mc admin config

API Configuration

api

The top-level configuration key for modifying API-related operations.

api.root_access

New in version MinIO: Server RELEASE.2023-05-04T21-44-30Z

Specify on to enable and off to disable the root user account. Disabling the root service account also disables all service accounts associated with root, excluding those used by site replication. Defaults to on.

Ensure you have at least one other admin user, such as one with the consoleAdmin policy, before disabling the root account. If you do not have another admin user, disabling the root account locks administrative access to the deployment.

This configuration setting corresponds with the MINIO_API_ROOT_ACCESS environment variable. To reset after an unintentional lock, set MINIO_API_ROOT_ACCESS on to override this setting and temporarily re-enable the root account. You can then change this setting to on or make the necessary user/policy changes to ensure normal administrative access through other non-root accounts.

api.sync_events

Enables synchronous bucket notifications.

Specify on to direct MinIO to wait until the remote target returns success on receipt of an event before processing further events.

Defaults to off, or asynchronous bucket notifications where MinIO does not wait for the remote target to return success on receipt of an event.

This configuration setting corresponds with the MINIO_API_SYNC_EVENTS environment variable.

Scanner

scanner

Configuration settings that affect the scanner process. MinIO utilizes the scanner for bucket replication, site replication, and lifecycle management tasks.

scanner.speed

This configuration setting corresponds with the MINIO_SCANNER_SPEED environment variable.

MinIO utilizes the scanner for bucket replication, site replication, and lifecycle management tasks.

Valid values include:

fastest	Removes scanner wait on read/write latency, allowing the scanner to operate at full-speed and IOPS consumption. This setting may result in reduced read and write performance.
fast	Sets a short scanner wait time on read/write latency, allowing the scanner to operate at a higher speed and IOPS consumption. This setting may result in reduced read and write performance.
default	Sets a moderate scanner wait time on read/write latency, allowing the scanner to operate at a balanced speed and IOPS consumption. This setting seeks to maintain read and write performance while allowing ongoing scanner activity.
slow	Sets a medium scanner wait time on read/write latency, where the scanner operates at a reduced speed and IOPS consumption. This setting allows better read and write performance while reducing scanner performance. May impact scanner-dependent features, such as lifecycle management and replication.
slowest	Sets a large scanner wait time on read/write latency, where the scanner operates at a substantially lower speed and IOPS consumption. This setting prioritizes read and write operations at the potential cost of scanner operations. May impact scanner-dependent features, such as lifecycle management and replication.

HTTP Webhook Log Target

logger_webhook

The top-level configuration key for defining an HTTP webhook target for publishing MinIO logs.

Use mc admin config set to set or update an HTTP webhook target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set logger_webhook \
   endpoint="http://webhook.example.net" [ARGUMENTS=VALUE ...]

You can specify multiple HTTP webhook targets by appending [:name] to the top-level key. For example, the following commands set two distinct HTTP webhook targets as primary and secondary respectively:

mc admin config set logger_webhook:primary \
   endpoint="http://webhook-01.example.net" [ARGUMENTS=VALUE ...]


mc admin config set logger_webhook:secondary \
   endpoint="http://webhook-02.example.net" [ARGUMENTS=VALUE ...]

The logger_webhook configuration key accepts the following arguments:

logger_webhook.endpoint

Required

The HTTP endpoint of the webhook.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_ENDPOINT environment variable.

logger_webhook.auth_token

Optional

An authentication token of the appropriate type for the endpoint. Omit for endpoints which do not require authentication.

To allow for a variety of token types, MinIO creates the request authentication header using the value exactly as specified. Depending on the endpoint, you may need to include additional information.

For example: for a Bearer token, prepend Bearer:

   mc admin config set myminio logger_webhook   \
      endpoint="https://webhook-1.example.net"  \
      auth_token="Bearer 1a2b3c4f5e"

Modify the value according to the endpoint requirements. A custom authentication format could resemble the following:

   mc admin config set myminio logger_webhook   \
      endpoint="https://webhook-1.example.net"  \
      auth_token="ServiceXYZ 1a2b3c4f5e"

Consult the documenation for the desired service for more details.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_AUTH_TOKEN environment variable.

logger_webhook.client_cert

Optional

The path to the mTLS certificate to use for authenticating to the webhook logger.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_CLIENT_CERT environment variable.

logger_webhook.client_key

Optional

The path to the mTLS certificate key to use to authenticate with the webhook logger service.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_CLIENT_KEY environment variable.

logger_webhook.proxy

New in version MinIO: RELEASE.2023-02-22T18-23-45Z

Optional

Define a proxy to use for the webhook logger when communicating from MinIO to external webhooks.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_PROXY environment variable.

logger_webhook.queue_dir

New in version RELEASE.2023-05-18T00-05-36Z.

Optional

Specify the directory path, such as /opt/minio/events, to enable MinIO’s persistent event store for undelivered messages. The MinIO process must have read, write, and list access on the specified directory.

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_QUEUE_DIR environment variable.

logger_webhook.queue_size

Optional

An integer value to use for the queue size for logger webhook targets. The default is 100000 events.

This configuration setting corresponds with the MINIO_LOGGER_WEBHOOK_QUEUE_SIZE environment variable.

HTTP Webhook Audit Log Target

audit_webhook

The top-level configuration key for defining an HTTP webhook target for publishing MinIO audit logs.

Use mc admin config set to set or update an HTTP webhook target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set audit_webhook \
   endpoint="http://webhook.example.net" [ARGUMENTS=VALUE ...]

You can specify multiple HTTP webhook targets by appending [:name] to the top-level key. For example, the following commands set two distinct HTTP webhook targets as primary and secondary respectively:

mc admin config set audit_webhook:primary \
   endpoint="http://webhook-01.example.net" [ARGUMENTS=VALUE ...]


mc admin config set audit_webhook:secondary \
   endpoint="http://webhook-02.example.net" [ARGUMENTS=VALUE ...]

The audit_webhook configuration key accepts the following arguments:

audit_webhook.endpoint

Required

The HTTP endpoint of the webhook.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_ENDPOINT environment variable.

audit_webhook.auth_token

Optional

An authentication token of the appropriate type for the endpoint. Omit for endpoints which do not require authentication.

To allow for a variety of token types, MinIO creates the request authentication header using the value exactly as specified. Depending on the endpoint, you may need to include additional information.

For example: for a Bearer token, prepend Bearer:

mc admin config set myminio audit_webhook       \
         endpoint="http://webhook.example.net"  \
         auth_token="Bearer 1a2b3c4f5e"

Modify the value according to the endpoint requirements. A command for a custom authentication format could resemble the following:

mc admin config set myminio audit_webhook       \
         endpoint="http://webhook.example.net"  \
         auth_token="ServiceXYZ 1a2b3c4f5e"

Consult the documenation for the desired service for more details.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_AUTH_TOKEN environment variable.

audit_webhook.client_cert

Optional

The x.509 client certificate to present to the HTTP webhook. Omit for webhooks which do not require clients to present a known TLS certificate.

Requires specifying client_key.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_CLIENT_CERT environment variable.

audit_webhook.client_key

Optional

The x.509 private key to present to the HTTP webhook. Omit for webhooks which do not require clients to present a known TLS certificate.

Requires specifying client_cert.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_CLIENT_KEY environment variable.

audit_webhook.queue_dir

New in version RELEASE.2023-05-18T00-05-36Z.

Optional

Specify the directory path, such as /opt/minio/events, to enable MinIO’s persistent event store for undelivered messages. The MinIO process must have read, write, and list access on the specified directory.

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_QUEUE_DIR environment variable.

audit_webhook.queue_size

Optional

An integer value to use for the queue size for webhook targets. The default is 100000 events.

This configuration setting corresponds with the MINIO_AUDIT_WEBHOOK_QUEUE_SIZE environment variable.

Kafka Audit Log Target

audit_kafka

The top-level configuration key for defining a Kafka broker target for publishing MinIO audit logs.

Use mc admin config set to set or update a Kafka audit target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set audit_kafka \
   brokers="https://kafka-endpoint.example.net:9092" [ARGUMENTS=VALUE ...]

The audit_kafka configuration key accepts the following arguments:

audit_kafka brokers

Required

A comma-separated list of Kafka broker addresses:

brokers="https://kafka-1.example.net:9092,https://kafka-2.example.net:9092"

At least one broker must be online and reachable by the MinIO server to initialize and send audit log events. MinIO checks each specified broker in order of specification.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_BROKERS environment variable.

audit_kafka topic

Required

The name of the Kafka topic to associate to MinIO audit log events.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_TOPIC environment variable.

audit_kafka tls

Optional

Set to "on" to enable TLS connectivity to the specified Kafka brokers.

Defaults to "off".

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_TLS environment variable.

audit_kafka tls_skip_verify

Optional

Set to "on" to direct MinIO to skip verification of the Kafka broker TLS certificates.

You can use this option for enabling connectivity to Kafka brokers using TLS certificates signed by unknown parties, such as self-signed or corporate-internal Certificate Authorities (CA).

MinIO by default uses the system trust store and the contents of the MinIO CA directory for verifying remote client TLS certificates.

Defaults to "off" for strict verification of TLS certificates.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_TLS_SKIP_VERIFY environment variable.

audit_kafka tls_client_auth

Optional

Set to "on" to direct MinIO to use mTLS to authenticate against the Kafka brokers.

Requires specifying client_tls_cert and client_tls_key.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_TLS_CLIENT_AUTH environment variable.

audit_kafka client_tls_cert

Optional

The path to the TLS client certificate to use for mTLS authentication.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_CLIENT_TLS_CERT environment variable.

audit_kafka client_tls_key

Optional

The path to the TLS client private key to use for mTLS authentication.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_CLIENT_TLS_KEY environment variable.

audit_kafka sasl

Optional

Set to "on" to direct MinIO to use SASL to authenticate against the Kafka brokers.

Requires specifying sasl_username and sasl_password.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_SASL environment variable.

audit_kafka sasl_username

Optional

The SASL username MinIO uses for authentication against the Kafka brokers.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_SASL_USERNAME environment variable.

audit_kafka sasl_password

Optional

The SASL password MinIO uses for authentication against the Kafka brokers.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_SASL_PASSWORD environment variable.

audit_kafka sasl_mechanism

Optional

The SASL mechanism MinIO uses for authentication against the Kafka brokers.

Defaults to plain.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_SASL_MECHANISM environment variable.

Important

The PLAIN authentication mechanism sends credentials in plain text over the network. Use tls to enable TLS connectivity to the Kafka brokers and ensure secure transmission of SASL credentials.

audit_kafka version

Optional

The version of the Kafka broker MinIO expects at the specified endpoints.

MinIO returns an error if the Kakfa broker verison does not match those specified to this setting.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_VERSION environment variable.

audit_kafka comment

Optional

A comment to associate with the configuration.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_COMMENT environment variable.

audit_kafka queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Kafka service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_QUEUE_DIR environment variable.

audit_kafka queue_size

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_AUDIT_KAFKA_QUEUE_SIZE environment variable.

AMQP Service for Bucket Notifications

The following section documents settings for configuring an AMQP service as a target for Bucket Nofitications. See Publish Events to AMQP (RabbitMQ) for a tutorial on using these environment variables.

notify_amqp

The top-level configuration key for defining an AMQP service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an AMQP service endpoint. The url argument is required for each target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_amqp \
  url="amqp://user:password@endpoint:port" \
  [ARGUMENT="VALUE"] ... \

You can specify multiple AMQP service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct AMQP service endpoints as primary and secondary respectively:

mc admin config set notify_amqp:primary \
   url="user:password@amqp://endpoint:port" [ARGUMENT=VALUE ...]

mc admin config set notify_amqp:secondary \
   url="user:password@amqp://endpoint:port" [ARGUMENT=VALUE ...]

The notify_amqp configuration key supports the following arguments:

notify_amqp url

Required

Specify the AMQP server endpoint to which MinIO publishes bucket events. For example, amqp://myuser:mypassword@localhost:5672.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_URL environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_amqp exchange

Optional

Specify the name of the AMQP exchange to use.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_EXCHANGE environment variable.

notify_amqp exchange_type

Optional

Specify the type of the AMQP exchange.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_EXCHANGE_TYPE environment variable.

notify_amqp routing_key

Optional

Specify the routing key for publishing events.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_ROUTING_KEY environment variable.

notify_amqp mandatory

Optional

Specify off to ignore undelivered messages errors. Defaults to on.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_MANDATORY environment variable.

notify_amqp durable

Optional

Specify on to persist the message queue across broker restarts. Defaults to ‘off’.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_DURABLE environment variable.

notify_amqp no_wait

Optional

Specify on to enable non-blocking message delivery. Defaults to ‘off’.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_NO_WAIT environment variable.

notify_amqp internal

Optional

Specify on to use the exchange only if it is bound to other exchanges. See the RabbitMQ documentation on Exchange to Exchange Bindings for more information on AMQP exchange binding.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_INTERNAL environment variable.

notify_amqp auto_deleted

Optional

Specify on to automatically delete the message queue if there are no consumers. Defaults to off.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_AUTO_DELETED environment variable.

notify_amqp delivery_mode

Optional

Specify 1 for set the delivery mode to non-persistent queue.

Specify 2 to set the delivery mode to persistent queue.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_DELIVERY_MODE environment variable.

notify_amqp queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the AMQP service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_QUEUE_DIR environment variable.

notify_amqp queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_QUEUE_LIMIT environment variable.

notify_amqp comment

Optional

Specify a comment for the AMQP configuration.

This configuration setting corresponds with the MINIO_NOTIFY_AMQP_COMMENT environment variable.

MQTT Service for Bucket Notifications

The following section documents settings for configuring an MQTT server/broker as a publishing target for Bucket Nofitications. See Publish Events to MQTT for a tutorial on using these configuration settings.

notify_mqtt

The top-level configuration key for defining an MQTT server/broker endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an MQTT server/broker endpoint. The following arguments are required for each endpoint:

• broker

• topic

• username Optional if MQTT server/broker does not enforce authentication/authorization

• password Optional if MQTT server/broker does not enforce authentication/authorization

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_mqtt \
   broker="tcp://endpoint:port" \
   topic="minio/bucket-name/events/" \
   username="username" \
   password="password" \
   [ARGUMENT="VALUE"] ... \

You can specify multiple MQTT server/broker endpoints by appending [:name] to the top level key. For example, the following commands set two distinct MQTT service endpoints as primary and secondary respectively:

mc admin config set notify_mqtt:primary \
   broker="tcp://endpoint:port" \
   topic="minio/bucket-name/events/" \
   username="username" \
   password="password" \
   [ARGUMENT="VALUE"] ... \

mc admin config set notify_mqtt:secondary \
   broker="tcp://endpoint:port" \
   topic="minio/bucket-name/events/" \
   username="username" \
   password="password" \
   [ARGUMENT="VALUE"] ... \

The notify_mqtt configuration key supports the following arguments:

notify_mqtt broker

Required

Specify the MQTT server/broker endpoint. MinIO supports TCP, TLS, or Websocket connections to the server/broker URL. For example:

• tcp://mqtt.example.net:1883

• tls://mqtt.example.net:1883

• ws://mqtt.example.net:1883

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_BROKER environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_mqtt topic

Required

Specify the name of the MQTT topic to associate with events published by MinIO to the MQTT endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_TOPIC environment variable.

notify_mqtt username

Required if the MQTT server/broker enforces authentication/authorization

Specify the MQTT username with which MinIO authenticates to the MQTT server/broker.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_TOPIC environment variable.

notify_mqtt password

Required if the MQTT server/broker enforces authentication/authorization

Specify the password for the MQTT username with which MinIO authenticates to the MQTT server/broker.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_PASSWORD environment variable.

notify_mqtt qos

Optional

Specify the Quality of Service priority for the published events.

Defaults to 0.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_QOS environment variable.

notify_mqtt keep_alive_interval

Optional

Specify the keep-alive interval for the MQTT connections. MinIO supports the following units of time measurement:

• s - seconds, “60s”

• m - minutes, “60m”

• h - hours, “24h”

• d - days, “7d”

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_KEEP_ALIVE_INTERVAL environment variable.

notify_mqtt reconnect_interval

Optional

Specify the reconnect interval for the MQTT connections. MinIO supports the following units of time measurement:

• s - seconds, “60s”

• m - minutes, “60m”

• h - hours, “24h”

• d - days, “7d”

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_RECONNECT_INTERVAL environment variable.

notify_mqtt queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the MQTT server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_QUEUE_DIR environment variable.

notify_mqtt queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_QUEUE_LIMIT environment variable.

notify_mqtt comment

Optional

Specify a comment to associate with the MQTT configuration.

This configuration setting corresponds with the MINIO_NOTIFY_MQTT_COMMENT environment variable.

Elasticsearch Service for Bucket Notifications

The following section documents settings for configuring an Elasticsearch service as a target for Bucket Nofitications. See Publish Events to Elasticsearch for a tutorial on using these configuration settings.

notify_elasticsearch

The top-level configuration key for defining an Elasticsearch service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an Elasticsearch service endpoint. The following arguments are required for each target:

• url

• index

• format

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_elasticsearch \
  url="https://user:password@endpoint:port" \
  [ARGUMENT="VALUE"] ... \

You can specify multiple Elasticsearch service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct Elasticsearch service endpoints as primary and secondary respectively:

mc admin config set notify_elasticsearch:primary \
   url="user:password@https://endpoint:port" [ARGUMENT=VALUE ...]

mc admin config set notify_elasticsearch:secondary \
   url="user:password@https://endpoint:port" [ARGUMENT=VALUE ...]

The notify_elasticsearch configuration key supports the following arguments:

notify_elasticsearch url

Required

Specify the Elasticsearch service endpoint to which MinIO publishes bucket events. For example, https://elasticsearch.example.com:9200.

MinIO supports passing authentication information using as URL parameters using the format PROTOCOL://USERNAME:PASSWORD@HOSTNAME:PORT.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_URL environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_elasticsearch index

Required

Specify the name of the Elasticsearch index in which to store or update MinIO bucket events. Elasticsearch automatically creates the index if it does not exist.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_INDEX environment variable.

notify_elasticsearch format

Required

Specify the format of event data written to the Elasticsearch index. MinIO supports the following values:

namespace

For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing index entry for that object. Similarly, deleting the object also deletes the corresponding index entry.

access

For each bucket event, MinIO creates a JSON document with the event details and appends it to the index with an Elasticsearch-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_FORMAT environment variable.

notify_elasticsearch username

Optional

The username for connecting to an Elasticsearch service endpoint which enforces authentication.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_USERNAME environment variable.

notify_elasticsearch password

Optional

The password for connecting to an Elasticsearch service endpoint which enforces authentication.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_PASSWORD environment variable.

notify_elasticsearch queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Elasticsearch service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_QUEUE_DIR environment variable.

notify_elasticsearch queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_QUEUE_LIMIT environment variable.

notify_elasticsearch comment

Optional

Specify a comment to associate with the Elasticsearch configuration.

This configuration setting corresponds with the MINIO_NOTIFY_ELASTICSEARCH_COMMENT environment variable.

NSQ Service for Bucket Notifications

The following section documents settings for configuring an NSQ server/broker as a publishing target for Bucket Nofitications. See Publish Events to NSQ for a tutorial on using these configuration settings.

notify_nsq

The top-level configuration key for defining an NSQ server/broker endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an NSQ server/broker endpoint. The following arguments are required for each endpoint:

• nsqd_address

• topic

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_nsq \
   nsqd_address="ENDPOINT" \
   topic="<string>" \
   [ARGUMENT="VALUE"] ... \

You can specify multiple NSQ server/broker endpoints by appending [:name] to the top level key. For example, the following commands set two distinct NSQ service endpoints as primary and secondary respectively:

mc admin config set notify_nsq:primary \
   nsqd_address="ENDPOINT" \
   topic="<string>" \
   [ARGUMENT="VALUE"] ... \

mc admin config set notify_nsq:secondary \
   nsqd_address="ENDPOINT" \
   topic="<string>" \
   [ARGUMENT="VALUE"] ... \

The notify_nsq configuration key supports the following arguments:

notify_nsq nsqd_address

Required

Specify the NSQ server address. For example:

https://nsq-endpoing.example.net:4150

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_NSQD_ADDRESS environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_nsq topic

Required

Specify the name of the NSQ topic MinIO uses when publishing events to the broker.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_TOPIC environment variable.

notify_nsq tls

Optional

Specify on to enable TLS connectivity to the NSQ service broker.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_TLS environment variable.

notify_nsq tls_skip_verify

Optional

Enables or disables TLS verification of the NSQ service broker TLS certificates.

• Specify on to disable TLS verification (Default).

• Specify off to enable TLS verification.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_TLS_SKIP_VERIFY environment variable.

notify_nsq queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the NSQ server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_QUEUE_DIR environment variable.

notify_nsq queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_QUEUE_LIMIT environment variable.

notify_nsq comment

Optional

Specify a comment to associate with the NSQ configuration.

This configuration setting corresponds with the MINIO_NOTIFY_NSQ_COMMENT environment variable.

Redis Service for Bucket Notifications

The following section documents settings for configuring an Redis server/broker as a publishing target for Bucket Nofitications. See Publish Events to Redis for a tutorial on using these configuration settings.

notify_redis

The top-level configuration key for defining an Redis server/broker endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an Redis server/broker endpoint. The following arguments are required for each endpoint:

• address

• key

• format

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_redis \
   address="ENDPOINT" \
   key="<string>" \
   format="<string>" \
   [ARGUMENT="VALUE"] ... \

You can specify multiple Redis server/broker endpoints by appending [:name] to the top level key. For example, the following commands set two distinct Redis service endpoints as primary and secondary respectively:

mc admin config set notify_redis:primary \
   address="ENDPOINT" \
   key="<string>" \
   format="<string>" \
   [ARGUMENT="VALUE"] ... \

mc admin config set notify_redis:secondary \
   address="ENDPOINT" \
   key="<string>" \
   format="<string>" \
   [ARGUMENT="VALUE"] ... \

The notify_redis configuration key supports the following arguments:

notify_redis address

Required

Specify the Redis service endpoint to which MinIO publishes bucket events. For example, https://redis.example.com:6369.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_ADDRESS environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_redis key

Required

Specify the Redis key to use for storing and updating events. Redis auto-creates the key if it does not exist.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_KEY environment variable.

notify_redis format

Required

Specify the format of event data written to the Redis service endpoint. MinIO supports the following values:

namespace

For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing index entry for that object. Similarly, deleting the object also deletes the corresponding index entry.

access

For each bucket event, MinIO creates a JSON document with the event details and appends it to the key with a Redis-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_FORMAT environment variable.

notify_redis password

Optional

Specify the password for the Redis server.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_PASSWORD environment variable.

notify_redis queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Redis server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_QUEUE_DIR environment variable.

notify_redis queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_QUEUE_LIMIT environment variable.

notify_redis comment

Optional

Specify a comment to associate with the Redis configuration.

This configuration setting corresponds with the MINIO_NOTIFY_REDIS_COMMENT environment variable.

NATS Service for Bucket Notifications

The following section documents settings for configuring an NATS service as a target for Bucket Nofitications. See Publish Events to NATS for a tutorial on using these environment variables.

notify_nats

The top-level configuration key for defining an NATS service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an NATS service endpoint. The address and subject arguments are required for each target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_nats \
  address="htpps://nats-endpoint.example.com:4222" \
  subject="minioevents" \
  [ARGUMENT="VALUE"] ... \

You can specify multiple NATS service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct NATS service endpoints as primary and secondary respectively:

mc admin config set notify_nats:primary \
   address="htpps://nats-endpoint.example.com:4222" \
   subject="minioevents" \
   [ARGUMENT=VALUE ...]

mc admin config set notify_nats:secondary \
   address="htpps://nats-endpoint.example.com:4222" \
   subject="minioevents" \
   [ARGUMENT=VALUE ...]

The notify_nats configuration key supports the following arguments:

notify_nats address

Required

Specify the NATS service endpoint to which MinIO publishes bucket events. For example, https://nats-endpoint.example.com:4222.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_ADDRESS environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_nats subject

Required

Specify the subscription to which MinIO associates events published to the NATS endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_SUBJECT environment variable.

notify_nats username

Optional

Specify the username for connecting to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_USERNAME environment variable.

notify_nats password

Optional

Specify the passport for connecting to the NATS service endpoint.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_PASSWORD environment variable.

notify_nats token

Optional

Specify the token for connecting to the NATS service endpoint.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_TOKEN environment variable.

notify_natstls

Optional”

Specify on to enable TLS connectivity to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_TLS environment variable.

notify_nats tls_skip_verify

Optional

Enables or disables TLS verification of the NATS service endpoint TLS certificates.

• Specify on to disable TLS verification (Default).

• Specify off to enable TLS verification.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_TLS_SKIP_VERIFY environment variable.

notify_nats ping_interval

Optional

Specify the duration interval for client pings to the NATS server. MinIO supports the following time units:

• s - seconds, "60s"

• m - minutes, "5m"

• h - hours, "1h"

• d - days, "1d"

This configuration setting corresponds with the MINIO_NOTIFY_NATS_PING_INTERVAL environment variable.

notify_nats jetstream

Optional

Specify on to enable asynchronous publishing of events to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_JETSTREAM environment variable.

notify_nats streaming

Deprecated

Optional

Specify on to enable JetStream support for streaming events to a NATS JetStream service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_STREAMING environment variable.

notify_nats streaming_async

Deprecated

Optional

Specify on to enable asynchronous publishing of events to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_STREAMING_ASYNC environment variable.

notify_nats streaming_max_pub_acks_in_flight

Deprecated

Optional

Specify the number of messages to publish without waiting for an ACK response from the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_STREAMING_MAX_PUB_ACKS_IN_FLIGHT environment variable.

notify_nats streaming_cluster_id

Deprecated

Optional

Specify the unique ID for the NATS streaming cluster.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_STREAMING_CLUSTER_ID environment variable.

notify_nats cert_authority

Optional

Specify the path to the Certificate Authority chain used to sign the NATS service endpoint TLS certificates.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_CERT_AUTHORITY environment variable.

notify_nats client_cert

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_CLIENT_CERT environment variable.

notify_nats client_key

Optional

Specify the path to the client private key to use for performing mTLS authentication to the NATS service endpoint.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_CLIENT_KEY environment variable.

notify_nats queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the NATS server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_QUEUE_DIR environment variable.

notify_nats queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_QUEUE_LIMIT environment variable.

notify_nats comment

Optional

Specify a comment to associate with the NATS configuration.

This configuration setting corresponds with the MINIO_NOTIFY_NATS_COMMENT environment variable.

PostgreSQL Service for Bucket Notifications

The following section documents settings for configuring an PostgreSQL service as a target for Bucket Nofitications. See Publish Events to PostgreSQL for a tutorial on using these environment variables.

notify_postgres

The top-level configuration key for defining an PostgreSQL service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an PostgreSQL service endpoint. The following arguments are required for each target:

• connection_string

• table

• format

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_postgres \
  connection_string="host=postgresql.example.com port=5432..."
  table="minioevents" \
  format="namespace" \
  [ARGUMENT="VALUE"] ... \

You can specify multiple PostgreSQL service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct PostgreSQL service endpoints as primary and secondary respectively:

mc admin config set notify_postgres:primary \
   connection_string="host=postgresql.example.com port=5432..."
   table="minioevents" \
   format="namespace" \
   [ARGUMENT=VALUE ...]

mc admin config set notify_postgres:secondary \
   connection_string="host=postgresql.example.com port=5432..."
   table="minioevents" \
   format="namespace" \
   [ARGUMENT=VALUE ...]

The notify_postgres configuration key supports the following arguments:

notify_postgres connection_string

Required

Specify the URI connection string of the PostgreSQL service endpoint. MinIO supports key=value format for the PostgreSQL connection string. For example:

"host=https://postgresql.example.com port=5432 ..."

For more complete documentation on supported PostgreSQL connection string parameters, see the PostgreSQL COnnection Strings documentation .

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_CONNECTION_STRING environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_postgres table

Required

Specify the name of the PostgreSQL table to which MinIO publishes event notifications.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_TABLE environment variable.

notify_postgres format

Required

Specify the format of event data written to the PostgreSQL service endpoint. MinIO supports the following values:

namespace

For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing table entry for that object. Similarly, deleting the object also deletes the corresponding table entry.

access

For each bucket event, MinIO creates a JSON document with the event details and appends it to the table with a PostgreSQL-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_FORMAT environment variable.

notify_postgres max_open_connections

Optional

Specify the maximum number of open connections to the PostgreSQL database.

Defaults to 2.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_MAX_OPEN_CONNECTIONS environment variable.

notify_postgres queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the PostgreSQL server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_QUEUE_DIR environment variable.

notify_postgres queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_QUEUE_LIMIT environment variable.

notify_postgres comment

Optional

Specify a comment to associate with the PostgreSQL configuration.

This configuration setting corresponds with the MINIO_NOTIFY_POSTGRES_COMMENT environment variable.

MySQL Service for Bucket Notifications

The following section documents settings for configuring an MySQL service as a target for Bucket Nofitications. See Publish Events to MySQL for a tutorial on using these environment variables.

notify_mysql

The top-level configuration key for defining an MySQL service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an MySQL service endpoint. The following arguments are required for each target:

• dsn_string

• table

• format

Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_mysql \
  dsn_string="username:password@tcp(mysql.example.com:3306)/miniodb"
  table="minioevents" \
  format="namespace" \
  [ARGUMENT="VALUE"] ... \

You can specify multiple MySQL service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct MySQL service endpoints as primary and secondary respectively:

mc admin config set notify_mysql:primary \
   dsn_string="username:password@tcp(mysql.example.com:3306)/miniodb"
   table="minioevents" \
   format="namespace" \
   [ARGUMENT=VALUE ...]

mc admin config set notify_mysql:secondary \
   dsn_string="username:password@tcp(mysql.example.com:3306)/miniodb"
   table="minioevents" \
   format="namespace" \
   [ARGUMENT=VALUE ...]

The notify_mysql configuration key supports the following arguments:

notify_mysql dsn_string

Required

Specify the data source name (DSN) connection string for the MySQL service endpoint. MinIO expects the following format:

<user>:<password>@tcp(<host>:<port>)/<database>

For example:

"username:password@tcp(mysql.example.com:3306)/miniodb"

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_DSN_STRING environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_mysql table

Required

Specify the name of the MySQL table to which MinIO publishes event notifications.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_TABLE environment variable.

notify_mysql format

Required

Specify the format of event data written to the MySQL service endpoint. MinIO supports the following values:

namespace

For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing table entry for that object. Similarly, deleting the object also deletes the corresponding table entry.

access

For each bucket event, MinIO creates a JSON document with the event details and appends it to the table with a MySQL-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_FORMAT environment variable.

notify_mysql max_open_connections

Optional

Specify the maximum number of open connections to the MySQL database.

Defaults to 2.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_MAX_OPEN_CONNECTIONS environment variable.

notify_mysql queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the MySQL server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_QUEUE_DIR environment variable.

notify_mysql queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_QUEUE_LIMIT environment variable.

notify_mysql comment

Optional

Specify a comment to associate with the MySQL configuration.

This configuration setting corresponds with the MINIO_NOTIFY_MYSQL_COMMENT environment variable.

Kafka Service for Bucket Notifications

The following section documents settings for configuring an Kafka service as a target for Bucket Nofitications. See Publish Events to Kafka for a tutorial on using these environment variables.

notify_kafka

The top-level configuration key for defining an Kafka service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an Kafka service endpoint. The brokers argument is required for each target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_kafka \
  brokers="https://kafka1.example.net:9200, https://kafka2.example.net:9200"
  [ARGUMENT="VALUE"] ... \

You can specify multiple Kafka service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct Kafka service endpoints as primary and secondary respectively:

mc admin config set notify_kafka:primary \
   brokers="https://kafka1.example.net:9200, https://kafka2.example.net:9200"
   [ARGUMENT=VALUE ...]

mc admin config set notify_kafka:secondary \
   brokers="https://kafka1.example.net:9200, https://kafka2.example.net:9200"
   [ARGUMENT=VALUE ...]

The notify_kafka configuration key supports the following arguments:

notify_kafka brokers

Required

Specify a comma-separated list of Kafka broker addresses. For example:

"kafka1.example.com:2021,kafka2.example.com:2021"

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_BROKERS environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_kafka topic

Optional

Specify the name of the Kafka topic to which MinIO publishes bucket events.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_TOPIC environment variable.

notify_kafka sasl

Optional

Specify on to enable SASL authentication.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_SASL environment variable.

notify_kafka sasl_username

Optional

Specify the username for performing SASL/PLAIN or SASL/SCRAM authentication to the Kafka broker(s).

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_SASL_USERNAME environment variable.

notify_kafka sasl_password

Optional

Specify the password for performing SASL/PLAIN or SASL/SCRAM authentication to the Kafka broker(s).

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_SASL_PASSWORD environment variable.

notify_kafka sasl_mechanism

Optional

Specify the SASL mechanism to use for authenticating to the Kafka broker(s). MinIO supports the following mechanisms:

• PLAIN (Default)

• SHA256

• SHA512

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_SASL_MECHANISM environment variable.

notify_kafka tls_client_auth

Optional

Specify the client authentication type of the Kafka broker(s). The following table lists the supported values and their mappings

Value	Authentication Type
0	NoClientCert
1	RequestClientCert
2	RequireAnyClientCert
3	VerifyClientCertIfGiven
4	RequireAndVerifyClientCert

See ClientAuthType for more information on each client auth type. ..

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_TLS_CLIENT_AUTH environment variable.

notify_kafka tls

Optional

Specify on to enable TLS connectivity to the Kafka broker(s)

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_TLS environment variable.

notify_kafka tls_skip_verify

Optional

Enables or disables TLS verification of the NATS service endpoint TLS certificates.

• Specify on to disable TLS verification (Default).

• Specify off to enable TLS verification.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_TLS_SKIP_VERIFY environment variable.

notify_kafka client_tls_cert

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the Kafka broker(s).

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_CLIENT_TLS_CERT environment variable.

notify_kafka client_tls_key

Optional

Specify the path to the client private key to use for performing mTLS authentication to the Kafka broker(s).

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_CLIENT_TLS_KEY environment variable.

notify_kafka version

Optional

Specify the version of the Kafka cluster to assume when performing operations against that cluster. See the sarama reference documentation for more information on this field’s behavior.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_VERSION environment variable.

notify_kafka queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Kafka server/broker is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_QUEUE_DIR environment variable.

notify_kafka queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_QUEUE_LIMIT environment variable.

notify_kafka comment

Optional

Specify a comment to associate with the Kafka configuration.

This configuration setting corresponds with the MINIO_NOTIFY_KAFKA_COMMENT environment variable.

Webhook Service for Bucket Notifications

The following section documents settings for configuring an Webhook service as a target for Bucket Nofitications. See Publish Events to Webhook for a tutorial on using these environment variables.

notify_webhook

The top-level configuration key for defining an Webhook service endpoint for use with MinIO bucket notifications.

Use mc admin config set to set or update an Webhook service endpoint. The endpoint argument is required for each target. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set notify_webhook \
  endpoint="https://webhook.example.net"
  [ARGUMENT="VALUE"] ... \

You can specify multiple Webhook service endpoints by appending [:name] to the top level key. For example, the following commands set two distinct Webhook service endpoints as primary and secondary respectively:

mc admin config set notify_webhook:primary \
   endpoint="https://webhook1.example.net"
   [ARGUMENT=VALUE ...]

mc admin config set notify_webhook:secondary \
   endpoint="https://webhook2.example.net
   [ARGUMENT=VALUE ...]

The notify_webhook configuration key supports the following arguments:

notify_webhook endpoint

Required

Specify the URL for the webhook service.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_ENDPOINT environment variable.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

notify_webhook auth_token

Optional

An authentication token of the appropriate type for the endpoint. Omit for endpoints which do not require authentication.

To allow for a variety of token types, MinIO creates the request authentication header using the value exactly as specified. Depending on the endpoint, you may need to include additional information.

For example: for a Bearer token, prepend Bearer:

   mc admin config set myminio notify_webhook   \
      endpoint="https://webhook-1.example.net"  \
      auth_token="Bearer 1a2b3c4f5e"

Modify the value according to the endpoint requirements. A custom authentication format could resemble the following:

   mc admin config set myminio notify_webhook   \
      endpoint="https://webhook-1.example.net"  \
      auth_token="ServiceXYZ 1a2b3c4f5e"

Consult the documenation for the desired service for more details.

Changed in version RELEASE.2023-06-23T20-26-00Z.

MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_AUTH_TOKEN environment variable.

notify_webhook queue_dir

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_QUEUE_DIR environment variable.

notify_webhook queue_limit

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_QUEUE_LIMIT environment variable.

notify_webhook client_cert

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the webhook service.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_CLIENT_CERT environment variable.

notify_webhook client_key

Optional

Specify the path to the client private key to use for performing mTLS authentication to the webhook service.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_CLIENT_KEY environment variable.

notify_webhook comment

Optional

Specify a comment to associate with the Webhook configuration.

This configuration setting corresponds with the MINIO_NOTIFY_WEBHOOK_COMMENT environment variable.

Active Directory / LDAP Identity Management

The following section documents settings for enabling external identity management using an Active Directory or LDAP service.

identity_ldap

The top-level key for configuring external identity management using Active Directory or LDAP.

Use the mc admin config set command to set or update the AD/LDAP configuration. The following arguments are required:

• server_addr

• lookup_bind_dn

• lookup_bind_password

• user_dn_search_base_dn

• user_dn_search_filter

mc admin config set identity_ldap \
   enabled="true" \
   server_addr="ad-ldap.example.net/" \
   lookup_bind_dn="cn=miniolookupuser,dc=example,dc=net" \
   lookup_bind_dn_password="userpassword" \
   user_dn_search_base_dn="dc=example,dc=net" \
   user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"

The identity_ldap configuration key supports the following arguments:

identity_ldap server_addr

Required

Specify the hostname for the Active Directory / LDAP server. For example:

ldapserver.com:636

srv_record_name automatically identifies the port

If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value. SRV requests automatically include port numbers when returning the list of available servers.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_SERVER_ADDR environment variable.

identity_ldap lookup_bind_dn

Required

Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server.

The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN environment variable.

identity_ldap lookup_bind_password

Required

Specify the password for the Lookup-Bind user account.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD environment variable.

identity_ldap user_dn_search_base_dn

Required

Specify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client. For example:

cn=miniousers,dc=myldapserver,dc=net

Supports Lookup-Bind mode.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN environment variable.

identity_ldap user_dn_search_filter

Required

Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client.

Use the %s substitution character to insert the client-specified username into the search string. For example:

(userPrincipalName=%s)

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER environment variable.

identity_ldap enabled

Optional

Set to false to disable the AD/LDAP configuration.

If false, applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider.

Defaults to true or “enabled”.

identity_ldap group_search_filter

Optional

Specify an AD/LDAP search filter for performing group lookups for the authenticated user

Use the %s substitution character to insert the client-specified username into the search string. Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string.

For example:

(&(objectclass=groupOfNames)(memberUid=%s))

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER environment variable.

identity_ldap group_search_base_dn

Optional

Specify a comma-separated list of group search base Distinguished Names MinIO uses when performing group lookups.

For example:

cn=miniogroups,dc=myldapserver,dc=net"

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN environment variable.

identity_ldap tls_skip_verify

Optional

Specify on to trust the AD/LDAP server TLS certificates without verification. This option may be required if the AD/LDAP server TLS certificates are signed by an untrusted Certificate Authority (e.g. self-signed).

Defaults to off

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY environment variable.

identity_ldap server_insecure

Optional

Specify on to allow unsecured (non-TLS encrypted) connections to the AD/LDAP server.

MinIO sends AD/LDAP user credentials in plain text to the AD/LDAP server, such that enabling TLS is required to prevent reading credentials over the wire. Using this option presents a security risk where any user with access to network traffic can observe the unencrypted plaintext credentials.

Defaults to off.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_SERVER_INSECURE environment variable.

identity_ldap server_starttls

Optional

Specify on to enable StartTLS connections to AD/LDAP server.

Defaults to off

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_SERVER_STARTTLS environment variable.

identity_ldap srv_record_name

New in version RELEASE.2022-12-12T19-27-27Z.

Optional

Specify the appropriate value to enable MinIO to select an AD/LDAP server using a DNS SRV record request.

When enabled, MinIO selects an AD/LDAP server by:

• Constructing the target SRV record name following standard naming conventions.

• Requesting a list of available AD/LDAP servers.

• Choosing an appropriate target based on priority and weight.

The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.

For SRV record names beginning with _ldap, specify ldap. The constructed DNS SRV record name resembles the following:

_ldap._tcp.example.com

For SRV record names with beginning with _ldaps, specify ldaps. The constructed DNS SRV record name resembles the following:

_ldaps._tcp.example.com

If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address. Example: _ldapserver._specialtcp.example.com

For more about DNS SRV records, see DNS SRV Records for LDAP.

Server address for DNS SRV record configurations

The specified server name must not include a port number. This is different from a standard AD/LDAP configuration, where the port number is required.

See server_addr or MINIO_IDENTITY_LDAP_SERVER_ADDR for more about configuring an AD/LDAP server address.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_SRV_RECORD_NAME environment variable.

identity_ldap comment

Optional

Specify a comment to associate to the AD/LDAP configuration.

This configuration setting corresponds with the MINIO_IDENTITY_LDAP_COMMENT environment variable.

OpenID Identity Management

The following section documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these configuration settings.

identity_openid

The top-level configuration key for configuring external identity management using OpenID.

Use mc admin config set to set or update the OpenID configuration. The config_url argument is required. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set identity_openid \
  config_url="https://openid-provider.example.net/.well-known/openid-configuration"
  [ARGUMENT="VALUE"] ... \

The identity_openid configuration key supports the following arguments:

identity_openid config_url

Required

Specify the URL for the OIDC compatible provider discovery document.

The OIDC Discovery URL typically resembles the following:

https://openid-provider.example.net/.well-known/openid-configuration

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CONFIG_URL environment variable.

identity_openid enabled

Optional

Set to false to disable the OpenID configuration.

Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.

Defaults to true or “enabled”.

identity_openid client_id

Optional

Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CLIENT_ID environment variable.

identity_openid client_secret

Optional

Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CLIENT_SECRET environment variable.

identity_openid role_policy

Optional

Specify a comma-separated list of policy names to use for the request’s RoleARN for all authentication requests for the provider. The specified policy or policies must already exist on the MinIO Server.

To use this OIDC configuration, you must specify the corresponding RoleARN in the STS request body.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_ROLE_POLICY environment variable. This setting is mutually exclusive with the identity_openid claim_name configuration setting.

identity_openid claim_name

Optional

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.

The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.

Defaults to policy.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CLAIM_NAME environment variable. This setting is mutually exclusive with the identity_openid role_policy configuration setting.

identity_openid claim_prefix

Optional

Specify the JWT Claim namespace prefix to apply to the specified claim name.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CLAIM_PREFIX environment variable.

identity_openid display_name

Optional

Specify the user-facing name the MinIO Console displays on the login screen.

identity_openid scopes

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_SCOPES environment variable.

identity_openid redirect_uri

Optional

Important

This parameter was removed in https://github.com/minio/minio/releases/tag/RELEASE.2023-02-27T18-10-45Z. Use the MINIO_BROWSER_REDIRECT_URL environment variable instead.

The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:

http://minio.example.net:consoleport/oauth_callback

Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.

The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_REDIRECT_URI environment variable.

identity_openid redirect_uri_dynamic

Optional

The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.

Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC environment variable.

identity_openid claim_userinfo

Optional

Specify the OpenID User info API endpoint for the OIDC service. For example, https://oidc-endpoint:port/realms/REALM/protocol/openid-connect/userinfo

Some OIDC providers do not provide group information as part of the JWT response after authentication. Specify this URL to direct MinIO to make an additional API call to construct the complete JWT token.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_CLAIM_USERINFO environment variable.

identity_openid vendor

Optional

Specify the OIDC Vendor to enable specific supported behaviors for that vendor.

Supports the following value:

• keycloak

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_VENDOR environment variable.

identity_openid keycloak_realm

Optional

Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_KEYCLOAK_REALM environment variable.

Requires identity_openid.vendor set to keycloak.

identity_openid keycloak_admin_url

Optional

Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL environment variable.

Requires identity_openid.vendor set to keycloak.

identity_openid comment

Specify a comment to associate with the OIDC compatible provider configuration.

This configuration setting corresponds with the MINIO_IDENTITY_OPENID_COMMENT environment variable.

Identity Management Plugin

The following section documents settings for enabling external identity management using the MinIO Identity Management Plugin. See MinIO External Identity Management Plugin for a tutorial on using these configuration settings.

identity_plugin

The top-level configuration key for enabling MinIO External Identity Management Plugin.

Use mc admin config set to set or update the configuration. The url and role_policy arguments are required. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set identity_plugin \
  url="https://external-auth.example.net:8080/auth" \
  role_policy="consoleAdmin" \
  [ARGUMENT=VALUE] ... \

The identity_plugin configuration key supports the following arguments:

identity_plugin url

Required

The webhook endpoint for the external identity management service (https://authservice.example.net:8080/auth).

identity_plugin role_policy

Required

Specify a comma separated list of MinIO policies to assign to authenticated users.

identity_plugin enabled

Optional

Set to false to disable the identity provider configuration.

Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.

Defaults to true or “enabled”.

identity_plugin token

Optional

An authentication token to present to the configured webhook endpoint.

Specify a supported HTTP Authentication scheme as a string value, such as "Bearer TOKEN". MinIO sends the token using the HTTP Authorization header.

identity_plugin role_id

Optional

Specify a unique ID MinIO uses to generate an ARN for this identity manager.

If omitted, MinIO automatically generates the ID and prints the full ARN to the server log.

identity_plugin comment

Optional

Specify a comment to associate to the identity configuration.

Data Compression

The following section documents settings for enabling data compression for objects. See Data Compression for tutorials on using these configuration settings.

compression

The top-level configuration key for enabling Data Compression.

Use mc admin config set to set or update the configuration. Specify optional arguments as a whitespace (" ")-delimited list.

mc admin config set compression           \
                    [ARGUMENT=VALUE] ...  \

Enabling data compression compresses the following types of data by default:

File Extensions	Media (MIME) Types
.txt .log .csv .json .tar .xml .bin	text/* application/json application/xml binary/octet-stream

The compression configuration key supports the following arguments:

compression allow_encryption

Optional

Set to on to encrypt objects after compressing them. Defaults to off.

Encrypting compressed objects may compromise security

MinIO strongly recommends against encrypting compressed objects. If you require encryption, carefully evaluate the risk of potentially leaking information about the contents of encrypted objects.

This configuration setting corresponds with the MINIO_COMPRESSION_ALLOW_ENCRYPTION environment variable.

compression comment

Optional

Specify a comment to associate with the data compression configuration.

compression enable

Optional

Set to on to enable data compression for new objects. Defaults to off.

Enabling or disabling data compression does not change existing objects.

This configuration setting corresponds with the MINIO_COMPRESSION_ENABLE environment variable.

compression extensions

Optional

Comma-separated list of the file extensions to compress. Setting a new list of file extensions replaces the previously configured list. Defaults to ".txt, .log, .csv, .json, .tar, .xml, .bin".

Default excluded files

Some types of files cannot be significantly reduced in size. MinIO will not compress these, even if specified in an extensions argument. See Excluded types for details.

This configuration setting corresponds with the MINIO_COMPRESSION_EXTENSIONS environment variable.

compression mime_types

Optional

Comma-separated list of the MIME types to compress. Setting a new list of types replaces the previously configured list. Defaults to "text/*, application/json, application/xml, binary/octet-stream".

Default excluded files

Some types of files cannot be significantly reduced in size. MinIO will not compress these, even if specified in an mime_types argument. See Excluded types for details.

This configuration setting corresponds with the MINIO_COMPRESSION_MIME_TYPES environment variable.