
Policy Management

This page documents procedures for managing policies on a MinIO Tenant. MinIO uses Policy-Based Access Control (PBAC) for defining the actions and resources to which a client has access. MinIO policies are JSON documents with IAM-compatible syntax.

Each MinIO user can have one attached policy for defining its scope of access. MinIO also supports creating groups of users, where the users inherit the policy attached to the group. A group can have one attached policy for defining the scope of access of its membership.

A given user’s access therefore consists of the set of both its explicitly attached policy and all inherited policies from its group membership. MinIO only processes the requested operation if the user’s complete set of policies explicitly allows access to both the required actions and resources for that operation.

Create New Policy

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to create a new policy on the MinIO Tenant. You can then attach the new policy to a user or group on the MinIO Tenant.

1) Open the Policy Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click IAM Policies in the left-hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the IAM Policies navigation item.

MinIO Console IAM Policies Management View

Click the + Create Policy button to open the Create Policy modal.

2) Configure the New Policy

The Create Policy modal displays inputs for configuring a new IAM policy:

MinIO Console IAM Policy Creation Modal

Policy Name

The name of the policy. The name must be unique among all other policies on the MinIO Tenant.

Write Policy

The JSON document describing the IAM policy. See IAM JSON policy reference for more complete documentation of supported syntax.

Click Save to save the new policy. You cannot update the policy JSON after saving.

Important

The MinIO Console only validates that the JSON document has valid structure and syntax. The Console does not perform any simulations on the created policy to validate its functionality in practice. Consider performing end-to-end testing of the new policy to validate that it supports the access required for the intended workload prior to using the policy in production environments.

3) Attach Policy to User or Group

Optional: You can skip this step if you do not intend to attach the policy to a user or group immediately.

To attach a policy to a MinIO user, click Users in the left-hand navigation. Click the Flag icon to open the Set Policies modal. Under the Assign Policies section, select the newly created policy. For more complete documentation, see Attach a Policy to a MinIO User.

Users can have at most one attached policy. If the user has an existing attached policy, specifying the newly created policy replaces the previous policy.
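Because the Console checks only JSON structure and syntax, it helps to check a policy set against the access the workload is expected to have before relying on it. The following added example (not MinIO code and not part of the original documentation) is a simplified offline model of IAM-style evaluation over a user policy plus an inherited group policy. It assumes standard IAM semantics (default deny, explicit Deny overrides Allow), approximates wildcards with Python's fnmatchcase, and rejects statements that use keys it does not model, such as Condition. The bucket name and policies are constructed samples.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies; the bucket name "example-reports" is a placeholder.
USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::example-reports/*"]}]}""")
GROUP_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": "arn:aws:s3:::example-reports"},
  {"Effect": "Deny", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::example-reports/archive/*"}]}""")

SUPPORTED_KEYS = {"Sid", "Effect", "Action", "Resource"}

def _as_list(value):
    # IAM JSON allows a single string/object where a list is also accepted.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _statements(policy):
    for stmt in _as_list(policy["Statement"]):
        extra = set(stmt) - SUPPORTED_KEYS
        if extra:  # Condition, NotAction, ... are outside this simplified model
            raise ValueError(f"unsupported statement keys: {sorted(extra)}")
        yield stmt

def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def is_allowed(policies, action, resource):
    """Default deny; an explicit Deny wins; otherwise an explicit Allow is required."""
    effects = {s["Effect"] for p in policies for s in _statements(p)
               if _matches(s, action, resource)}
    return "Deny" not in effects and "Allow" in effects

def failed_expectations(policies, expectations):
    """Return the (action, resource, expected) rows the policy set does not satisfy."""
    return [r for r in expectations if is_allowed(policies, r[0], r[1]) != r[2]]

# Access the workload is expected to have (constructed).
EXPECTED = [
    ("s3:GetObject", "arn:aws:s3:::example-reports/2024/q1.csv", True),
    ("s3:ListBucket", "arn:aws:s3:::example-reports", True),  # inherited from group
    ("s3:PutObject", "arn:aws:s3:::example-reports/archive/old.csv", False),  # group Deny
    ("s3:DeleteObject", "arn:aws:s3:::example-reports/2024/q1.csv", False),  # never allowed
]

if __name__ == "__main__":
    for row in failed_expectations([USER_POLICY, GROUP_POLICY], EXPECTED):
        print("MISMATCH:", row)
```

A model like this catches gaps in the policy document itself; it does not replace end-to-end testing against the Tenant.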

Delete Policy

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to delete an existing policy on the MinIO Tenant.

1) Open the Policy Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click IAM Policies in the left-hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the IAM Policies navigation item.

MinIO Console IAM Policies Management View

2) Back Up the Policy

Optional: You can skip this step if you do not need to keep a backup copy of the policy to delete.

From the IAM Policies section, click the row for the policy you intend to delete to open the Info modal:

MinIO Console IAM Policies Info

Copy the JSON document to a secure location to back up the policy. You can recreate the policy using the JSON at a later time.

3) Delete the Policy

To delete the policy, click the Trash icon to open the Delete Policy modal:

MinIO Console IAM Policy Select Trash Icon

You must confirm policy deletion by clicking Delete from the modal.
