mc admin user
The mc admin user command manages users on a MinIO deployment. Clients must authenticate to the MinIO deployment with the access key and secret key associated with a user on the deployment. MinIO users constitute a key component in MinIO Identity and Access Management.
Use mc admin on MinIO Deployments Only
MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.
MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a User. Users also inherit the policies of any groups of which they are members. A user’s total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.
Newly created users have no policies by default and therefore cannot perform any operations on the MinIO deployment. To configure a user’s assigned policies, you can do either or both of the following:
Use mc admin policy set to associate one or more policies to the user.
Use mc admin group add to associate the user to the group. Users inherit any policies assigned to the group.
Each user’s total set of permissions consists of their explicitly assigned permissions and the inherited permissions from each of their assigned groups.
For more information on MinIO users and groups, see User Management and Group Management. For more information on MinIO policies, see MinIO Policy Based Access Control.
Deny overrides Allow
MinIO follows the IAM standard where a Deny rule overrides an Allow rule on the same action or resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
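The evaluation order described above, sketched as an added example that is not MinIO's code and not part of the original documentation. The policy documents, the bucket name reports and the function names are constructed for illustration, and wildcard matching uses Python's fnmatch as a simplification.

```python
import fnmatch

# Constructed sample policies (not taken from the MinIO documentation).
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::reports/*"]},
]}
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::reports/archive/*"},
]}


def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _matches(patterns, candidate):
    # '*' and '?' act as wildcards; fnmatch also treats '[...]' as a
    # character class, which is a simplification made for this example.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(action, resource, user_policies, group_policies):
    """Evaluate a request against a user's explicit and inherited policies."""
    allowed = False
    for policy in [*user_policies, *group_policies]:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny wins, whatever its source
            allowed = True
    return allowed  # no matching Allow: denied by default


if __name__ == "__main__":
    for action, key in [("s3:GetObject", "reports/q1.csv"),
                        ("s3:PutObject", "reports/q1.csv"),
                        ("s3:PutObject", "reports/archive/q1.csv")]:
        ok = is_allowed(action, "arn:aws:s3:::" + key,
                        [USER_POLICY], [GROUP_POLICY])
        print(action, key, "->", "allowed" if ok else "denied")
```

The last request is denied even though the user's own policy allows it, because the group's Deny statement matches the same action and resource.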
Use mc admin user add to create a user on an S3-compatible host:
mc admin user add ALIAS ACCESSKEY SECRETKEY
Replace ACCESSKEY with the access key for the user. MinIO allows retrieving the access key after user creation through the mc admin user info command.
Replace SECRETKEY with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.
Specify a unique, random, and long string for both the ACCESSKEY and SECRETKEY. Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.
Use mc admin user list to list all users on an S3-compatible host:
mc admin user list ALIAS
mc admin user list does not return the access key or secret key associated with a user. Use mc admin user info to retrieve detailed user information, including the user access key.
Use mc admin user info to view detailed user information on an S3-compatible host:
mc admin user info ALIAS USERNAME
Use mc admin user remove to remove a user from an S3-compatible host:
mc admin user remove ALIAS USERNAME
Use mc admin user disable to disable a user on an S3-compatible host. Disabling a user prevents clients from authenticating to the S3 host with that user’s credentials, but does not remove that user from the S3 host. Use mc admin user enable to enable a disabled user on an S3-compatible host.
mc admin user disable ALIAS USERNAME
Use mc admin user enable to enable a user on an S3-compatible host.
mc admin user enable ALIAS USERNAME
Adds a new user to the target MinIO deployment. The command has the following syntax:
mc admin user add TARGET ACCESSKEY SECRETKEY
The command accepts the following arguments:
The alias of a configured MinIO deployment on which the command creates the new user.
Lists all users on the target MinIO deployment. The command has the following syntax:
mc admin user list TARGET
The command accepts the following argument:
The alias of a configured MinIO deployment from which the command lists users.
Returns detailed information about a user on the target MinIO deployment. The command has the following syntax:
mc admin user info TARGET USERNAME
The command accepts the following arguments:
The alias of a configured MinIO deployment from which the command retrieves the specified user information.
Removes a user from the target MinIO deployment. The command has the following syntax:
mc admin user remove TARGET USERNAME
The command supports the following arguments:
The alias of a configured MinIO deployment on which the command removes the specified user.
Disables a user on the target MinIO deployment. Clients cannot use the user credentials to authenticate to the MinIO deployment. Disabling a user does not remove that user from the deployment.
The command has the following syntax:
mc admin user disable TARGET USERNAME
The command supports the following arguments:
The alias of a configured MinIO deployment on which the command disables the specified user.
Enables a user on the target deployment. Clients can only use enabled users to authenticate to the MinIO deployment. Users created using mc admin user add are enabled by default.
The command has the following syntax:
mc admin user enable TARGET USERNAME
The command supports the following arguments:
The alias of a configured MinIO deployment on which the command enables the specified user.
This work is licensed under a Creative Commons Attribution 4.0 International License.
©2020-Present, MinIO, Inc.