The content of these pages is under active development and may change at any time. Thank you for your patience.

User Management

This page documents procedures for managing users on a MinIO Tenant. MinIO enforces authentication and authorization for all incoming requests, where clients must present the credentials for a user on the MinIO Tenant.

Create a New MinIO User

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to create a new user on the MinIO Tenant.

1) Open the User Management Interface

Open the MinIO Console in your browser and log in with your credentials. From the Console, click Users in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Users navigation item.

MinIO Console User Management View

The Users interface shows all existing MinIO users and their access keys. Click the + Create User button to open the Create User modal.

2) Create a New User

The Create User modal displays the following inputs for configuring the new user:

MinIO Console User Creation Modal

Access Key

Required

The Access Key to attach to the user. Clients must present this key when connecting to the MinIO Tenant.

Secret Key

Required

Enter the secret key to attach to the user. Defer to your organization's policies for generating secure passwords. MinIO strongly recommends generating a long, unique, and random string for each secret key.

Assign Groups

Optional

The groups in which the user has membership. The user inherits the IAM policy associated to each group.

You can filter groups using the Filter by Group input.

Click Save to save the new user.

3) Assign a Policy to the User

Optional

This step is not required if the user’s group membership provides the necessary policies for supporting that user’s intended workload.

MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO Tenant user has access. A user can have one explicitly attached policy. Each user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly attached and inherited policies.

To explicitly attach a policy to a user, open the Users management interface and click the flag icon next to their name to open the Set Policies modal.

MinIO Console User Select

The Set Policies modal displays inputs for selecting a policy to attach to the user.

MinIO Console User Management Set Policies

Under Assign Policies, select the policy to attach to the user. You can filter policies using the Filter by Policy text input. A user can have exactly one attached policy.

Click Save to save the new policy attachment.

For complete documentation on creating a new IAM policy to attach to a MinIO group, see Create New Policy.

4) Next Steps

Client applications can use the Access Key and Secret Key associated to the user for authenticating and performing operations on the MinIO Tenant. See the MinIO client SDKs or any S3-compatible SDK for examples of connecting to an S3-compatible object storage system with user credentials.

Attach a Policy to a MinIO User

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO Tenant user has access. A user can have one explicitly attached policy. Each user also inherits the policies attached to each group in which it has membership. The total set of permissions for a given user is the combination of its explicitly attached and inherited policies.

For complete documentation on creating a new IAM policy to attach to a MinIO user, see Create New Policy.

The following procedure uses the MinIO Console to change the IAM policy attached to a MinIO user.

1) Open the User Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click Users in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Users navigation item.

MinIO Console User Management View

2) Set the User’s Attached IAM Policy

To modify the policy attached to a user, click the Flag icon to open the Set Policies modal.

MinIO Console User Select Flag Icon

The Set Policies modal displays inputs for selecting a policy to attach to the user.

MinIO Console User Management Set Policies

Under Assign Policies, select the policy to attach to the user. You can filter policies using the Filter by Policy text input. A user can have exactly one attached policy.

Enable or Disable a MinIO User

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to enable or disable a MinIO user. Applications can only authenticate as enabled MinIO users.

1) Open the User Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click Users in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Users navigation item.

MinIO Console User Management View

2) Select the User to Enable or Disable

Click the row for the User to open the Edit User modal:

MinIO Console User Management View

3) Enable or Disable the User

The toggle in the top-right hand corner of the Edit User modal displays the current state of the MinIO user.

MinIO Console User Management View

If the toggle displays Enabled, the user is currently enabled. If the toggle displays Disabled, the user is currently disabled. Click the toggle to change the state of the user.

Click Save to save the changes. Applications cannot use Disabled users to authenticate to the MinIO Tenant until they are re-enabled.

Change Group Membership for MinIO User

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO uses Policy-Based Access Control (PBAC) to determine the actions and resources to which a MinIO Tenant user has access. MinIO also supports groups of users, where the users inherit the policy attached to the group. A given user’s access therefore consists of the set of both its explicitly attached policy and all inherited policies from its group membership.

The following procedure uses the MinIO Console to change the group memberships for a MinIO user.

1) Open the User Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click Users in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Users navigation item.

MinIO Console User Management View

2) Select the User to Edit

Click the row for the User to open the Edit User modal:

MinIO Console User Management View

3) Change Group Membership

The Edit User modal displays information on the selected MinIO Tenant User:

MinIO Console User Management View

The Assign Groups section displays the available groups on the MinIO Tenant. Toggle the Select checkbox next to each group such that only those groups in which the user must have membership are selected.

You can filter groups using the Filter by Group input.

Click Save to save the new group membership.

Delete a MinIO User

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to delete a MinIO user.

1) Open the User Management Interface

Open the Console in your browser and log in with your credentials. From the Console, click Users in the left hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the Users navigation item.

MinIO Console User Management View

2) Delete the User

To delete a user, click the Trash icon to open the Delete User modal:

MinIO Console User Select Trash Icon

You must confirm user deletion by clicking Delete from the modal.

MinIO Console User Management Delete User

Change MinIO User Password

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

The following procedure uses the MinIO Console to change the password for the authenticated MinIO user.

1) Open the Account Interface

To change your MinIO User password, open the MinIO Console in your browser and log in with your credentials. From the Console, click Account in the left hand navigation. If the User navigation group is collapsed, click on it to expand the section and view the Account navigation item.

MinIO Console Account Management View

Click Change Password to open the Change Password modal.

MinIO Console Account Management Change Password

2) Change the User Password

The Change Password modal displays the following inputs for changing the MinIO User password:

MinIO Console User Management View

Current Password

Specify the existing password for the MinIO Tenant user.

New Password

Specify the new password for the MinIO Tenant user.

Type New Password Again

Specify the new password again for verification.

Click Save to save the new password. Future login attempts with the MinIO Tenant user must specify the new password.

Create Service Accounts

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO Service Accounts are child identities of a single parent MinIO User. Each Service Account inherits its privileges from the policies attached to its parent user and the policy attached to each group in which the parent user has membership. Service Accounts also support an optional attached policy which restricts the Service Account's access to a subset of the actions and resources available to the parent user.

Service Accounts allow MinIO Tenant users to manage access to the Tenant without relying on administrative action. Disabling or deleting the parent user also disables/deletes all of that user’s Service Accounts.

MinIO Service Accounts are only available through the MinIO Console. The following procedure uses the MinIO Console to create a new Service Account associated to a MinIO Tenant user.

1) Open the Account Interface

To create a new Service Account, open the MinIO Console in your browser and log in with your credentials. From the Console, click Account in the left hand navigation. If the User navigation group is collapsed, click on it to expand the section and view the Account navigation item.

MinIO Console Service Account Management View

The Account interface shows all existing Service Accounts created by the current user. Click the + Create Service Account button to open the Create Service Account modal.

2) Create a New Service Account

The Create Service Account modal displays an input for configuring an optional IAM policy for the new Service Account:

MinIO Console Service Account Management Create New Service Account

A MinIO Service Account inherits its privileges from the policies attached to and inherited by the Tenant user. The optional policy can specify a subset of the actions and resources explicitly allowed as part of the Tenant user’s privileges. You cannot apply a custom policy after creating the Service Account.

Click Create to create the Service Account with the optional IAM policy if one is specified.

3) Copy the Service Account Credentials

The New Service Account Created dialog presents the randomly generated Access Key and Secret key for the new Service Account.

MinIO Console Service Account Management View Download Credentials

Copy the credentials to a secure location, such as a password manager or similar password protected system. You can also click Download to download the credentials as a JSON file.

Important

The MinIO Console only displays the Secret Key in this dialog and never displays it again after closing the dialog. MinIO does not support changing the credentials for Service Accounts. If the credentials for a Service Account are lost, you must create a new Service Account.
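Because the optional policy cannot be changed after the Service Account is created, it is worth checking before you click Create that it really is a subset of the parent user's explicit and group-inherited policies. The following is an added example, not MinIO code: the policy documents are constructed samples, the function names are hypothetical, and the model is simplified to `Allow` statements with `*` as the only wildcard (no `Deny` or `Condition` handling).

```python
import re

def covers(parent_pat, child_pat):
    """True if every string matched by child_pat is also matched by parent_pat."""
    regex = ".*".join(re.escape(part) for part in parent_pat.split("*"))
    return re.fullmatch(regex, child_pat, flags=re.DOTALL) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_pairs(policy):
    """Yield (action, resource) pattern pairs from the Allow statements of a policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            for action in as_list(stmt["Action"]):
                for resource in as_list(stmt["Resource"]):
                    yield action, resource

def excess_grants(parent_policies, service_policy):
    """Return Service Account grants that no single parent grant covers.

    Conservative: a grant covered only by several parent grants combined
    is still reported for manual review.
    """
    parent = [pair for pol in parent_policies for pair in allowed_pairs(pol)]
    return [
        (action, resource)
        for action, resource in allowed_pairs(service_policy)
        if not any(covers(pa, action) and covers(pr, resource) for pa, pr in parent)
    ]

# Constructed sample policies (not taken from a real deployment).
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::reports/*"]}]}
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports"]}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::reports/2024/*"]}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::reports/*"]}]}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("too_broad", TOO_BROAD)):
        print(name, excess_grants([USER_POLICY, GROUP_POLICY], pol))
```

An empty result means every grant in the Service Account policy falls inside the parent user's privileges; any reported pair is a grant the parent does not hold and should be removed or reviewed before creation.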

Delete Service Users

MinIO Console Connectivity

The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Because Kubernetes restricts external access, the procedure assumes that:

  • The user is accessing the Console from a host inside the Kubernetes cluster,

    -or-

  • The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.

MinIO Service Accounts are special credentials associated to a single MinIO Tenant user. Each Service Account consists of an automatically generated random Access Key and a shared Secret Key.

The following procedure deletes a Service Account associated to a MinIO Tenant user. Applications using that Service Account cannot access the MinIO Tenant using the Service Account credentials after deletion. Service User management is available only through the MinIO Console.

1) Open the Account Interface

To delete a Service Account, open the MinIO Console in your browser and log in with your credentials. From the Console, click Account in the left hand navigation. If the User navigation group is collapsed, click on it to expand the section and view the Account navigation item.

MinIO Console User Management View

The Account interface shows all existing Service Accounts created by the current user.

2) Delete the Service Account

Click the Trash icon to open the Delete Service Account modal.

MinIO Console User Management View

You must confirm user deletion by clicking Delete from the modal.

MinIO Console User Management Delete User