Identity and Access Management
MinIO requires every client to both authenticate and be authorized for each operation it requests.
- Authentication
  The process of verifying the identity of a connecting client. MinIO requires clients to authenticate using the AWS Signature Version 4 protocol; the deprecated Signature Version 2 protocol is also supported. Specifically, a client must prove possession of a valid access key and secret key pair to call any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations: the access key is sent with the request and the secret key is used to sign it, so the secret key itself never goes on the wire.
- Authorization
  The process of restricting the actions and resources the authenticated client can perform on the deployment. MinIO uses Policy-Based Access Control (PBAC), where each policy describes one or more rules that outline the permissions of a user or group of users. MinIO supports S3-specific actions and conditions when creating policies. By default, MinIO denies access to actions or resources not explicitly referenced in a user's assigned or inherited policies.
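To make the authentication step concrete, here is an added example, written for this page rather than taken from MinIO or AWS code, of what a Signature Version 4 exchange involves on both sides: the client derives a scoped signing key from its secret key and signs a canonical form of the request, and the server looks up the secret for the presented access key, recomputes the same signature over the request as received, and compares the two in constant time. The access key, secret key, host, object path and timestamp are constructed. The `verify` function models the server-side check only as far as shown here: it expects a signed payload hash and does not handle presigned URLs, chunked uploads, or the UNSIGNED-PAYLOAD marker.

```python
"""AWS Signature Version 4 for an S3 request: the client-side signing step and
the server-side check a service like MinIO performs before any authorization
decision. Added illustration for this page, not MinIO's or AWS's own code; the
access key, secret key, host, path and timestamp below are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the scoped signing key. The secret key itself never leaves the client."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, signed_headers, payload_hash):
    """Canonical form that signer and verifier must derive identically from the request."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_headers = "".join(f"{h}:{' '.join(headers[h].split())}\n" for h in signed_headers)
    return "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, ";".join(signed_headers), payload_hash])


def compute_signature(secret_key, region, method, path, query, headers, signed_headers, payload):
    """Return (credential scope, hex signature) for one request."""
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    creq = canonical_request(method, path, query, headers, signed_headers, sha256_hex(payload))
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, amz_date[:8], region)
    return scope, hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(access_key, secret_key, region, method, path, headers, query=None, payload=b""):
    """Client side: returns a lower-cased copy of `headers` with the x-amz-* headers
    and the Authorization header added."""
    headers = {k.lower(): v for k, v in headers.items()}
    headers.setdefault("x-amz-date", datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    headers["x-amz-content-sha256"] = sha256_hex(payload)
    signed = sorted(h for h in headers if h == "host" or h.startswith("x-amz-"))
    scope, sig = compute_signature(secret_key, region, method, path, query or {}, headers, signed, payload)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return headers


def verify(secrets, method, path, query, headers, payload=b""):
    """Server side: look up the presented access key, recompute the signature over the
    request as received and compare in constant time. Any parse failure is a rejection."""
    headers = {k.lower(): v for k, v in headers.items()}
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        access_key, date, region, service, terminal = fields["Credential"].split("/")
        signed = fields["SignedHeaders"].split(";")
        presented = fields["Signature"]
    except (KeyError, ValueError):
        return False
    secret = secrets.get(access_key)           # unknown access key: reject
    if secret is None or service != "s3" or terminal != "aws4_request":
        return False
    if "host" not in signed or "x-amz-date" not in signed or any(h not in headers for h in signed):
        return False
    if not headers["x-amz-date"].startswith(date):
        return False                           # scope date must match the signed timestamp
    if headers.get("x-amz-content-sha256") != sha256_hex(payload):
        return False                           # body differs from what was signed
    _, expected = compute_signature(secret, region, method, path, query or {}, headers, signed, payload)
    return hmac.compare_digest(expected, presented)


# Constructed credentials and request; nothing here refers to a real deployment.
SECRETS = {"EXAMPLEACCESSKEY": "example-secret-key-that-is-not-real"}
REQUEST = dict(method="GET", path="/reports/2024/q1.csv", query={},
               headers={"Host": "minio.example.internal:9000", "x-amz-date": "20240101T120000Z"})


def demo():
    """Sign the constructed GET request as the client would."""
    return sign("EXAMPLEACCESSKEY", SECRETS["EXAMPLEACCESSKEY"], "us-east-1",
                REQUEST["method"], REQUEST["path"], REQUEST["headers"], REQUEST["query"])
```

Calling `demo()` yields the headers a client would send; feeding them to `verify` with the server's copy of the secret succeeds, while a wrong secret, an unknown access key, a changed method, path, body or timestamp all fail, which is exactly why the signature, not the access key alone, is what authenticates the request.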
Identity Management
MinIO supports both internal and external identity management: the MinIO Internal IDP, or an external OpenID Connect or Active Directory/LDAP provider.
Once authenticated, MinIO either allows or rejects the client request depending on whether or not the authenticated identity is authorized to perform the operation on the specified resource.
Access Management
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.
MinIO manages the creation and storage of policies. The process for assigning a policy to a user or group depends on the configured IDentity Provider (IDP).
MinIO deployments using the MinIO Internal IDP require explicitly associating a user to a policy or policies using the mc admin policy attach command. A user can also inherit the policies attached to the groups in which they have membership.
By default, MinIO denies access to actions or resources not explicitly allowed by an attached or inherited policy. A user with no explicitly assigned or inherited policies cannot perform any S3 or MinIO administrative API operations.
For MinIO deployments using an External IDP, policy assignment depends on the choice of IDP: with OpenID Connect, MinIO reads the names of the policies to apply from a claim in the provider's token (the policy claim by default); with Active Directory/LDAP, policies are attached to the user's or group's Distinguished Name, again using mc admin policy attach.
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete coverage of IAM, IAM policies, or IAM JSON syntax.
Deny overrides Allow
MinIO follows AWS IAM policy evaluation rules, where a Deny rule overrides an Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO applies only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
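The following is an added example, not MinIO's evaluator, that puts the access-management rules above (policies attached to users and inherited from groups, default deny) together with the Deny-overrides-Allow rule in runnable form. The policy documents use the IAM JSON layout the text says MinIO is compatible with, including one StringLike condition on s3:prefix. The `PolicyStore` class is a hypothetical in-memory stand-in for the store behind mc admin policy attach, and the users, groups, policy names and bucket names are constructed; the evaluator covers only the string condition operators it lists and raises on anything else rather than guessing.

```python
"""IAM-style policy evaluation as the text describes it: default deny, an explicit
Allow grants, an explicit Deny overrides any Allow, and users inherit the policies
attached to their groups. Added illustration, not MinIO's own evaluator; the policy
documents, users, groups and bucket names are constructed for this example."""
import fnmatch
import json

SUPPORTED_OPERATORS = ("StringEquals", "StringLike")


def _as_list(value):
    """IAM lets Action, Resource and condition values be either a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    """IAM-style wildcard match ('s3:Get*', 'arn:aws:s3:::reports/*'), case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        if operator not in SUPPORTED_OPERATORS:
            raise ValueError(f"condition operator not implemented in this example: {operator}")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not _glob_any(actual, wanted):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    return (_glob_any(action, stmt.get("Action", []))
            and _glob_any(resource, stmt.get("Resource", []))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request over a list of parsed policy documents."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit Deny wins regardless of any Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: default deny


class PolicyStore:
    """Hypothetical in-memory stand-in for the policy/user/group store behind
    `mc admin policy attach`; it exists only to make the example self-contained."""

    def __init__(self):
        self.policies, self.user_policies, self.group_policies, self.groups = {}, {}, {}, {}

    def create_policy(self, name, document_json):
        self.policies[name] = json.loads(document_json)

    def attach(self, policy, user=None, group=None):
        target = self.user_policies if user else self.group_policies
        target.setdefault(user or group, set()).add(policy)

    def add_member(self, user, group):
        self.groups.setdefault(group, set()).add(user)

    def effective_policies(self, user):
        names = set(self.user_policies.get(user, ()))
        for group, members in self.groups.items():     # inherited through group membership
            if user in members:
                names |= self.group_policies.get(group, set())
        return [self.policies[n] for n in sorted(names)]

    def is_authorized(self, user, action, resource, context=None):
        return evaluate(self.effective_policies(user), action, resource, context) == "Allow"


# Constructed policy documents in IAM JSON layout.
REPORTS_RW = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::reports",
         "Condition": {"StringLike": {"s3:prefix": "2024/*"}}},
    ],
})
CONTRACTOR_READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::*"}],
})


def build_demo():
    """alice has reports-rw attached directly but belongs to 'contractors', whose Deny on
    writes overrides her Allow; carol has reports-rw only; bob has no policies at all."""
    store = PolicyStore()
    store.create_policy("reports-rw", REPORTS_RW)
    store.create_policy("contractor-read-only", CONTRACTOR_READ_ONLY)
    store.attach("reports-rw", user="alice")
    store.attach("reports-rw", user="carol")
    store.attach("contractor-read-only", group="contractors")
    store.add_member("alice", "contractors")
    return store
```

With `store = build_demo()`, alice can read objects under reports/ but her PutObject is denied by the group policy even though her own policy allows it; carol, who is not in the group, can write; bob, with nothing attached or inherited, can do nothing; and ListBucket succeeds only when the request carries an s3:prefix matching the condition.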