Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Elastic Kubernetes Service

Configure MinIO for Authentication using OpenID

Overview

MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities. The procedure on this page provides instructions for:

  • Configuring a MinIO Tenant to use an external OIDC provider.

  • Accessing the Tenant Console using OIDC Credentials.

  • Using the MinIO AssumeRoleWithWebIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

This procedure is generic for OIDC compatible providers. Defer to the documentation for the OIDC provider of your choice for specific instructions or procedures on authentication and JWT retrieval.

Prerequisites

MinIO Kubernetes Operator

Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator. This documentation assumes the latest stable Operator, version 6.0.4.

OpenID-Connect (OIDC) Compatible IDentity Provider

This procedure assumes an existing OIDC provider such as Okta, KeyCloak, Dex, Google, or Facebook. Instructions on configuring these services are out of scope for this procedure.

  • For OIDC services within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the OIDC service.

  • For OIDC services external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

Ensure each user identity intended for use with MinIO has the appropriate claim configured such that MinIO can associate a policy to the authenticated user. An OpenID user with no assigned policy has no permission to access any action or resource on the MinIO cluster.

MinIO Tenant

This procedure assumes your Kubernetes cluster has sufficient resources to deploy a new MinIO Tenant.

You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable OIDC Identity Management.

Deploy MinIO Tenant with OpenID Connect Identity Management

1) Access the Operator Console

Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. For instructions, see Configure access to the Operator Console service.

Open your browser to the temporary URL and enter the JWT Token into the login page. You should see the Tenants page:

MinIO Operator Console

Click the + Create Tenant to start creating a MinIO Tenant.

If you are modifying an existing Tenant, select that Tenant from the list. The following steps reference the necessary sections and configuration settings for existing Tenants.

2) Complete the Identity Provider Section

To enable external identity management with an OIDC select the Identity Provider section. You can then change the radio button to OIDC to display the configuration settings.

MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID

An asterisk * marks required fields. The following table provides general guidance for those fields:

Field

Description

Configuration URL

The hostname of the OpenID .well-known/openid-configuration file.
Client ID
Secret ID

The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service.

Claim Name

The OIDC Claim MinIO uses for identifying the policies to attach to the authenticated user.

Once you complete the section, you can finish any other required sections of Tenant Deployment.

3) Assign Policies to OIDC Users

MinIO by default assigns no policies to OIDC users. MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user. If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.

The following example assumes an existing alias configured for the MinIO Tenant.

Consider the following example policy that grants general S3 API access on only the data bucket:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:*"
         ],
         "Resource": [
            "arn:aws:s3:::data",
            "arn:aws:s3:::data/*"
         ]
      }
   ]
}

Use the mc admin policy create command to create a policy for use by an OIDC user:

mc admin policy create minio-tenant datareadonly /path/to/datareadonly.json

MinIO attaches the datareadonly policy to any authenticated OIDC user with datareadonly included in the configured claim.

See OpenID Connect Access Management for more information on access control with OIDC users and groups.

4) Use the MinIO Tenant Console to Log In with OIDC Credentials

The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

See Deploy MinIO Tenant: Connect to the Tenant for additonal information about accessing the Tenant Console.

If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials.

Enter the user’s OIDC credentials and log in to access the Console.

Once logged in, you can perform any action for which the authenticated user is authorized.

You can also create access keys for supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the access keys.

5) Generate S3-Compatible Temporary Credentials using OIDC Credentials

Applications can generate temporary access credentials as-needed using the AssumeRoleWithWebIdentity Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the OIDC provider.

The application must provide a workflow for logging into the OIDC provider and retrieving the JSON Web Token (JWT) associated to the authentication session. Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication. MinIO provides an example Go application web-identity.go with an example of managing this workflow.

Once the application retrieves the JWT token, use the AssumeRoleWithWebIdentity endpoint to generate the temporary credentials:

POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86400
&Policy=Policy

  • Replace minio.example.net with the hostname or URL of the MinIO Tenant service.

  • Replace the TOKEN with the JWT token returned in the previous step.

  • Replace the DurationSeconds with the duration in seconds until the temporary credentials expire. The example above specifies a period of 86400 seconds, or 24 hours.

  • Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.

    Omit to use the policy associated to the OpenID user policy claim.

The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

See the AssumeRoleWithWebIdentity for reference documentation.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License