mc admin user svcacct remove

Removes a service account from a MinIO or AD/LDAP user.

mc admin user svcacct info

Returns detailed information on a service account.

mc admin user svcacct edit

Modifies the secret key or inline policy associated with a service account.

mc admin user svcacct enable

Enables a service account.

mc admin user svcacct disable

Disables a service account.

Syntax

mc admin user svcacct add

Adds a new service account associated to the specified user.

The following command creates a new service account associated to an existing MinIO user:

mc admin user svcacct add                       \
   --access-key "myuserserviceaccount"          \
   --secret-key "myuserserviceaccountpassword"  \
   --policy "/path/to/policy.json"              \
   myminio myuser

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct add     \
                            [--access-key]  \
                            [--secret-key]  \
                            [--policy]      \
                            ALIAS           \
                            USER
ALIAS
Required

The alias of the MinIO deployment.

USER
Required

The name of the user to which MinIO adds the new service account.

--access-key
Optional

The access key to associate with the new service account. Omit to direct MinIO to autogenerate the access key for the new service account.

Service account names must be unique across all users.

--secret-key
Optional

The secret key to associate with the new service account. Omit to direct MinIO to autogenerate the secret key for the new service account.

--policy
Optional

The path to a policy document to attach to the new service account. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user’s policies.
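The inline-policy restriction described above, as an added example that is not part of the MinIO documentation: it writes a read-only policy for one bucket prefix and creates a service account that carries it, letting MinIO autogenerate both keys. The alias `myminio` and user `myuser` come from the page's example; the bucket `reports`, the prefix, the file path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, bucket, prefix and paths are constructed.

# Write an inline policy allowing only s3:GetObject under BUCKET/PREFIX/.
# Input is validated first so a stray quote cannot alter the JSON document.
write_readonly_policy() {
    bucket=$1; prefix=$2; out=$3
    case "$bucket" in ''|*[!a-z0-9.-]*) return 1 ;; esac
    case "$prefix" in ''|*[!A-Za-z0-9._/-]*) return 1 ;; esac
    cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::${bucket}/${prefix}/*"]
    }
  ]
}
EOF
}

# Create a service account for PARENT on ALIAS with the inline policy.
# --access-key and --secret-key are omitted so MinIO autogenerates both,
# which keeps the secret out of shell history and the process list.
create_scoped_svcacct() {
    alias_name=$1; parent=$2; policy=$3
    mc admin user svcacct add --policy "$policy" "$alias_name" "$parent"
}

# Print the parent user, status and attached policy (JSON) for review.
show_svcacct() {
    mc admin user svcacct info --policy "$1" "$2"
}

# Usage against a live deployment (not run here):
#   write_readonly_policy reports 2024/q1 /tmp/reports-ro.json
#   create_scoped_svcacct myminio myuser /tmp/reports-ro.json
#   show_svcacct myminio ACCESS_KEY_PRINTED_BY_THE_ADD_COMMAND
```

The inline policy only narrows access: the parent user must already be allowed `s3:GetObject` on that prefix for the service account to read anything.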

mc admin user svcacct list, ls

Lists all service accounts associated to the specified user.

The following command lists all service accounts associated to an existing MinIO user:

mc admin user svcacct list myminio myuser

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct list  \
                            ALIAS         \
                            USER
ALIAS
Required

The alias of the MinIO deployment.

USER
Required

The name of the user whose service accounts MinIO lists.

mc admin user svcacct remove, rm

Removes a service account associated to the specified user. Applications can no longer authenticate using that service account after removal.

The following command removes the specified service account:

mc admin user svcacct remove myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct remove   \
                            ALIAS            \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the service account to remove.

mc admin user svcacct info

Returns a description of a service account associated to the specified user. The description includes the parent user of the specified service account, its status, and whether the service account has an assigned inline policy.

The following command returns detailed information on the specified service account:

mc admin user svcacct info --policy myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct info    \
                            [--policy]      \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the service account to describe.

--policy
Optional

Returns the policy attached to the service account in JSON format. The output is null if the service account has no attached policy.

mc admin user svcacct edit, set

Modifies the configuration of a service account associated to the specified user.

The following command modifies the specified service account:

mc admin user svcacct edit                                             \
                      --secret-key "myuserserviceaccountnewsecretkey"  \
                      --policy "/path/to/new/policy.json"              \
                      myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct edit    \
                            [--secret-key]  \
                            [--policy]      \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the service account to modify.

--secret-key
Optional

The new secret key to associate with the service account. Overwrites the previous secret key. Applications using the service account must update to use the new credentials to continue performing operations.

--policy
Optional

The path to a policy document to attach to the service account. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user’s policies.

The new policy overwrites any previously attached policy.

mc admin user svcacct enable

Enables a service account for the specified user. Applications can only authenticate using enabled service accounts.

The following command enables the specified service account:

mc admin user svcacct enable myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct enable  \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the service account to enable.

mc admin user svcacct disable

Disables a service account for the specified user. Applications can only authenticate using enabled service accounts.

The following command disables the specified service account:

mc admin user svcacct disable myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct disable  \
                            ALIAS            \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the service account to disable.

Global Flags

--debug
Optional

Enables verbose output to the console.

For example:

mc --debug COMMAND

--config-dir
Optional

The path to a JSON formatted configuration file that mc uses for storing data. See Configuration File for more information on how mc uses the configuration file.

--json
Optional

Enables JSON lines formatted output to the console.

For example:

mc --json COMMAND

--no-color
Optional

Disables the built-in color theme for console output. Useful for dumb terminals.

--quiet
Optional

Suppresses console output.

--insecure
Optional

Disables TLS/SSL certificate verification. Allows TLS connectivity to servers with invalid certificates. Exercise caution when using this option against untrusted S3 hosts.

--version
Optional

Displays the current version of mc.

--help
Optional

Displays a summary of command usage on the terminal.