diff --git a/manifests/minio-bitnami/README.md b/manifests/minio-bitnami/README.md new file mode 100644 index 0000000..2837c92 --- /dev/null +++ b/manifests/minio-bitnami/README.md 
@@ -0,0 +1,199 @@ +# MinIO Bitnami Configuration + +This directory contains configuration and policies for MinIO deployed using the Bitnami Helm chart. + +## Files + +- `values.yaml` - Helm chart values for MinIO deployment +- `monitoring.yaml` - Monitoring configuration +- `minio-admins.json` - Full admin access policy +- `minio-users.json` - Standard user access policy + +## Creating New Policies + +MinIO uses IAM-style policies (similar to AWS S3) to control access to buckets and objects. + +### 1. Create Policy JSON File + +Create a new JSON file with your policy definition: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::my-bucket/*", + "arn:aws:s3:::my-bucket" + ] + } + ] +} +``` + +**Common Actions**: +- `s3:*` - All actions (full access) +- `s3:GetObject` - Read objects +- `s3:PutObject` - Write/upload objects +- `s3:DeleteObject` - Delete objects +- `s3:ListBucket` - List bucket contents +- `s3:GetBucketLocation` - Get bucket location +- `s3:ListAllMyBuckets` - List all buckets + +**Resource Patterns**: +- `arn:aws:s3:::*` - All buckets and objects +- `arn:aws:s3:::my-bucket` - Specific bucket +- `arn:aws:s3:::my-bucket/*` - All objects in a bucket +- `arn:aws:s3:::my-bucket/prefix/*` - Objects with prefix + +### 2. Apply Policy Using MinIO Client (mc) + +```bash +# Configure mc alias (one-time setup) +mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY + +# Create the policy +mc admin policy create myminio policy-name path/to/policy.json + +# List all policies +mc admin policy list myminio + +# View policy details +mc admin policy info myminio policy-name + +# Remove a policy +mc admin policy remove myminio policy-name +``` + +### 3. 
Assign Policy to Users or Groups + +```bash +# Assign policy to a user +mc admin policy attach myminio policy-name --user username + +# Assign policy to a group +mc admin policy attach myminio policy-name --group groupname + +# List user policies +mc admin user info myminio username +``` + +## Example Policies + +### Read-Only Access to Specific Bucket + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::my-bucket", + "arn:aws:s3:::my-bucket/*" + ] + } + ] +} +``` + +### Read-Write Access to Specific Prefix + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ], + "Resource": [ + "arn:aws:s3:::my-bucket/uploads/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::my-bucket" + ], + "Condition": { + "StringLike": { + "s3:prefix": ["uploads/*"] + } + } + } + ] +} +``` + +### Multiple Buckets with Different Permissions + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::public-bucket", + "arn:aws:s3:::public-bucket/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::private-bucket", + "arn:aws:s3:::private-bucket/*" + ] + } + ] +} +``` + +## Tips + +- Always test policies with a test user before applying to production +- Use `mc admin policy info` to verify policy is correctly formatted +- Policies are applied immediately - no restart required +- Users can have multiple policies attached +- More specific policies take precedence over general ones +- Use groups to manage policies for multiple users efficiently + +## Troubleshooting + +**Policy not taking effect:** +- Verify user/group has policy attached: `mc admin user info myminio username` 
+- Check MinIO server logs for policy evaluation errors +- Ensure bucket/prefix names match exactly (case-sensitive) + +**Access denied errors:** +- Verify resource ARN matches the bucket/object pattern +- Check if actions include the operation being performed +- Ensure both bucket-level and object-level permissions are set + +## References + +- [MinIO IAM Documentation](https://min.io/docs/minio/linux/administration/identity-access-management.html) +- [AWS S3 IAM Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html) diff --git a/manifests/minio-bitnami/minio-admins.json b/manifests/minio-bitnami/minio-admins.json new file mode 100644 index 0000000..2a6f7c4 --- /dev/null +++ b/manifests/minio-bitnami/minio-admins.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "s3:*" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::*" + ] + } + ] +} diff --git a/manifests/minio-bitnami/minio-users.json b/manifests/minio-bitnami/minio-users.json new file mode 100644 index 0000000..72a4739 --- /dev/null +++ b/manifests/minio-bitnami/minio-users.json @@ -0,0 +1,24 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "s3:GetBucketLocation", + "s3:ListBucket" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::*" + ] + }, + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::*/*" + ] + } + ] +}
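Review bot: the Tips bullet "More specific policies take precedence over general ones" in README.md describes an evaluation order MinIO does not implement: when several policies are attached to a user or group, MinIO evaluates their union, and an explicit `Deny` in any statement overrides an `Allow` regardless of how specific the resource pattern is. Suggest replacing that bullet with "Attached policies are combined; an explicit Deny overrides any Allow". Also in this hunk, `mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY` puts the secret key on the command line, where it lands in shell history; worth noting that running `mc alias set myminio https://minio.example.com` without the credentials makes `mc` prompt for them instead.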
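Review bot: the file name `minio-admins.json` and the README's description "Full admin access policy" overstate what this hunk grants: `s3:*` on `arn:aws:s3:::*` is unrestricted data-plane access to every bucket and object, but the policy contains no `admin:*` actions, so a user holding only this policy cannot manage users, groups or policies. Either rename the file to reflect its actual scope (for example `minio-s3-full-access.json`) and adjust the README line, or, if administrative rights are intended, add them explicitly and document that decision, since this file is the only place the scope is recorded.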
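Review bot: `minio-users.json` grants `s3:ListBucket` and `s3:GetBucketLocation` on `arn:aws:s3:::*` and `s3:GetObject` on `arn:aws:s3:::*/*`, which is read access to every object in every current and future bucket; that sits oddly next to the README's own `private-bucket` example and the "Standard user access policy" description. Suggest scoping the resources to the buckets standard users actually need (the README already shows the `arn:aws:s3:::my-bucket` / `arn:aws:s3:::my-bucket/*` pattern), or stating in the README that this policy is deliberately global so the next reader does not assume it was an oversight. Minor: both statements list `Action` before `Effect` while every README example lists `Effect` first; harmless JSON, but consistent key ordering makes the files easier to diff.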