Add README.md to minio and json policies

2026-03-15 10:52:49 +02:00 · 2026-03-15 10:52:49 +02:00 · 08bb832edd
commit 08bb832edd
parent 6c49bb5be2
3 changed files with 237 additions and 0 deletions
--- a/manifests/minio-bitnami/README.md
+++ b/manifests/minio-bitnami/README.md
@ -0,0 +1,199 @@
+# MinIO Bitnami Configuration
+
+This directory contains configuration and policies for MinIO deployed using the Bitnami Helm chart.
+
+## Files
+
+- `values.yaml` - Helm chart values for MinIO deployment
+- `monitoring.yaml` - Monitoring configuration
+- `minio-admins.json` - Full admin access policy
+- `minio-users.json` - Standard user access policy
+
+## Creating New Policies
+
+MinIO uses IAM-style policies (similar to AWS S3) to control access to buckets and objects.
+
+### 1. Create Policy JSON File
+
+Create a new JSON file with your policy definition:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-bucket/*",
+        "arn:aws:s3:::my-bucket"
+      ]
+    }
+  ]
+}
+```
+
+**Common Actions**:
+- `s3:*` - All actions (full access)
+- `s3:GetObject` - Read objects
+- `s3:PutObject` - Write/upload objects
+- `s3:DeleteObject` - Delete objects
+- `s3:ListBucket` - List bucket contents
+- `s3:GetBucketLocation` - Get bucket location
+- `s3:ListAllMyBuckets` - List all buckets
+
+**Resource Patterns**:
+- `arn:aws:s3:::*` - All buckets and objects
+- `arn:aws:s3:::my-bucket` - Specific bucket
+- `arn:aws:s3:::my-bucket/*` - All objects in a bucket
+- `arn:aws:s3:::my-bucket/prefix/*` - Objects with prefix
+
+### 2. Apply Policy Using MinIO Client (mc)
+
+```bash
+# Configure mc alias (one-time setup)
+mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY
+
+# Create the policy
+mc admin policy create myminio policy-name path/to/policy.json
+
+# List all policies
+mc admin policy list myminio
+
+# View policy details
+mc admin policy info myminio policy-name
+
+# Remove a policy
+mc admin policy remove myminio policy-name
+```
+
+### 3. Assign Policy to Users or Groups
+
+```bash
+# Assign policy to a user
+mc admin policy attach myminio policy-name --user username
+
+# Assign policy to a group
+mc admin policy attach myminio policy-name --group groupname
+
+# List user policies
+mc admin user info myminio username
+```
+
+## Example Policies
+
+### Read-Only Access to Specific Bucket
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-bucket",
+        "arn:aws:s3:::my-bucket/*"
+      ]
+    }
+  ]
+}
+```
+
+### Read-Write Access to Specific Prefix
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-bucket/uploads/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-bucket"
+      ],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": ["uploads/*"]
+        }
+      }
+    }
+  ]
+}
+```
+
+### Multiple Buckets with Different Permissions
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::public-bucket",
+        "arn:aws:s3:::public-bucket/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::private-bucket",
+        "arn:aws:s3:::private-bucket/*"
+      ]
+    }
+  ]
+}
+```
+
+## Tips
+
+- Always test policies with a test user before applying to production
+- Use `mc admin policy info` to verify policy is correctly formatted
+- Policies are applied immediately - no restart required
+- Users can have multiple policies attached
+- More specific policies take precedence over general ones
+- Use groups to manage policies for multiple users efficiently
+
+## Troubleshooting
+
+**Policy not taking effect:**
+- Verify user/group has policy attached: `mc admin user info myminio username`
+- Check MinIO server logs for policy evaluation errors
+- Ensure bucket/prefix names match exactly (case-sensitive)
+
+**Access denied errors:**
+- Verify resource ARN matches the bucket/object pattern
+- Check if actions include the operation being performed
+- Ensure both bucket-level and object-level permissions are set
+
+## References
+
+- [MinIO IAM Documentation](https://min.io/docs/minio/linux/administration/identity-access-management.html)
+- [AWS S3 IAM Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html)
--- a/manifests/minio-bitnami/minio-admins.json
+++ b/manifests/minio-bitnami/minio-admins.json
@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::*"
+      ]
+    }
+  ]
+}
--- a/manifests/minio-bitnami/minio-users.json
+++ b/manifests/minio-bitnami/minio-users.json
@ -0,0 +1,24 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetBucketLocation",
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::*/*"
+      ]
+    }
+  ]
+}