MinIO Identity Management

MinIO includes a built-in IDentity Provider (IDP) that provides core identity management functionality. The MinIO IDP supports creating an arbitrary number of long-lived users on the deployment to support client authentication.

Each user consists of a unique access key (username) and corresponding secret key (password). Clients must authenticate their identity by specifying both a valid access key (username) and the corresponding secret key (password) of an existing MinIO user.

Administrators use the mc admin user command to create and manage MinIO users. The MinIO Console provides a graphical interface for creating users.

MinIO also supports creating access keys. Access keys are child identities of an authenticated parent user and inherit their permissions from the parent.

MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. You must either explicitly assign a policy describing the user’s authorized actions and resources or assign the user to groups which have associated policies. See Access Management for more information.
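The following added example (not MinIO code, and not MinIO's policy engine) is a simplified model of the rules described above: deny by default, policies taken from the user and from the user's groups, and access keys inheriting from their parent user. All user, group, policy, bucket and key names are constructed; the explicit Deny handling follows IAM-style policy semantics and goes beyond what the text above states.

```python
from fnmatch import fnmatchcase

# Constructed sample data: every name below is hypothetical.
POLICIES = {
    "reports-read": [{"Effect": "Allow",
                      "Action": ["s3:GetObject", "s3:ListBucket"],
                      "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}],
    "ingest-write": [{"Effect": "Allow",
                      "Action": ["s3:PutObject"],
                      "Resource": ["arn:aws:s3:::ingest/*"]}],
    "protect-archive": [{"Effect": "Deny",
                         "Action": ["s3:*"],
                         "Resource": ["arn:aws:s3:::reports/archive/*"]}],
}
USER_POLICIES = {"alice": ["reports-read"], "bob": []}      # bob has no policy
GROUP_POLICIES = {"pipeline": ["ingest-write", "protect-archive"]}
GROUP_MEMBERS = {"pipeline": {"alice"}}
ACCESS_KEY_PARENT = {"AKEXAMPLEALICE01": "alice", "AKEXAMPLEBOB01": "bob"}


def effective_policies(identity):
    """Policy names that apply: assigned to the user plus inherited from groups."""
    # An access key resolves to its parent user and inherits that user's policies.
    user = ACCESS_KEY_PARENT.get(identity, identity)
    names = set(USER_POLICIES.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            names.update(GROUP_POLICIES.get(group, []))
    return names


def is_allowed(identity, action, resource):
    """True only if some statement allows the request and none denies it."""
    allowed = False                      # deny by default
    for name in effective_policies(identity):
        for stmt in POLICIES[name]:
            if not any(fnmatchcase(action, a) for a in stmt["Action"]):
                continue
            if not any(fnmatchcase(resource, r) for r in stmt["Resource"]):
                continue
            if stmt["Effect"] == "Deny":
                return False             # explicit deny overrides any allow
            allowed = True
    return allowed
```

A user with no assigned or inherited policy (bob here) is refused every request, and so is any access key created under that user.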

External Identity Management

MinIO supports external management of identities using either an OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP). For more information, see:

AD/LDAP and OIDC configurations are mutually exclusive. Furthermore, enabling AD/LDAP external identity management disables the MinIO internal IDP, with the exception of creating access keys. You can configure multiple OIDC providers while maintaining MinIO-managed users.