Product
Hybrid Cloud Object Storage Hybrid Cloud Object Storage
Overview Architecture
Baremetal Baremetal
Overview Architecture
Erasure Code Calculator Erasure Code Calculator Reference Hardware Reference Hardware
Features
Active Active Replication Identity & Access Management Encryption Bucket & Object Immutability Bucket & Object Versioning Data Life Cycle Management & Tiering Automated Data Management Interfaces Monitoring Scalability
Native Versions
MinIO for VMware Tanzu MinIO for OpenShift MinIO for Amazon Elastic Kubernetes Service MinIO for Azure Kubernetes Service MinIO for Google Kubernetes Engine
Docs
MinIO Baremetal MinIO Object Storage for Baremetal Infrastructure MinIO Hybrid Cloud MinIO Object Storage for Kubernetes-Managed Private and Public Cloud Infrastructure MinIO for VMware Cloud Foundation MinIO Object Storage for VMware Cloud Foundation 4.2 MinIO Legacy Documentation Legacy Documentation for MinIO Object Storage
Solutions
VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKGI and how we support their Kubernetes ambitions. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Azure to AWS S3 Gateway Learn how MinIO allows Azure Blob to speak Amazon’s S3 API HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. Teradata Discover why MinIO is the Native Object Store (NOS) of choice for at-scale Teradata deployments Integrations Browse our vast portfolio of integrations
Resources Blog Pricing Download

Welcome to the upcoming version of the MinIO Documentation! The content on this page is under active development and may change at any time. If you can't find what you're looking for, check our legacy documentation. Thank you for your patience.

mc admin user

Description

The mc admin user command manages users on a MinIO deployment. Clients must authenticate to the MinIO deployment with the access key and secret key associated to a user on the deployment. MinIO users constitue a key component in MinIO Identity and Access Management.

Use mc admin on MinIO Deployments Only

MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.

Users and Policy-Based Access Control

MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a User. Users also inherit the policies of any groups of which they are members. A user’s total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.

Newly created users have no policies by default and therefore cannot perform any operations on the MinIO deployment. To configure a user’s assigned policies, you can do either or both of the following:

Each user’s total set of permissions consists of their explicitly assigned permission and the inherited permissions from each of their assigned groups.

For more information on MinIO users and groups, see User Management and Group Management. For more information on MinIO policies, see MinIO Policy Based Access Control.

Deny overrides Allow

MinIO follows the IAM standard where a Deny rule overrides Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.

Examples

Create a New User

Use mc admin user add to create a user on an S3-compatible host:

   mc admin user add ALIAS ACCESSKEY SECRETKEY

  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace ACCESSKEY with the access key for the user. MinIO allows retrieving the access key after user creation through the mc admin user info command.

  • Replace SECRETKEY with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.

Specify a unique, random, and long string for both the ACCESSKEY and SECRETKEY. Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.

List Available Users

Use mc admin user list to list all users on an S3-compatible host:

mc admin user list ALIAS

  • Replace ALIAS with the alias of the S3-compatible host.

mc admin user list does not return the access key or secret key associated to a user. Use mc admin user info to retrieve detailed user information, including the user access key.

View User Details

Use mc admin user info to view detailed user information on an S3-compatible host:

mc admin user info ALIAS USERNAME

  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace USERNAME with the name of the user.

Remove a User

Use mc admin user remove to remove a user from an S3-compatible host:

mc admin user remove ALIAS USERNAME

  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace USERNAME with the name of the user to remove.

Disable a User

Use mc admin user disable to disable a user on an S3-compatible host. Disabling a user prevents clients from authenticating to the S3 host with that user’s credentials, but does not remove that user from the S3 host.

Use mc admin user enable to enable a disabled user on an S3-compatible host.

mc admin user disable ALIAS USERNAME

  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace USERNAME with the name of the user to disable.

Enable a User

Use mc admin user enable to enable a user on an S3-compatible host.

mc admin user enable ALIAS USERNAME

  • Replace ALIAS with the alias of the S3-compatible host.

  • Replace USERNAME with the name of the user to enable.

Syntax

mc admin user add

Adds new user to the target MinIO deployment. The command has the following syntax:

mc admin user add TARGET ACCESSKEY SECRETKEY

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command creates the new user.

ACCESSKEY

The access key that uniquely identifies the new user, similar to a username.

SECRETKEY

The secret key for the new user. Consider the following guidance when creating a secret key:

  • The key should be unique

  • The key should be long (Greater than 12 characters)

  • The key should be complex (A mixture of characters, numerals, and symbols)

mc admin user list

Lists all users on the target MinIO deployment. The command has the following syntax:

mc admin user list TARGET

The command accepts the following argument:

TARGET

The alias of a configured MinIO deployment from which the command lists users.

mc admin user info

Returns detailed information of a user on the target MinIO deployment. The command has the following syntax:

mc admin user info TARGET USERNAME

The command accepts the following arguments:

TARGET

The alias of a configured MinIO deployment from which the command retrieves the specified user information.

USERNAME

The name of the user whose information the command retrieves.

remove

Removes a user from the target MinIO deployment. The command has the following syntax:

mc admin user remove TARGET USERNAME

The command supports the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command removes the specified user.

USERNAME

The name of the user which the command removes.

mc admin user disable

Disables a user on the target MinIO deployment. Clients cannot use the user credentials to authenticate to the MinIO deployment. Disabling a user does not remove that user from the deployment.

The command has the following syntax:

mc admin user disable TARGET USERNAME

The command supports the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command disables the specified user.

USERNAME

The name of the user to disable.

mc admin user enable

Enables a user on the target deployment. Clients can only use enabled users to authenticate to the MinIO deployment. Users created using mc admin user add are enabled by default.

The command has the following syntax:

mc admin user enable TARGET USERNAME

The command supports the following arguments:

TARGET

The alias of a configured MinIO deployment on which the command enables the specified user.

USERNAME

The name of the user to enable.

This work is licensed under a Creative Commons Attribution 4.0 International License.

©2020-Present, MinIO, Inc.

Creative Commons License