mc admin policy
Description
The mc admin policy command manages policies for use with MinIO Policy-Based Access Control (PBAC). MinIO PBAC uses IAM-compatible policy JSON documents to define rules for accessing resources on a MinIO server.
For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see Access Management.
Examples
Create a Policy
The following example uses the default myminio alias. The myminio alias points to a local minio server running on port 9000. See <installation instructions> for more information on installing and running a local minio server instance.
See mc alias for more information on aliases.
Consider the following JSON policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
The following mc admin policy add command creates a new policy listbucketsonly on the myminio MinIO deployment using the example JSON policy document:
mc admin policy add myminio listbucketsonly /path/to/listbucketsonly.json
You can associate the new listbucketsonly policy to users or groups on the myminio deployment using the mc admin policy set command.
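The Syntax section notes that giving mc admin policy add the name of an existing policy overwrites that policy. The wrapper below is an added example, not part of the MinIO documentation: it refuses to add over an existing name unless told to, and saves the current document first. It assumes the one-name-per-line list output shown on this page; the function names and BACKUP_DIR are hypothetical.

```shell
#!/bin/sh
# Added example: stop `mc admin policy add` from silently replacing a policy.
# Assumes `mc admin policy list TARGET` prints one policy name per line, as in
# the sample output on this page. Function names and BACKUP_DIR are hypothetical.

# policy_exists TARGET NAME -> 0 if present, 1 if absent, 2 if listing failed.
policy_exists() {
    list=$(mc admin policy list "$1") || return 2
    printf '%s\n' "$list" | awk -v want="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }     # tolerate padded output
        ($0 "") == (want "") { found = 1 }  # exact string match, never a prefix
        END { exit !found }'
}

# safe_policy_add TARGET NAME PATH [--replace]
# Returns 0 on success, 3 if NAME exists and --replace was not given,
# 2 on an input, listing or backup error.
safe_policy_add() {
    target=$1 name=$2 path=$3 mode=${4:-}
    if [ ! -r "$path" ] || [ ! -s "$path" ]; then
        echo "unreadable or empty policy file: $path" >&2
        return 2
    fi

    rc=0
    policy_exists "$target" "$name" || rc=$?
    case $rc in
        0)  if [ "$mode" != "--replace" ]; then
                echo "policy '$name' exists on '$target'; pass --replace to overwrite" >&2
                return 3
            fi
            # Keep the current document so the change can be reviewed or rolled back.
            backup="${BACKUP_DIR:-.}/$name.$(date +%Y%m%dT%H%M%S).json"
            mc admin policy info "$target" "$name" > "$backup" || return 2
            echo "saved previous policy to $backup" >&2 ;;
        1)  ;;   # new name, nothing to overwrite
        *)  echo "could not list policies on '$target'; not adding" >&2
            return 2 ;;
    esac

    mc admin policy add "$target" "$name" "$path"
}
```

A failed listing is treated as an error rather than as "policy absent", so an unreachable deployment never leads to a blind overwrite.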
List Available Policies
The following mc admin policy list command lists the available policies on the myminio MinIO deployment:
mc admin policy list myminio
The command returns output that resembles the following:
readwrite
writeonly
To retrieve information on a specific policy, use the mc admin policy info command:
mc admin policy info myminio writeonly
The command returns output that resembles the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
Remove a Policy
The following mc admin policy remove command removes a policy on the myminio MinIO deployment:
mc admin policy remove myminio listbucketsonly
Apply a Policy to a User or Group
Use the mc admin user list command to return a list of users on the target MinIO deployment.
Use the mc admin group list command to return a list of groups on the target MinIO deployment.
The following mc admin policy set command associates the listbucketsonly policy to a user on the myminio MinIO deployment. Replace <USER> with the name of a user that exists on the deployment.
mc admin policy set myminio listbucketsonly user=<USER>
The following mc admin policy set command associates the listbucketsonly policy to a group on the myminio MinIO deployment. Replace <GROUP> with the name of a group that exists on the deployment.
mc admin policy set myminio listbucketsonly group=<GROUP>
Syntax
- mc admin policy add
  Creates a new policy on the target MinIO deployment. The command has the following syntax:
  mc admin policy add TARGET POLICYNAME POLICYPATH
  The mc admin policy add command accepts the following arguments:
  - TARGET
    The alias of a configured MinIO deployment on which to add the new policy.
  - POLICYNAME
    The name of the policy to add.
    Specifying the name of an existing policy overwrites that policy on the TARGET MinIO deployment.
  - POLICYPATH
    The file path to the policy to add. The file must be a JSON-formatted file with IAM-compatible syntax.
- mc admin policy list
  Lists all policies on the target MinIO deployment. The command has the following syntax:
  mc admin policy list TARGET
  For example, the following command lists all policies on the myminio MinIO deployment:
  mc admin policy list myminio
  The mc admin policy list command accepts the following arguments:
  - TARGET
    The alias of a configured MinIO deployment from which the command lists the available policies.
- mc admin policy info
  Returns the specified policy in JSON format if it exists on the target MinIO deployment. The command has the following syntax:
  mc admin policy info TARGET POLICYNAME
  mc admin policy info accepts the following arguments:
  - TARGET
    The alias of a configured MinIO deployment from which the command returns information on the specified policy.
- mc admin policy set
  Applies an existing policy to a user or group on the target MinIO deployment. mc admin policy set overwrites the existing policy associated to the user or group.
  The command has the following syntax:
  mc admin policy set TARGET POLICYNAME[,POLICYNAME,...] [ user=USERNAME | group=GROUPNAME ]
  The command accepts the following arguments:
  - TARGET
    The alias of a configured MinIO deployment on which the command associates the POLICYNAME to the --user or --group.
  - POLICYNAME
    The name of the policy which the command associates to the specified --user or --group. Specify multiple policies as a comma-separated list.
    MinIO deployments include the following built-in policies by default:
  - --user
    The name of the user to which the command associates the POLICYNAME.
    Mutually exclusive with --group.
  - --group
    The name of the group to which the command associates the POLICYNAME. All users with membership in the group inherit the policies associated to the group.
    Mutually exclusive with --user.
- mc admin policy remove
  This command removes an existing policy from the target MinIO deployment. The command has the following syntax:
  mc admin policy remove TARGET POLICYNAME
  The command accepts the following arguments:
  - TARGET
    The alias of a configured MinIO deployment on which the command removes the POLICYNAME.
  - POLICYNAME
    The name of the policy which the command removes from the TARGET deployment.