Table of Contents
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on AWS IAM-specific topics.
The mc admin policy command supports creation and management of
policies on the MinIO deployment. See the command reference for examples of
usage.
MinIO provides the following built-in policies for assigning to users or groups:
Grants complete access to all S3 and administrative API operations against all resources on the MinIO deployment. Equivalent to the following set of actions:
Grants read-only permissions on any object on the MinIO deployment. The GET action must apply to a specific object without requiring any listing. Equivalent to the following set of actions:
For example, this policy specifically supports GET operations on objects at a
specific path (e.g. GET play/mybucket/object.file), such as:
The exclusion of listing permissions is intentional, as typical use cases do not intend for a “read-only” role to have complete discoverability (listing all buckets and objects) on the object storage resource.
Grants read and write permissions for all buckets and objects on the
MinIO server. Equivalent to s3:*.
Grants permission to perform diagnostic actions on the MinIO deployment. Specifically includes the following actions:
Grants write-only permissions to any namespace (bucket and path to object)
the MinIO deployment. The PUT action must apply to a specific object
location without requiring any listing.
Equivalent to the s3:PutObject action.
Use mc admin policy set to associate a policy to a
user or group on a MinIO deployment.
For example, consider the following table of users. Each user is assigned a built-in policy or a supported action. The table describes a subset of operations a client could perform if authenticated as that user:
User |
Policy |
Operations |
|---|---|---|
|
PUT and GET on finance bucket.PUT on audit bucket |
|
|
readonly on audit bucket |
|
|
All |
Each user can access only those resources and operations which are explicitly granted by the built-in role. MinIO denies access to any other resource or action by default.
Deny overrides Allow
MinIO follows the IAM policy evaluation rules where a Deny rule overrides
Allow rule on the same action/resource. For example, if a user has an
explicitly assigned policy with an Allow rule for an action/resource
while one of its groups has an assigned policy with a Deny rule for that
action/resource, MinIO would apply only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
MinIO policy documents use the same schema as AWS IAM Policy documents.
The following sample document provides a template for creating custom policies for use with a MinIO deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference.
Hybrid Cloud Object Storage
Baremetal
Erasure Code Calculator
Reference Hardware
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:aws:s3:::*",
"Condition" : { ... }
},
{
"Effect" : "Deny",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:aws:s3:::*",
"Condition" : { ... }
}
]
}
For the Statement.Action array, specify one or more
supported S3 API operations. MinIO deployments
supports a subset of AWS S3 API operations.
For the Statement.Resource key, you can replace the * with
the specific bucket to which the policy statement should apply.
Using * applies the statement to all resources on the MinIO deployment.
For the Statement.Condition key, you can specify one or more
supported Conditions. MinIO
deployments supports a subset of AWS S3 conditions.
MinIO policy documents support a subset of IAM S3 Action keys.
The following actions control access to common S3 operations. The remaining subsections document actions for more advanced S3 operations:
Selector for all MinIO S3 operations. Applying this action to a given resource allows the user to perform any S3 operation against that resource.
Controls access to the CreateBucket S3 API operation.
Controls access to the DeleteBucket S3 API operation.
Controls access to the DeleteBucket
S3 API operation for operations with the x-minio-force-delete flag.
Required for removing non-empty buckets.
Controls access to the GetBucketLocation S3 API operation.
Controls access to the ListBuckets S3 API operation.
Controls access to the DeleteObject S3 API operation.
Controls access to the GetObject S3 API operation.
Controls access to the ListObjectsV2 S3 API operation.
Controls access to the PutObject S3 API operation.
Controls access to the PutObjectTagging S3 API operation.
Controls access to the GetObjectTagging S3 API operation.
Controls access to the GetBucketPolicy S3 API operation.
Controls access to the PutBucketPolicy S3 API operation.
Controls access to the DeleteBucketPolicy S3 API operation.
Controls access to the GetBucketTagging S3 API operation.
Controls access to the PutBucketTagging S3 API operation.
Controls access to the AbortMultipartUpload S3 API operation.
Controls access to the ListParts S3 API operation.
Controls access to the ListMultipartUploads S3 API operation.
Controls access to the PutBucketVersioning S3 API operation.
Controls access to the GetBucketVersioning S3 API operation.
Controls access to the DeleteObjectVersion S3 API operation.
Controls access to the DeleteObjectVersionTagging S3 API operation.
Controls access to the GetObjectVersion S3 API operation.
Controls access to the following S3 API operations on objects
locked under GOVERNANCE
retention mode:
PutObjectRetention
PutObject
DeleteObject
See the S3 documentation on s3:BypassGovernanceRetention for more information.
Controls access to the PutObjectRetention S3 API operation.
Required for any PutObject operation that specifies
retention metadata.
Controls access to the GetObjectRetention S3 API operation.
Required for including object locking metadata
as part of the response to a GetObject or HeadObject operation.
Controls access to the GetObjectLegalHold S3 API operation.
Required for including object locking metadata
as part of the response to a GetObject or HeadObject operation.
Controls access to the PutObjectLegalHold S3 API operation.
Required for any PutObject operation that specifies
legal hold metadata.
Controls access to the GetObjectLockConfiguration S3 API operation.
Controls access to the PutObjectLockConfiguration S3 API operation.
Controls access to the GetBucketNotification S3 API operation.
Controls access to the PutBucketNotification S3 API operation.
MinIO Extension for controlling API operations related to MinIO Bucket Notifications.
This action is not intended for use with other S3-compatible services.
MinIO Extension for controlling API operations related to MinIO Bucket Notifications.
This action is not intended for use with other S3-compatible services.
Controls access to the PutLifecycleConfiguration S3 API operation.
Controls access to the GetLifecycleConfiguration S3 API operation.
Controls access to the PutEncryptionConfiguration S3 API operation.
Controls access to the GetEncryptionConfiguration S3 API operation.
Controls access to the GetBucketReplication S3 API operation.
Controls access to the PutBucketReplication S3 API operation.
MinIO Extension for controlling API operations related to Server-Side Bucket Replication.
Required for server-side replication.
MinIO Extension for controlling API operations related to Server-Side Bucket Replication.
Required for synchronizing delete operations as part of server-side replication.
MinIO Extension for controlling API operations related to Server-Side Bucket Replication.
Required for server-side replication.
MinIO Extension for controlling API operations related to Server-Side Bucket Replication.
Required for server-side replication.
MinIO policy documents support IAM conditional statements.
Each condition element consists of operators and condition keys. MinIO supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation
MinIO supports the following condition keys for all supported actions:
aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime
aws:PrincipalType
aws:userid
aws:username
x-amz-content-sha256
The following table lists additional supported condition keys for specific actions:
Action Key |
Condition Keys |
|---|---|
x-amz-server-side-encryptionx-amz-server-side-encryption-customer-algorithm |
|
prefixdelimitermax-keys |
|
x-amz-copy-sourcex-amz-server-side-encryptionx-amz-server-side-encryption-customer-algorithmx-amz-metadata-directivex-amz-storage-classobject-lock-retain-until-dateobject-lock-modeobject-lock-legal-hold |
|
x-amz-object-lock-remaining-retention-daysx-amz-object-lock-retain-until-datex-amz-object-lock-mode |
|
|
|
object-lock-remaining-retention-daysobject-lock-retain-until-dateobject-lock-modeobject-lock-legal-hold |
|
|
|
|
mc admin Policy Action KeysMinIO supports the following actions for use with defining policies
for mc admin operations. These actions are only valid for
MinIO deployments and are not intended for use with other S3-compatible
services:
Selector for all admin action keys.
Allows heal command
Allows listing server info
Allows listing data usage info
Allows listing top locks
Allows profiling
Allows listing server trace
Allows listing console logs on terminal
Allows creating a new KMS master key
Allows getting KMS key status
Allows listing server info
Allows obtaining cluster on-board diagnostics
Allows MinIO binary update
Allows restart of MinIO service.
Allows stopping MinIO service.
Allows MinIO config management
Allows creating MinIO user
Allows deleting MinIO user
Allows list users permission
Allows enable user permission
Allows disable user permission
Allows GET permission on user info
Allows adding user to group permission
Allows removing user to group permission
Allows getting group info
Allows list groups permission
Allows enable group permission
Allows disable group permission
Allows create policy permission
Allows delete policy permission
Allows get policy permission
Allows attaching a policy to a user/group
Allows listing user policies
Allows creating MinIO Service Account
Allows updating MinIO Service Account
Allows deleting MinIO Service Account
Allows listing MinIO Service Account
Allows setting bucket quota
Allows getting bucket quota
Allows setting bucket target
Allows getting bucket targets
Allows creating and modifying remote storage tiers using the
mc admin tier command.
Allows listing configured remote storage tiers using the
mc admin tier command.
Allows retrieving metrics related to current bandwidth consumption.
Allows access to MinIO metrics. Only required if MinIO requires authentication for scraping metrics.
mc admin Policy Condition KeysMinIO supports the following conditions for use with defining policies for
mc admin actions.
aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime
For complete information on any listed condition key, see the IAM Condition Element Documentation
This work is licensed under a Creative Commons Attribution 4.0 International License.
©2020-Present, MinIO, Inc.
