Documentation

Documentation

mc admin user svcacct

Table of Contents

Description

The mc admin user svcacct command creates and manages Access Keys on a MinIO deployment.

Each access keys is linked to a user identity and inherits the policies attached to it’s parent user or those groups in which the parent user has membership. Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user.

mc admin user svcacct only supports creating access keys for MinIO-managed and Active Directory/LDAP-managed accounts.

To create access keys for OpenID Connect-managed users, log into the MinIO Console and generate the access keys through the UI.

Use mc admin on MinIO Deployments Only

MinIO does not support using mc admin commands with other S3-compatible services, regardless of their claimed compatibility with MinIO deployments.

The mc admin user svcacct command has the following subcommands:

Subcommand

Description

mc admin user svcacct add

Adds a new access keys to an existing MinIO or AD/LDAP user

mc admin user svcacct list

Lists the existing access keys associated to a MinIO or AD/LDAP user.

mc admin user svcacct remove

Removes a access keys from a MinIO or AD/LDAP user.

mc admin user svcacct info

Returns detailed information on a access keys.

mc admin user svcacct edit

Modifies the secret key or inline policy associated with a access keys.

mc admin user svcacct enable

Enables a access keys.

mc admin user svcacct disable

Disables a access keys.

Syntax

mc admin user svcacct add

Adds a new access keys associated to the specified user.

The following command creates a new access keys associated to an existing MinIO user:

mc admin user svcacct add                       \
   --access-key "myuserserviceaccount"          \
   --secret-key "myuserserviceaccountpassword"  \
   --policy "/path/to/policy.json"              \
   myminio myuser

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct add     \
                            [--access-key]  \
                            [--secret-key]  \
                            [--policy]      \
                            [--commment]    \
                            ALIAS           \
                            USER
ALIAS
Required

The alias of the MinIO deployment.

USER
Required

The name of the user to which MinIO adds the new access keys.

--access-key
Optional

The access key to associate with the new access keys. Omit to direct MinIO to autogenerate the access key for the new access keys.

Access Key names must be unique across all users.

--secret-key
Optional

The secret key to associate with the new access keys. Omit to direct MinIO to autogenerate the secret key for the new access keys.

--policy
Optional

The path to a policy document to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user’s policies.

--comment
Optional

New in version RELEASE.2023-01-28T20-29-38Z.

Add a note to the service account. For example, you might specify the reason the service account exists.

mc admin user svcacct list, ls

Lists all access keys associated to the specified user.

The following command lists all access keys associated to an existing MinIO user:

mc admin user svcacct list myminio myuser

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct list  \
                            ALIAS         \
                            USER
ALIAS
Required

The alias of the MinIO deployment.

USER
Required

The name of the user to which MinIO adds the new access keys.

mc admin user svcacct remove, rm

Removes a access keys associated to the specified user. Applications can no longer authenticate using that access keys after removal.

The following command removes the specified access keys:

mc admin user svcacct remove myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct remove   \
                            ALIAS            \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the access keys to remove.

mc admin user svcacct info

Returns a description of a access keys associated to the specified user. The description includes the parent user of the specified access keys, its status, and whether the access keys has an assigned inline policy.

The following command returns detailed information on the specified access keys:

mc admin user svcacct info --policy myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct info    \
                            [--policy]      \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the access keys to remove.

--policy
Optional

Returns the policy attached to the access keys in JSON format. The output is null if the access keys has no attached policy.

mc admin user svcacct edit, set

Modifies the configuration of a access keys associated to the specified user.

The following command modifies the specified access keys:

mc admin user svcacct edit                                             \
                      --secret-key "myuserserviceaccountnewsecretkey"  \
                      --policy "/path/to/new/policy.json"              \
                      myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct edit    \
                            [--secret-key]  \
                            [--policy]      \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the access keys to modify.

--secret-key
Optional

The secret key to associate with the new access keys. Overwrites the previous secret key. Applications using the access keys must update to use the new credentials to continue performing operations.

--policy
Optional

The path to a policy document to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user’s policies.

The new policy overwrites any previously attached policy.

mc admin user svcacct enable

Enables a access keys for the specified user. Applications can only authenticate using enabled access keys.

The following command enables the specified access keys:

mc admin user svcacct enable myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct enable  \
                            ALIAS           \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the access keys to enable.

mc admin user svcacct disable

Disables a access keys for the specified user. Applications can only authenticate using enabled access keys.

The following command disables the specified access keys:

mc admin user svcacct disable myminio myuserserviceaccount

The command has the following syntax:

mc [GLOBALFLAGS] admin user svcacct disable  \
                            ALIAS            \
                            SERVICEACCOUNT
ALIAS
Required

The alias of the MinIO deployment.

SERVICEACCOUNT
Required

The access key for the access keys to disable.

Global Flags

This command supports any of the global flags.