A user is an identity with associated privileges on a MinIO deployment. Each user consists of a unique access key (username) and corresponding secret key (password). The access key and secret key support authentication on the MinIO deployment, similar to a username and password. Clients must specify both a valid access key (username) and the corresponding secret key (password) to access the MinIO deployment.
Each user can have one or more assigned policies that explicitly list the actions and resources to which the user is allowed or denied access. A user can also have membership in a group, where the user inherits any policies assigned to the group. Policies support authorization on the MinIO deployment, such that clients can only access a resource or operation if the user’s assigned and inherited policies explicitly grant that access. MinIO by default denies access to any resource or operation not explicitly allowed by a user’s assigned or inherited policies.
For example, consider the following table of users. Each user is assigned a built-in policy or a supported action. The table describes a subset of operations a client could perform if authenticated as that user:
Each user can access only those resources and operations which are explicitly granted by the built-in role. MinIO denies access to any other resource or action by default.
MinIO follows the IAM policy evaluation rules where a Deny rule overrides an Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
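The evaluation order described above (an explicit Deny wins, an Allow grants access, anything else is denied by default), worked through as a simplified model. This is an added example, not MinIO's implementation; the sample policies, the bucket and prefix names, and the fnmatch-based wildcard matching are assumptions for illustration.

```python
from fnmatch import fnmatchcase

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def statement_matches(stmt, action, resource):
    """True if an Action pattern and a Resource pattern both match."""
    return (any(fnmatchcase(action, p) for p in as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in as_list(stmt["Resource"])))

def is_allowed(user_policies, group_policies, action, resource):
    """Evaluate assigned and inherited policies as one set."""
    allowed = False
    for policy in list(user_policies) + list(group_policies):
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False   # explicit Deny overrides any Allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed             # no matching Allow: denied by default

# Constructed sample policies; bucket and prefix names are hypothetical.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::reports/*"}]}
GROUP_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::reports/archive/*"}]}

def check(action, key):
    """Evaluate one request against the sample user and group policies."""
    return is_allowed([USER_POLICY], [GROUP_POLICY], action,
                      "arn:aws:s3:::" + key)

if __name__ == "__main__":
    for action, key in [("s3:PutObject", "reports/q1.csv"),
                        ("s3:PutObject", "reports/archive/2020.csv"),
                        ("s3:GetObject", "reports/archive/2020.csv"),
                        ("s3:DeleteObject", "reports/q1.csv")]:
        print(action, key, "->", "allow" if check(action, key) else "deny")
```

The second request is the case from the paragraph above: the user's own policy allows the write, but the group's Deny on the same action/resource takes precedence.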
MinIO deployments have a root user with access to all actions and resources on the deployment. When a minio server first starts, it sets the root user credentials by checking the value of the following environment variables:
Rotating the root user credentials requires updating either or both variables for all MinIO servers in the deployment.
When specifying the root access key and secret key, consider using long, unique, and random strings. Exercise all possible precautions in storing the access key and secret key, such that only known and trusted individuals who require superuser access to the deployment can retrieve the
MinIO strongly discourages using the root user for regular client access regardless of the environment (development, staging, or production).
MinIO strongly recommends creating users such that each client has access to the minimal set of actions and resources required to perform their assigned workloads.
If these variables are unset, minio defaults to minioadmin as both the access key and the secret key. MinIO strongly discourages use of the default credentials regardless of deployment
MinIO RELEASE.2021-04-22T15-44-28Z and later deprecates the following variables used for setting or updating root user credentials:
Use the mc admin user add command to create a new user on the
mc admin user add ALIAS ACCESSKEY SECRETKEY
Replace SECRETKEY with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.
Specify a unique, random, and long string for both the ACCESSKEY and SECRETKEY. Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.