Welcome to the upcoming version of the MinIO Documentation! The content on this page is under active development and may change at any time. If you can't find what you're looking for, check our legacy documentation. Thank you for your patience.

Identity and Access Management


Authentication is the process of verifying the identity of a connecting client. MinIO authentication requires providing user credentials in the form of an access key (username) and corresponding secret key (password). The MinIO deployment only grants access if:

  • The access key corresponds to a user on the deployment, and

  • The secret key corresponds to the specified access key.

Authorization is the process of restricting the actions and resources the authenticated client can perform on the deployment. MinIO uses Policy-Based Access Control (PBAC), where each policy describes one or more rules that outline the permissions of a user or group of users. MinIO supports a subset of IAM actions and conditions when creating policies. By default, MinIO denies access to actions or resources not explicitly referenced in a user’s assigned or inherited policies.

  • For more information on MinIO user management, see Users.

  • For more information on MinIO group management, see Groups.

  • For more information on MinIO policy creation, see Policies.

Users and Groups

MinIO requires that client’s authenticate using an access key and secret key that correspond to a user. A user can have membership in one or more groups, where the user inherits any privileges associated to each group. MinIO authorizes the client to access only those resources and operations which the user’s assigned or inherited privileges explicitly allow.

MinIO supports creating an arbitrary number of users and groups on the deployment for supporting client authentication.

For complete documentation on creating MinIO users and groups, see Users and Groups.

MinIO also supports federating identity management to supported third-party services through the Secure Token Service. Supported identity providers include Okta, Facebook, Google, and Active Directory/LDAP.


MinIO uses Policy-Based Access Control (PBAC) to specify the authorized resources and operations to which a user or groups has access. MinIO PBAC uses AWS IAM-compatible JSON syntax for defining policies. For example, MinIO can use IAM policies designed for use with AWS S3 or S3-compatible services.

MinIO provides a set of built-in policies that provide a baseline for seperation of least privilege, such that a user has access to the minimum set of privileges required to perform their assigned actions. MinIO also supports customized policies, including those imported from AWS IAM or IAM-compatible policy building tools. For more complete documentation on MinIO policies, see Policies.

To assign policies to users or groups, use the mc admin policy set command from the mc command line tool.

Security Token Service

The MinIO Security Token Service (STS) is an endpoint service that enables clients to request temporary credentials for MinIO resources.

See MinIO STS Quickstart Guide for more information.