Access Management

Overview

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on AWS IAM-specific topics.

The mc admin policy command supports creation and management of policies on the MinIO deployment. See the command reference for examples of usage.

Tag-Based Policy Conditions

Changed in version RELEASE.2022-10-02T19-29-29Z: Policies can use conditions to limit a user’s access only to objects with a specific tag.

MinIO supports tag-based conditionals for policies for selected actions. Use the s3:ExistingObjectTag/<key> in the Condition statement of the policy.

Built-In Policies

MinIO provides the following built-in policies for assigning to users or groups:

consoleAdmin

Grants complete access to all S3 and administrative API operations against all resources on the MinIO deployment. Equivalent to the following set of actions:

s3:*
admin:*

readonly

Grants read-only permissions on any object on the MinIO deployment. The GET action must apply to a specific object without requiring any listing. Equivalent to the following set of actions:

s3:GetBucketLocation
s3:GetObject

For example, this policy specifically supports GET operations on objects at a specific path (e.g. GET play/mybucket/object.file), such as:

The exclusion of listing permissions is intentional, as typical use cases do not intend for a “read-only” role to have complete discoverability (listing all buckets and objects) on the object storage resource.

readwrite: Grants read and write permissions for all buckets and objects on the MinIO server. Equivalent to s3:*.

diagnostics

Grants permission to perform diagnostic actions on the MinIO deployment. Specifically includes the following actions:

admin:ServerTrace
admin:Profiling
admin:ConsoleLog
admin:ServerInfo
admin:TopLocksInfo
admin:OBDInfo
admin:BandwidthMonitor
admin:Prometheus

writeonly: Grants write-only permissions to any namespace (bucket and path to object) the MinIO deployment. The PUT action must apply to a specific object location without requiring any listing. Equivalent to the s3:PutObject action.

Use mc admin policy attach to associate a policy to a user or group on a MinIO deployment.

For example, consider the following table of users. Each user is assigned a built-in policy or a supported action. The table describes a subset of operations a client could perform if authenticated as that user:

User	Policy	Operations
`Operations`	`readwrite` on `finance` bucket `readonly` on `audit` bucket	`PUT` and `GET` on `finance` bucket. `GET` on `audit` bucket
`Auditing`	`readonly` on `audit` bucket	`GET` on `audit` bucket
`Admin`	`admin:*`	All `mc admin` commands.

Each user can access only those resources and operations which are explicitly granted by the built-in role. MinIO denies access to any other resource or action by default.

Deny overrides Allow

MinIO follows the IAM policy evaluation rules where a Deny rule overrides Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.

Policy Document Structure

MinIO policy documents use the same schema as AWS IAM Policy documents.

The following sample document provides a template for creating custom policies for use with a MinIO deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference.

The maximum size for any single policy document is 20KiB. There is no limit to the number of policy documents that can be attached to a user or group.

{
   "Version" : "2012-10-17",
   "Statement" : [
      {
         "Effect" : "Allow",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      },
      {
         "Effect" : "Deny",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      }
   ]
}

For the Statement.Action array, specify one or more supported S3 API operations.
For the Statement.Resource key, specify the bucket or bucket prefix to which to restrict the policy. You can use * and ? wildcard characters as per the S3 Resource Spec.

The * wildcard may result in unintended application of a policy to multiple buckets or prefixes based on the pattern match. For example, arn:aws:s3:::data* would match the buckets data, data_private, and data_internal. Specifying only * as the resource key applies the policy to all buckets and prefixes on the deployment.
For the Statement.Condition key, you can specify one or more supported Conditions.

Supported S3 Policy Actions

MinIO policy documents support a subset of IAM S3 Action keys. This section also includes any condition keys supported by a specific action beyond the common set of supported keys.

The following actions control access to common S3 operations. The remaining subsections document actions for more advanced S3 operations:

s3:*: Selector for all MinIO S3 operations. Applying this action to a given resource allows the user to perform any S3 operation against that resource.

s3:CreateBucket: Controls access to the CreateBucket S3 API operation.

s3:DeleteBucket: Controls access to the DeleteBucket S3 API operation.

s3:ForceDeleteBucket: Controls access to the DeleteBucket S3 API operation for operations with the x-minio-force-delete flag. Required for removing non-empty buckets.

s3:GetBucketLocation: Controls access to the GetBucketLocation S3 API operation.

s3:ListAllMyBuckets: Controls access to the ListBuckets S3 API operation.

s3:DeleteObject: Controls access to the DeleteObject S3 API operation.

s3:GetObject

Controls access to the GetObject S3 API operation.

Supports the following additional condition keys:

s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-customer-algorithm
s3:ExistingObjectTag/<key>
s3:versionid

s3:ListBucket

Controls access to the ListObjectsV2 S3 API operation.

Supports the following additional condition keys:

s3:prefix
s3:delimiter
s3:max-keys

s3:PutObject

Controls access to the PutObject S3 API operation.

Supports the following additional condition keys:

s3:x-amz-copy-source
s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-customer-algorithm
s3:x-amz-metadata-directive
s3:x-amz-storage-class
s3:versionid
s3:object-lock-retain-until-date
s3:object-lock-mode
s3:object-lock-legal-hold
s3:RequestObjectTagKeys
s3:RequestObjectTag/<key>

s3:PutObjectTagging

Controls access to the PutObjectTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>
s3:RequestObjectTagKeys
s3:RequestObjectTag/<key>

s3:GetObjectTagging

Controls access to the GetObjectTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:DeleteObjectTagging

Controls access to the DeleteObjectTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

Bucket Configuration

s3:GetBucketPolicy: Controls access to the GetBucketPolicy S3 API operation.

s3:PutBucketPolicy: Controls access to the PutBucketPolicy S3 API operation.

s3:DeleteBucketPolicy: Controls access to the DeleteBucketPolicy S3 API operation.

s3:GetBucketTagging: Controls access to the GetBucketTagging S3 API operation.

s3:PutBucketTagging

Controls access to the PutBucketTagging S3 API operation.

Supports the following additional condition keys:

s3:RequestObjectTagKeys
s3:RequestObjectTag/<key>

Multipart Upload

s3:AbortMultipartUpload: Controls access to the AbortMultipartUpload S3 API operation.

s3:ListMultipartUploadParts: Controls access to the ListParts S3 API operation.

s3:ListBucketMultipartUploads: Controls access to the ListMultipartUploads S3 API operation.

Versioning and Retention

s3:PutBucketVersioning: Controls access to the PutBucketVersioning S3 API operation.

s3:GetBucketVersioning: Controls access to the GetBucketVersioning S3 API operation.

s3:DeleteObjectVersion

Controls access to the DeleteObjectVersion S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:ListBucketVersions

Controls access to the ListBucketVersions S3 API operation.

Supports the following additional condition keys:

s3:prefix
s3:delimiter
s3:max-keys

s3:PutObjectVersionTagging

Controls access to the PutObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>
s3:RequestObjectTagKeys
s3:RequestObjectTag/<key>

s3:GetObjectVersionTagging

Controls access to the GetObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:DeleteObjectVersionTagging

Controls access to the DeleteObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:GetObjectVersion

Controls access to the GetObjectVersion S3 API operation.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:BypassGovernanceRetention

Controls access to the following S3 API operations on objects locked under GOVERNANCE retention mode:

s3:PutObjectRetention
s3:PutObject
s3:DeleteObject

See the S3 documentation on s3:BypassGovernanceRetention for more information.

Supports the following additional condition keys:

s3:versionid
s3:object-lock-remaining-retention-days
s3:object-lock-retain-until-date
s3:object-lock-mode
s3:object-lock-legal-hold
s3:RequestObjectTagKeys
s3:RequestObjectTag/<key>

s3:PutObjectRetention

Controls access to the PutObjectRetention S3 API operation.

Required for any PutObject operation that specifies retention metadata.

Supports the following additional condition keys:

s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-customer-algorithm
s3:x-amz-object-lock-remaining-retention-days
s3:x-amz-object-lock-retain-until-date
s3:x-amz-object-lock-mode
s3:versionid

s3:GetObjectRetention

Controls access to the GetObjectRetention S3 API operation.

Required for including object locking metadata as part of the response to a GetObject or HeadObject operation.

Supports the following additional condition keys:

s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-customer-algorithm
s3:versionid

s3:GetObjectLegalHold

Controls access to the GetObjectLegalHold S3 API operation.

Required for including object locking metadata as part of the response to a GetObject or HeadObject operation.

s3:PutObjectLegalHold

Controls access to the PutObjectLegalHold S3 API operation.

Required for any PutObject operation that specifies legal hold metadata.

Supports the following additional condition keys:

s3:x-amz-server-side-encryption
s3:x-amz-server-side-encryption-customer-algorithm
s3:object-lock-legal-hold
s3:versionid

s3:GetBucketObjectLockConfiguration: Controls access to the GetObjectLockConfiguration S3 API operation.

s3:PutBucketObjectLockConfiguration: Controls access to the PutObjectLockConfiguration S3 API operation.

Bucket Notifications

s3:GetBucketNotification: Controls access to the GetBucketNotification S3 API operation.

s3:PutBucketNotification: Controls access to the PutBucketNotification S3 API operation.

s3:ListenNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListenBucketNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

Object Lifecycle Management

s3:PutLifecycleConfiguration: Controls access to the PutLifecycleConfiguration S3 API operation.

s3:GetLifecycleConfiguration: Controls access to the GetLifecycleConfiguration S3 API operation.

Object Encryption

s3:PutEncryptionConfiguration: Controls access to the PutEncryptionConfiguration S3 API operation.

s3:GetEncryptionConfiguration: Controls access to the GetEncryptionConfiguration S3 API operation.

Bucket Replication

s3:GetReplicationConfiguration: Controls access to the GetBucketReplication S3 API operation.

s3:PutReplicationConfiguration: Controls access to the PutBucketReplication S3 API operation.

s3:ReplicateObject

MinIO Extension for controlling API operations related to Server-Side Bucket Replication.

Required for MinIO server-side replication.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:ReplicateDelete

MinIO Extension for controlling API operations related to Server-Side Bucket Replication.

Required for synchronizing delete operations as part of MinIO server-side replication.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:ReplicateTags

MinIO Extension for controlling API operations related to Server-Side Bucket Replication.

Required for MinIO server-side replication.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

s3:GetObjectVersionForReplication

MinIO Extension for controlling API operations related to Server-Side Bucket Replication.

Required for MinIO server-side replication.

Supports the following additional condition keys:

s3:versionid
s3:ExistingObjectTag/<key>

Supported S3 Policy Condition Keys

MinIO policy documents support IAM conditional statements.

Each condition element consists of operators and condition keys. MinIO supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation

MinIO supports the following condition keys for all supported actions:

aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime
aws:PrincipalType
aws:userid
aws:username
x-amz-content-sha256
s3:signatureAge

Warning

The aws:Referer, aws:SourceIp, and aws.UserAgent keys may be easily spoofed and therefore pose a potential security risk. MinIO recommends only using these condition keys to deny access as a secondary security measure.

Never use these three keys to grant access by themselves.

For additional keys supported by a specific S3 action, see the reference documentation for that action.

MinIO Extended Condition Keys

MinIO extends the S3 standard condition keys with the following extended key:

sts:DurationSeconds

New in version MinIO: SERVER RELEASE.2024-02-06T21-36-22Z

Specify a time in seconds to limit the duration of all Security Token Service credentials generated by AssumeRoleWithWebIdentity.

This value overrides the DurationSeconds field specified to the client.

For example:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Effect": "Allow",
            "Action": [
               "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
               "NumericLessThanEquals": {
                  "sts:DurationSeconds": "300"
               }
            }
      }
   ]
}

`mc admin` Policy Action Keys

MinIO supports the following actions for use with defining policies for mc admin operations. These actions are only valid for MinIO deployments and are not intended for use with other S3-compatible services:

admin:*: Selector for all admin action keys.

admin:Heal: Allows heal command

admin:StorageInfo: Allows listing server info

admin:DataUsageInfo: Allows listing data usage info

admin:TopLocksInfo: Allows listing top locks

admin:Profiling: Allows profiling

admin:ServerTrace: Allows listing server trace

admin:ConsoleLog: Allows listing console logs on terminal

admin:KMSCreateKey: Allows creating a new KMS master key

admin:KMSKeyStatus: Allows getting KMS key status

admin:ServerInfo: Allows listing server info

admin:OBDInfo: Allows obtaining cluster on-board diagnostics

admin:ServerUpdate: Allows MinIO binary update

admin:ServiceRestart: Allows restart of MinIO service.

admin:ServiceStop: Allows stopping MinIO service.

admin:ConfigUpdate: Allows MinIO config management

admin:CreateUser: Allows creating MinIO user

admin:DeleteUser: Allows deleting MinIO user

admin:ListUsers: Allows list users permission

admin:EnableUser: Allows enable user permission

admin:DisableUser: Allows disable user permission

admin:GetUser: Allows GET permission on user info

admin:AddUserToGroup: Allows adding user to group permission

admin:RemoveUserFromGroup: Allows removing user to group permission

admin:GetGroup: Allows getting group info

admin:ListGroups: Allows list groups permission

admin:EnableGroup: Allows enable group permission

admin:DisableGroup: Allows disable group permission

admin:CreatePolicy: Allows create policy permission

admin:DeletePolicy: Allows delete policy permission

admin:GetPolicy: Allows get policy permission

admin:AttachUserOrGroupPolicy: Allows attaching a policy to a user/group

admin:ListUserPolicies: Allows listing user policies

admin:CreateServiceAccount: Allows creating MinIO Access Key

admin:UpdateServiceAccount: Allows updating MinIO Access Key

admin:RemoveServiceAccount: Allows deleting MinIO Access Key

admin:ListServiceAccounts: Allows listing MinIO Access Key

admin:SetBucketQuota: Allows setting bucket quota

admin:GetBucketQuota: Allows getting bucket quota

admin:SetBucketTarget: Allows setting bucket target

admin:GetBucketTarget: Allows getting bucket targets

admin:SetTier: Allows creating and modifying remote storage tiers using the mc ilm tier commands.

admin:ListTier: Allows listing configured remote storage tiers using the mc ilm tier commands.

admin:BandwidthMonitor: Allows retrieving metrics related to current bandwidth consumption.

admin:Prometheus: Allows access to MinIO metrics. Only required if MinIO requires authentication for scraping metrics.

admin:ListBatchJobs: Allows access to list the active batch jobs.

admin:DescribeBatchJobs: Allows access to the see the definition details of a running batch job.

admin:StartBatchJob: Allows user to begin a batch job run.

admin:CancelBatchJob: Allows user to stop a batch job currently in process.

admin:Rebalance: Allows access to start, query, or stop a rebalancing of objects across pools with varying free storage space.

`mc admin` Policy Condition Keys

MinIO supports the following conditions for use with defining policies for mc admin actions.

aws:Referer
aws:SourceIp
aws:UserAgent
aws:SecureTransport
aws:CurrentTime
aws:EpochTime

For complete information on any listed condition key, see the IAM Condition Element Documentation.

Policy Variables

MinIO supports using policy variables for automatically substituting context from the authenticated user and/or the operation into the user’s assigned policy or policies. Use the ${POLICYVARIABLE} format to specify the variable to the policy as part of the Condition or Resource definition. MinIO policy variables function similarly to AWS IAM policy elements: Variables and tags.

Each MinIO identity provider supports its own set of policy variables:

MinIO Policy Variables
OpenID Policy Variables
Active Directory / LDAP Policy Variables

MinIO Policy Variables

The following table contains a list of recommended policy variables for use in authorizing MinIO-managed users:

Variable	Description
aws:referrer	The referrer in the HTTP header for the authenticated API call.
aws:SourceIp	The source IP in the HTTP header for the authenticated API call.
aws:username	The name of the user associated with the authenticated API call.

For example, the following policy uses variables to substitute the authenticated user’s username as part of the Resource field such that the user can only access those prefixes which match their username:

{
"Version": "2012-10-17",
"Statement": [
      {
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
      },
      {
         "Action": [
         "s3:GetObject",
         "s3:PutObject"
         ],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
      }
   ]
}

MinIO replaces the ${aws:username} variable in the Resource field with the username. MinIO then evaluates the policy and grants or revokes access to the requested API and resource.

OpenID Policy Variables

The following table contains a list of supported policy variables for use in authorizing OIDC-managed users.

Each variable corresponds to a claim returned as part of the authenticated user’s JWT token:

Variable	Description
`jwt:sub`	Returns the `sub` claim for the user.
`jwt:iss`	Returns the Issuer Identifier claim from the ID token.
`jwt:aud`	Returns the Audience claim from the ID token.
`jwt:jti`	Returns the JWT ID claim from the client authentication information.
`jwt:upn`	Returns the User Principal Name claim from the client authentication information.
`jwt:name`	Returns the `name` claim for the user.
`jwt:groups`	Returns the `groups` claim for the user.
`jwt:given_name`	Returns the `given_name` claim for the user.
`jwt:family_name`	Returns the `family_name` claim for the user.
`jwt:middle_name`	Returns the `middle_name` claim for the user.
`jwt:nickname`	Returns the `nickname` claim for the user.
`jwt:preferred_username`	Returns the `preferred_username` claim for the user.
`jwt:profile`	Returns the `profile` claim for the user.
`jwt:picture`	Returns the `picture` claim for the user.
`jwt:website`	Returns the `website` claim for the user.
`jwt:email`	Returns the `email` claim for the user.
`jwt:gender`	Returns the `gender` claim for the user.
`jwt:birthdate`	Returns the `birthdate` claim for the user.
`jwt:phone_number`	Returns the `phone_number` claim for the user.
`jwt:address`	Returns the `address` claim for the user.
`jwt:scope`	Returns the `scope` claim for the user.
`jwt:client_id`	Returns the `client_id` claim for the user.

See the OpenID Connect Core 1.0 document for more information on these scopes. Your OIDC provider of choice may have more specific documentation.

For example, the following policy uses variables to substitute the authenticated user’s preferred_username as part of the Resource field such that the user can only access those prefixes which match their username:

{
"Version": "2012-10-17",
"Statement": [
      {
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}
      },
      {
         "Action": [
         "s3:GetObject",
         "s3:PutObject"
         ],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]
      }
   ]
}

MinIO replaces the ${jwt:preferred_username} variable in the Resource field with the value of the preferred_username in the JWT token. MinIO then evaluates the policy and grants or revokes access to the requested API and resource.

Active Directory / LDAP Policy Variables

The following table contains a list of supported policy variables for use in authorizing AD/LDAP users:

Variable	Description
`ldap:username`	The simple username (`name`) for the authenticated user. This is distinct from the user’s DistinguishedName or CommonName.
`ldap:user`	The Distinguished Name used by the authenticated user.
`ldap:groups`	The Group Distinguished Name for the authenticated user.

For example, the following policy uses variables to substitute the authenticated user’s name as part of the Resource field such that the user can only access those prefixes which match their name:

{
"Version": "2012-10-17",
"Statement": [
      {
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
      },
      {
         "Action": [
         "s3:GetObject",
         "s3:PutObject"
         ],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
      }
   ]
}

MinIO replaces the ${ldap:username} variable in the Resource field with the value of the authenticated user’s name. MinIO then evaluates the policy and grants or revokes access to the requested API and resource.