
Policies

Overview

A policy is a document that describes the resources and operations to which a MinIO user or the members of a group have access.

MinIO uses Policy-Based Access Control (PBAC) to define which resources and operations a user or the members of a group may access.

MinIO by default denies access to any resource or operation not explicitly allowed by a user’s assigned or inherited policies.

MinIO PBAC uses AWS IAM-compatible JSON syntax for defining policies. For example, MinIO can use IAM policies designed for use with AWS S3 or S3-compatible services.

The MinIO documentation makes a best effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on IAM, IAM policies, or IAM JSON syntax.

Built-In Policies

MinIO provides the following built-in policies for assigning to users or groups:

readonly

Grants read-only permissions for all buckets and objects on the MinIO server.

readwrite

Grants read and write permissions for all buckets and objects on the MinIO server.

diagnostics

Grants permission to perform diagnostic actions on the MinIO server.

writeonly

Grants write-only permissions for all buckets and objects on the MinIO server.

Use mc admin policy set to associate a policy with a user or group on a MinIO deployment.

Policy Document Structure

MinIO policy documents use the same schema as AWS IAM Policy documents.

The following sample document provides a template for creating custom policies for use with a MinIO deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference.

{
   "Version" : "2012-10-17",
   "Statement" : [
      {
         "Effect" : "Allow",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:minio:s3:::*",
         "Condition" : { ... }
      },
      {
         "Effect" : "Deny",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:minio:s3:::*",
         "Condition" : { ... }
      }
   ]
}
  • For the Statement.Action array, specify one or more supported S3 actions. MinIO supports a subset of AWS S3 actions; see Supported S3 Policy Actions.

  • For the Statement.Resource key, replace the * with the bucket to which the statement should apply. Bucket-level actions such as s3:ListBucket are evaluated against the bucket ARN (for example arn:minio:s3:::mybucket), while object-level actions such as s3:GetObject are evaluated against the object ARN (for example arn:minio:s3:::mybucket/*). Using * alone applies the statement to all resources on the MinIO deployment.

  • For the Statement.Condition key, you can specify one or more supported Conditions. MinIO supports a subset of AWS S3 conditions; see Supported S3 Policy Condition Keys.

Supported S3 Policy Actions

MinIO policy documents support a subset of IAM S3 Action keys.

The following table lists the MinIO-supported policy action keys.

s3:*

Selector for all supported S3 actions.

s3:AbortMultipartUpload

Corresponds to the s3:AbortMultipartUpload IAM action.

s3:CreateBucket

Corresponds to the s3:CreateBucket IAM action.

s3:DeleteBucket

Corresponds to the s3:DeleteBucket IAM action.

s3:ForceDeleteBucket

Corresponds to the s3:DeleteBucket IAM action for operations with the x-minio-force-delete flag.

s3:DeleteBucketPolicy

Corresponds to the s3:DeleteBucketPolicy IAM action.

s3:DeleteObject

Corresponds to the s3:DeleteObject IAM action.

s3:GetBucketLocation

Corresponds to the s3:GetBucketLocation IAM action.

s3:GetBucketNotification

Corresponds to the s3:GetBucketNotification IAM action.

s3:GetBucketPolicy

Corresponds to the s3:GetBucketPolicy IAM action.

s3:GetObject

Corresponds to the s3:GetObject IAM action.

s3:HeadBucket

Corresponds to the s3:HeadBucket IAM action.

This action is unused in MinIO.

s3:ListAllMyBuckets

Corresponds to the s3:ListAllMyBuckets IAM action.

s3:ListBucket

Corresponds to the s3:ListBucket IAM action.

s3:ListMultipartUploads

Corresponds to the s3:ListMultipartUploads IAM action.

s3:ListenNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListenBucketNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListParts

Corresponds to the s3:ListParts IAM action.

s3:PutBucketLifecycle

Corresponds to the s3:PutBucketLifecycle IAM action.

s3:GetBucketLifecycle

Corresponds to the s3:GetBucketLifecycle IAM action.

s3:PutObjectNotification

Corresponds to the s3:PutObjectNotification IAM action.

s3:PutBucketPolicy

Corresponds to the s3:PutBucketPolicy IAM action.

s3:PutObject

Corresponds to the s3:PutObject IAM action.

s3:DeleteObjectVersion

Corresponds to the s3:DeleteObjectVersion IAM action.

s3:DeleteObjectVersionTagging

Corresponds to the s3:DeleteObjectVersionTagging IAM action.

s3:GetObjectVersion

Corresponds to the s3:GetObjectVersion IAM action.

s3:GetObjectVersionTagging

Corresponds to the s3:GetObjectVersionTagging IAM action.

s3:PutObjectVersionTagging

Corresponds to the s3:PutObjectVersionTagging IAM action.

s3:BypassGovernanceRetention

Corresponds to the s3:BypassGovernanceRetention IAM action.

This action applies to the following API operations on objects locked under GOVERNANCE retention mode:

  • PutObjectRetention

  • PutObject

  • DeleteObject

s3:PutObjectRetention

Corresponds to the s3:PutObjectRetention IAM action.

s3:GetObjectRetention

Corresponds to the s3:GetObjectRetention IAM action.

This action applies to the following API operations on objects locked under any retention mode:

  • GetObject

  • HeadObject

s3:GetObjectLegalHold

Corresponds to the s3:GetObjectLegalHold IAM action.

This action applies to the following API operations on objects locked under legal hold:

  • GetObject

s3:PutObjectLegalHold

Corresponds to the s3:PutObjectLegalHold IAM action.

This action applies to the following API operations on objects locked under legal hold:

  • PutObject

s3:GetBucketObjectLockConfiguration

Corresponds to the s3:GetBucketObjectLockConfiguration IAM action.

s3:PutBucketObjectLockConfiguration

Corresponds to the s3:PutBucketObjectLockConfiguration IAM action.

s3:GetBucketTagging

Corresponds to the s3:GetBucketTagging IAM action.

s3:PutBucketTagging

Corresponds to the s3:PutBucketTagging IAM action.

s3:Get

Corresponds to the s3:Get IAM action.

s3:Put

Corresponds to the s3:Put IAM action.

s3:Delete

Corresponds to the s3:Delete IAM action.

s3:PutEncryptionConfiguration

Corresponds to the s3:PutEncryptionConfiguration IAM action.

s3:GetEncryptionConfiguration

Corresponds to the s3:GetEncryptionConfiguration IAM action.

s3:PutBucketVersioning

Corresponds to the s3:PutBucketVersioning IAM action.

s3:GetBucketVersioning

Corresponds to the s3:GetBucketVersioning IAM action.

s3:GetReplicationConfiguration

Corresponds to the s3:GetReplicationConfiguration IAM action.

s3:PutReplicationConfiguration

Corresponds to the s3:PutReplicationConfiguration IAM action.

s3:ReplicateObject

Corresponds to the s3:ReplicateObject IAM action.

s3:ReplicateDelete

Corresponds to the s3:ReplicateDelete IAM action.

s3:ReplicateTags

Corresponds to the s3:ReplicateTags IAM action.

s3:GetObjectVersionForReplication

Corresponds to the s3:GetObjectVersionForReplication IAM action.

mc admin Policy Action Keys

MinIO supports the following actions for use with defining policies for mc admin operations. These actions are only valid for MinIO deployments and are not intended for use with other S3-compatible services:

admin:*

Selector for all admin action keys.

admin:Heal

Allows running the heal command

admin:StorageInfo

Allows retrieving server storage info

admin:DataUsageInfo

Allows listing data usage info

admin:TopLocksInfo

Allows listing top locks

admin:Profiling

Allows profiling

admin:ServerTrace

Allows listing server trace

admin:ConsoleLog

Allows listing console logs on terminal

admin:KMSCreateKey

Allows creating a new KMS master key

admin:KMSKeyStatus

Allows getting KMS key status

admin:ServerInfo

Allows listing server info

admin:OBDInfo

Allows obtaining cluster on-board diagnostics

admin:ServerUpdate

Allows updating the MinIO server binary

admin:ServiceRestart

Allows restart of MinIO service.

admin:ServiceStop

Allows stopping MinIO service.

admin:ConfigUpdate

Allows managing the MinIO server configuration

admin:CreateUser

Allows creating a MinIO user

admin:DeleteUser

Allows deleting a MinIO user

admin:ListUsers

Allows listing users

admin:EnableUser

Allows enabling a user

admin:DisableUser

Allows disabling a user

admin:GetUser

Allows retrieving user info

admin:AddUserToGroup

Allows adding a user to a group

admin:RemoveUserFromGroup

Allows removing a user from a group

admin:GetGroup

Allows getting group info

admin:ListGroups

Allows listing groups

admin:EnableGroup

Allows enabling a group

admin:DisableGroup

Allows disabling a group

admin:CreatePolicy

Allows creating a policy

admin:DeletePolicy

Allows deleting a policy

admin:GetPolicy

Allows retrieving a policy

admin:AttachUserOrGroupPolicy

Allows attaching a policy to a user/group

admin:ListUserPolicies

Allows listing user policies

admin:SetBucketQuota

Allows setting bucket quota

admin:GetBucketQuota

Allows getting bucket quota

admin:SetBucketTarget

Allows setting bucket target

admin:GetBucketTarget

Allows getting bucket targets

admin:SetTier

Allows creating and modifying remote storage tiers using the mc admin tier command.

admin:ListTier

Allows listing configured remote storage tiers using the mc admin tier command.

Supported S3 Policy Condition Keys

MinIO policy documents support IAM conditional statements.

Each condition element consists of operators and condition keys. MinIO supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation.

MinIO supports the following condition keys for all supported actions:

  • aws:Referer

  • aws:SourceIp

  • aws:UserAgent

  • aws:SecureTransport

  • aws:CurrentTime

  • aws:EpochTime

  • aws:PrincipalType

  • aws:userid

  • aws:username

  • s3:x-amz-content-sha256

The following table lists additional supported condition keys for specific actions:

Action Key                        Condition Keys

s3:GetObject                      s3:x-amz-server-side-encryption
                                  s3:x-amz-server-side-encryption-customer-algorithm

s3:ListBucket                     s3:prefix
                                  s3:delimiter
                                  s3:max-keys

s3:PutObject                      s3:x-amz-copy-source
                                  s3:x-amz-server-side-encryption
                                  s3:x-amz-server-side-encryption-customer-algorithm
                                  s3:x-amz-metadata-directive
                                  s3:x-amz-storage-class
                                  s3:object-lock-retain-until-date
                                  s3:object-lock-mode
                                  s3:object-lock-legal-hold

s3:PutObjectRetention             s3:x-amz-object-lock-remaining-retention-days
                                  s3:x-amz-object-lock-retain-until-date
                                  s3:x-amz-object-lock-mode

s3:PutObjectLegalHold             s3:object-lock-legal-hold

s3:BypassGovernanceRetention      s3:object-lock-remaining-retention-days
                                  s3:object-lock-retain-until-date
                                  s3:object-lock-mode
                                  s3:object-lock-legal-hold

s3:GetObjectVersion               s3:versionid

s3:GetObjectVersionTagging        s3:versionid

s3:DeleteObjectVersion            s3:versionid

s3:DeleteObjectVersionTagging     s3:versionid
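To make the evaluation rules concrete, the following Python script is an added example written for this page; it is not MinIO's own code or API. It embeds a constructed policy document in the template shape shown under Policy Document Structure and evaluates sample requests against it using condition keys from the lists above (s3:prefix, aws:SourceIp, aws:SecureTransport). It applies the IAM semantics MinIO follows: a request is denied unless some statement allows it, an explicit Deny overrides any Allow, and a condition whose key is absent from the request is not satisfied. The bucket name reports, the finance/ prefix, the 10.20.0.0/16 range and the four condition operators it handles are assumptions for the demonstration; MinIO supports further operators, and its real evaluator is not this code.

```python
"""IAM-style policy evaluation, modelled on the rules this page documents.

Added example, not MinIO's code: default deny, explicit Deny over Allow,
'*' wildcards in Action and Resource, and the StringEquals, StringLike,
IpAddress and Bool operators. The bucket, prefix and CIDR values are made up.
"""
import fnmatch
import ipaddress
import json

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": "arn:minio:s3:::reports",
     "Condition": {"StringLike": {"s3:prefix": ["finance/*"]}}},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:minio:s3:::reports/finance/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.20.0.0/16"},
                   "Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:minio:s3:::reports/*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    """Case-sensitive glob match; IAM's '*' spans '/' just as fnmatch's does."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(condition_block, context):
    """Every operator and key must hold (AND); values under one key are ORed.
    A key missing from the request context never satisfies a condition."""
    for operator, keys in condition_block.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = _matches_any(actual, expected)
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in {str(e).lower() for e in expected}
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against one policy document."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _matches_any(action, statement["Action"]):
            continue
        if not _matches_any(resource, statement["Resource"]):
            continue
        if not _conditions_hold(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: default deny


def demo():
    """Sample requests, one per rule; returns {case name: verdict}."""
    p, bucket = SAMPLE_POLICY, "arn:minio:s3:::reports"
    obj = "arn:minio:s3:::reports/finance/q1.csv"
    tls_inside = {"aws:SourceIp": "10.20.5.7", "aws:SecureTransport": "true"}
    plain_inside = {"aws:SourceIp": "10.20.5.7", "aws:SecureTransport": "false"}
    tls_outside = {"aws:SourceIp": "203.0.113.9", "aws:SecureTransport": "true"}
    return {
        "get_in_scope": evaluate(p, "s3:GetObject", obj, tls_inside),
        "get_over_plain_http": evaluate(p, "s3:GetObject", obj, plain_inside),
        "get_from_outside_cidr": evaluate(p, "s3:GetObject", obj, tls_outside),
        "get_other_prefix": evaluate(p, "s3:GetObject", bucket + "/hr/salaries.csv", tls_inside),
        "list_finance_prefix": evaluate(p, "s3:ListBucket", bucket, {"s3:prefix": "finance/2024/"}),
        "list_bucket_root": evaluate(p, "s3:ListBucket", bucket, {"s3:prefix": ""}),
        "delete_despite_allow": evaluate(p, "s3:DeleteObject", obj, tls_inside),
        "other_bucket": evaluate(p, "s3:GetObject", "arn:minio:s3:::other/readme.txt", tls_inside),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

Run the script directly to print one verdict per case. The delete_despite_allow case is the one to study: the second statement allows s3:DeleteObject from inside the network over TLS, yet the third statement's Deny wins, which is why a Deny statement, not the default deny, is the right tool for carving an exception out of a broad Allow. The two ListBucket cases show why s3:ListBucket is written against the bucket ARN while s3:GetObject is written against the object ARN, and why a condition on s3:prefix turns an all-or-nothing listing grant into a per-prefix one.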

mc admin Policy Condition Keys

MinIO supports the following conditions for use with defining policies for mc admin actions.

  • aws:Referer

  • aws:SourceIp

  • aws:UserAgent

  • aws:SecureTransport

  • aws:CurrentTime

  • aws:EpochTime

For complete information on any listed condition key, see the IAM Condition Element Documentation.

Creating Custom Policies

Use the mc admin policy add command to add a policy to the MinIO server. The policy must be a valid JSON document formatted according to IAM policy specifications. For example:

mc admin policy add myminio/ new_policy new_policy.json

Use the mc admin policy set command to associate a policy with a user or group.

mc admin policy set myminio/ new_policy user=user_name

mc admin policy set myminio/ new_policy group=group_name

Note

myminio refers to the alias of an S3-compatible host configured for use with mc. See mc alias for more information on aliases.