Policy Management

Table of Contents

Overview
Built-In Policies
Policy Document Structure
Supported S3 Policy Actions
- mc admin Policy Action Keys
Supported S3 Policy Condition Keys
- mc admin Policy Condition Keys

Overview

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on AWS IAM-specific topics.

The mc admin policy command supports creation and management of policies on the MinIO deployment. See the command reference for examples of usage.

Built-In Policies

MinIO provides the following built-in policies for assigning to users or groups:

readonly: Grants read-only permissions for all buckets and objects on the MinIO server.

readwrite: Grants read and write permissions for all buckets and objects on the MinnIO server.

diagnostics: Grants permission to perform diagnostic actions on the MinIO server.

writeonly: Grants write-only permissions for all buckets and objects on the MinIO server.

Use mc admin policy set to associate a policy to a user or group on a MinIO deployment.

For example, consider the following table of users. Each user is assigned a built-in policy or a supported action. The table describes a subset of operations a client could perform if authenticated as that user:

User	Policy	Operations
`Operations`	`readwrite` on `finance` bucket `readonly` on `audit` bucket	`PUT` and `GET` on `finance` bucket. `PUT` on `audit` bucket
`Auditing`	`readonly` on `audit` bucket	`GET` on `audit` bucket
`Admin`	`admin:*`	All `mc admin` commands.

Each user can access only those resources and operations which are explicitly granted by the built-in role. MinIO denies access to any other resource or action by default.

Deny overrides Allow

MinIO follows the IAM policy evaluation rules where a Deny rule overrides Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.

Policy Document Structure

MinIO policy documents use the same schema as AWS IAM Policy documents.

The following sample document provides a template for creating custom policies for use with a MinIO deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference.

{
   "Version" : "2012-10-17",
   "Statement" : [
      {
         "Effect" : "Allow",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      },
      {
         "Effect" : "Deny",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      }
   ]
}

For the Statement.Action array, specify one or more supported S3 actions. MinIO deployments supports a subset of AWS S3 actions.
For the Statement.Resource key, you can replace the * with the specific bucket to which the policy statement should apply. Using * applies the statement to all resources on the MinIO deployment.
For the Statement.Condition key, you can specify one or more supported Conditions. MinIO deployments supports a subset of AWS S3 conditions.

Supported S3 Policy Actions

MinIO policy documents support a subset of IAM S3 Action keys.

The following table lists the MinIO-supported policy action keys.

s3:*: Selector for all supported S3 actions.

s3:AbortMultipartUpload: Corresponds to the s3:AbortMultipartUpload IAM action.

s3:CreateBucket: Corresponds to the s3:CreateBucket IAM action.

s3:DeleteBucket: Corresponds to the s3:DeleteBucket IAM action.

s3:ForceDeleteBucket: Corresponds to the s3:DeleteBucket IAM action for operations with the x-minio-force-delete flag.

s3:DeleteBucketPolicy: Corresponds to the s3:DeleteBucketPolicy IAM action.

s3:DeleteObject: Corresponds to the s3:DeleteObject IAM action.

s3:GetBucketLocation: Corresponds to the s3:GetBucketLocation IAM action.

s3:GetBucketNotification: Corresponds to the s3:GetBucketNotification IAM action.

s3:GetBucketPolicy: Corresponds to the s3:GetBucketPolicy IAM action.

s3:GetObject: Corresponds to the s3:GetObject IAM action.

s3:HeadBucket: Corresponds to the s3:HeadBucket IAM action.

This action is unused in MinIO.

s3:ListAllMyBuckets: Corresponds to the s3:ListAllMyBuckets IAM action.

s3:ListBucket: Corresponds to the s3:ListBucket IAM action.

s3:ListMultipartUploads: Corresponds to the s3:ListMultipartUploads IAM action.

s3:ListenNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListenBucketNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListParts: Corresponds to the s3:ListParts IAM action.

s3:PutBucketLifecycle: Corresponds to the s3:PutBucketLifecycle IAM action.

s3:GetBucketLifecycle: Corresponds to the s3:GetBucketLifecycle IAM action.

s3:PutObjectNotification: Corresponds to the s3:PutObjectNotification IAM action.

s3:PutBucketPolicy: Corresponds to the s3:PutBucketPolicy IAM action.

s3:PutObject: Corresponds to the s3:PutObject IAM action.

s3:DeleteObjectVersion: Corresponds to the s3:DeleteObjectVersion IAM action.

s3:DeleteObjectVersionTagging: Corresponds to the s3:DeleteObjectVersionTagging IAM action.

s3:GetObjectVersion: Corresponds to the s3:GetObjectVersion IAM action.

s3:GetObjectVersionTagging: Corresponds to the s3:GetObjectVersionTagging IAM action.

s3:PutObjectVersionTagging: Corresponds to the s3:PutObjectVersionTagging IAM action.

s3:BypassGovernanceRetention

Corresponds to the s3:BypassGovernanceRetention IAM action.

This action applies to the following API operations on objects locked under GOVERNANCE retention mode:

PutObjectRetention
PutObject
DeleteObject

s3:PutObjectRetention: Corresponds to the s3:PutObjectRetention IAM action.

s3:GetObjectRetention

Corresponds to the s3:GetObjectRetention IAM action.

This action applies to the following API operations on objects locked under any retention mode:

GetObject
HeadObject

s3:GetObjectLegalHold

Corresponds to the s3:GetObjectLegalHold IAM action.

This action applies to the following API operations on objects locked under legal hold:

GetObject

s3:PutObjectLegalHold

Corresponds to the s3:PutObjectLegalHold IAM action.

This action applies to the following API operations on objects locked under legal hold:

PutObject

s3:GetBucketObjectLockConfiguration: Corresponds to the s3:GetBucketObjectLockConfiguration IAM action.

s3:PutBucketObjectLockConfiguration: Corresponds to the s3:PutBucketObjectLockConfiguration IAM action.

s3:GetBucketTagging: Corresponds to the s3:GetBucketTagging IAM action.

s3:PutBucketTagging: Corresponds to the s3:PutBucketTagging IAM action.

s3:Get: Corresponds to the s3:Get IAM action.

s3:Put: Corresponds to the s3:Put IAM action.

s3:Delete: Corresponds to the s3:Delete IAM action.

s3:PutEncryptionConfiguration: Corresponds to the s3:PutEncryptionConfiguration IAM action.

s3:GetEncryptionConfiguration: Corresponds to the s3:GetEncryptionConfiguration IAM action.

s3:PutBucketVersioning: Corresponds to the s3:PutBucketVersioning IAM action.

s3:GetBucketVersioning: Corresponds to the s3:GetBucketVersioning IAM action.

s3:GetReplicationConfiguration: Corresponds to the s3:GetReplicationConfiguration IAM action.

s3:PutReplicationConfiguration: Corresponds to the s3:PutReplicationConfiguration IAM action.

s3:ReplicateObject: Corresponds to the s3:ReplicateObject IAM action.

s3:ReplicateDelete: Corresponds to the s3:ReplicateDelete IAM action.

s3:ReplicateTags: Corresponds to the s3:ReplicateTags IAM action.

s3:GetObjectVersionForReplication: Corresponds to the s3:GetObjectVersionForReplication IAM action.

`mc admin` Policy Action Keys

MinIO supports the following actions for use with defining policies for mc admin operations. These actions are only valid for MinIO deployments and are not intended for use with other S3-compatible services:

admin:*: Selector for all admin action keys.

admin:Heal: Allows heal command

admin:StorageInfo: Allows listing server info

admin:DataUsageInfo: Allows listing data usage info

admin:TopLocksInfo: Allows listing top locks

admin:Profiling: Allows profiling

admin:ServerTrace: Allows listing server trace

admin:ConsoleLog: Allows listing console logs on terminal

admin:KMSCreateKey: Allows creating a new KMS master key

admin:KMSKeyStatus: Allows getting KMS key status

admin:ServerInfo: Allows listing server info

admin:OBDInfo: Allows obtaining cluster on-board diagnostics

admin:ServerUpdate: Allows MinIO binary update

admin:ServiceRestart: Allows restart of MinIO service.

admin:ServiceStop: Allows stopping MinIO service.

admin:ConfigUpdate: Allows MinIO config management

admin:CreateUser: Allows creating MinIO user

admin:DeleteUser: Allows deleting MinIO user

admin:ListUsers: Allows list users permission

admin:EnableUser: Allows enable user permission

admin:DisableUser: Allows disable user permission

admin:GetUser: Allows GET permission on user info

admin:AddUserToGroup: Allows adding user to group permission

admin:RemoveUserFromGroup: Allows removing user to group permission

admin:GetGroup: Allows getting group info

admin:ListGroups: Allows list groups permission

admin:EnableGroup: Allows enable group permission

admin:DisableGroup: Allows disable group permission

admin:CreatePolicy: Allows create policy permission

admin:DeletePolicy: Allows delete policy permission

admin:GetPolicy: Allows get policy permission

admin:AttachUserOrGroupPolicy: Allows attaching a policy to a user/group

admin:ListUserPolicies: Allows listing user policies

admin:SetBucketQuota: Allows setting bucket quota

admin:GetBucketQuota: Allows getting bucket quota

admin:SetBucketTarget: Allows setting bucket target

admin:GetBucketTarget: Allows getting bucket targets

admin:SetTier: Allows creating and modifying remote storage tiers using the mc admin tier command.

admin:ListTier: Allows listing configured remote storage tiers using the mc admin tier command.

Supported S3 Policy Condition Keys

MinIO policy documents support IAM conditional statements.

Each condition element consists of operators and condition keys. MinIO supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation

MinIO supports the following condition keys for all supported actions:

aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime
aws:PrincipalType
aws:userid
aws:username
s3:x-amz-content-sha256

The following table lists additional supported condition keys for specific actions:

Action Key	Condition Keys
`s3:GetObject`	`s3:x-amz-server-side-encryption` `s3:x-amz-server-side-encryption-customer-algorithm`
`s3:ListBucket`	`s3:prefix` `s3:delimiter` `s3:max-keys`
`s3:PutObject`	`s3:x-amz-copy-source` `s3:x-amz-server-side-encryption` `s3:x-amz-server-side-encryption-customer-algorithm` `s3:x-amz-metadata-directive` `s3:x-amz-storage-class` `s3:object-lock-retain-until-date` `s3:object-lock-mode` `s3:object-lock-legal-hold`
`s3:PutObjectRetention`	`s3:x-amz-object-lock-remaining-retention-days` `s3:x-amz-object-lock-retain-until-date` `s3:x-amz-object-lock-mode`
`s3:PutObjectLegalHold`	`s3:object-lock-legal-hold`
`s3:BypassGovernanceRetention`	`s3:object-lock-remaining-retention-days` `s3:object-lock-retain-until-date` `s3:object-lock-mode` `s3:object-lock-legal-hold`
`s3:GetObjectVersion`	`s3:versionid`
`s3:GetObjectVersionTagging`	`s3:versionid`
`s3:DeleteObjectVersion`	`s3:versionid`
`s3:DeleteObjectVersionTagging`	`s3:versionid`

`mc admin` Policy Condition Keys

MinIO supports the following conditions for use with defining policies for mc admin actions.

aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime

For complete information on any listed condition key, see the IAM Condition Element Documentation