# MinIO Bitnami Configuration

This directory contains configuration and policies for MinIO deployed using the Bitnami Helm chart.

## Files

- `values.yaml` - Helm chart values for MinIO deployment
- `monitoring.yaml` - Monitoring configuration
- `minio-admins.json` - Full admin access policy
- `minio-users.json` - Standard user access policy

## Creating New Policies

MinIO uses IAM-style policies (similar to AWS S3) to control access to buckets and objects.

### 1. Create Policy JSON File

Create a new JSON file with your policy definition:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*",
        "arn:aws:s3:::my-bucket"
      ]
    }
  ]
}
```

**Common Actions**:

- `s3:*` - All actions (full access)
- `s3:GetObject` - Read objects
- `s3:PutObject` - Write/upload objects
- `s3:DeleteObject` - Delete objects
- `s3:ListBucket` - List bucket contents
- `s3:GetBucketLocation` - Get bucket location
- `s3:ListAllMyBuckets` - List all buckets

**Resource Patterns**:

- `arn:aws:s3:::*` - All buckets and objects
- `arn:aws:s3:::my-bucket` - Specific bucket
- `arn:aws:s3:::my-bucket/*` - All objects in a bucket
- `arn:aws:s3:::my-bucket/prefix/*` - Objects with prefix

### 2. Apply Policy Using MinIO Client (mc)

```bash
# Configure mc alias (one-time setup)
mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY

# Create the policy
mc admin policy create myminio policy-name path/to/policy.json

# List all policies
mc admin policy list myminio

# View policy details
mc admin policy info myminio policy-name

# Remove a policy
mc admin policy remove myminio policy-name
```

### 3. Assign Policy to Users or Groups

```bash
# Assign policy to a user
mc admin policy attach myminio policy-name --user username

# Assign policy to a group
mc admin policy attach myminio policy-name --group groupname

# List user policies
mc admin user info myminio username
```

## Example Policies

### Read-Only Access to Specific Bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```

### Read-Write Access to Specific Prefix

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/uploads/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/*"]
        }
      }
    }
  ]
}
```

### Multiple Buckets with Different Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::public-bucket",
        "arn:aws:s3:::public-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::private-bucket",
        "arn:aws:s3:::private-bucket/*"
      ]
    }
  ]
}
```

## Tips

- Always test policies with a test user before applying to production
- Use `mc admin policy info` to verify policy is correctly formatted
- Policies are applied immediately - no restart required
- Users can have multiple policies attached
- More specific policies take precedence over general ones
- Use groups to manage policies for multiple users efficiently

## Troubleshooting

**Policy not taking effect:**

- Verify user/group has policy attached: `mc admin user info myminio username`
- Check MinIO server logs for policy evaluation errors
- Ensure bucket/prefix names match exactly (case-sensitive)

**Access denied errors:**

- Verify resource ARN matches the bucket/object pattern
- Check if actions include the operation being performed
- Ensure both bucket-level and object-level permissions are set

## References

- [MinIO IAM Documentation](https://min.io/docs/minio/linux/administration/identity-access-management.html)
- [AWS S3 IAM Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html)
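
The "Access denied errors" checks under Troubleshooting can be run against a policy file before it is applied. The script below is an added example, not part of this repository: `lint_policy` and the sample policies are hypothetical names, and the action grouping covers only the actions listed under Common Actions.

```python
ARN_PREFIX = "arn:aws:s3:::"
# Actions from "Common Actions", grouped by the kind of resource they act on.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (statement index, action, problem) for Allow statements that cannot match."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    findings = []
    for idx, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        names = [r[len(ARN_PREFIX):] for r in _as_list(stmt.get("Resource", []))
                 if r.startswith(ARN_PREFIX)]
        # Simplification: "*" is treated as matching across "/", so "my-bucket*" covers objects.
        has_bucket = any("/" not in n for n in names)
        has_object = any("/" in n or "*" in n for n in names)
        for action in _as_list(stmt.get("Action", [])):
            if action in BUCKET_ACTIONS and not has_bucket:
                findings.append((idx, action, "needs a bucket ARN (arn:aws:s3:::my-bucket)"))
            elif action in OBJECT_ACTIONS and not has_object:
                findings.append((idx, action, "needs an object ARN (arn:aws:s3:::my-bucket/*)"))
            elif action == "s3:*" and "*" in names:
                findings.append((idx, action, "grants full access to every bucket"))
    return findings


# Constructed sample: object-level ARN forgotten, so reads would be denied.
BROKEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket"]}]}
# The read-only policy from this page: bucket and object ARNs both present.
READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}

if __name__ == "__main__":
    for name, pol in (("BROKEN", BROKEN), ("READ_ONLY", READ_ONLY)):
        print(name, lint_policy(pol) or "ok")
```

The last finding type is informational: it flags the `s3:*` on `arn:aws:s3:::*` combination so that a full-access grant is a deliberate choice, as it is for an admin policy.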