infra/manifests/minio-bitnami/README.md

# MinIO Bitnami Configuration

This directory contains configuration and policies for MinIO deployed using the Bitnami Helm chart.

## Files

- `values.yaml` - Helm chart values for MinIO deployment
- `monitoring.yaml` - Monitoring configuration
- `minio-admins.json` - Full admin access policy
- `minio-users.json` - Standard user access policy

## Creating New Policies

MinIO uses IAM-style policies (similar to AWS S3) to control access to buckets and objects.

### 1. Create Policy JSON File

Create a new JSON file with your policy definition:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*",
        "arn:aws:s3:::my-bucket"
      ]
    }
  ]
}
```

**Common Actions**:
- `s3:*` - All actions (full access)
- `s3:GetObject` - Read objects
- `s3:PutObject` - Write/upload objects
- `s3:DeleteObject` - Delete objects
- `s3:ListBucket` - List bucket contents
- `s3:GetBucketLocation` - Get bucket location
- `s3:ListAllMyBuckets` - List all buckets

**Resource Patterns**:
- `arn:aws:s3:::*` - All buckets and objects
- `arn:aws:s3:::my-bucket` - Specific bucket
- `arn:aws:s3:::my-bucket/*` - All objects in a bucket
- `arn:aws:s3:::my-bucket/prefix/*` - Objects with prefix

### 2. Apply Policy Using MinIO Client (mc)

```bash
# Configure mc alias (one-time setup)
mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY

# Create the policy
mc admin policy create myminio policy-name path/to/policy.json

# List all policies
mc admin policy list myminio

# View policy details
mc admin policy info myminio policy-name

# Remove a policy
mc admin policy remove myminio policy-name
```

### 3. Assign Policy to Users or Groups

```bash
# Assign policy to a user
mc admin policy attach myminio policy-name --user username

# Assign policy to a group
mc admin policy attach myminio policy-name --group groupname

# List user policies
mc admin user info myminio username
```

## Example Policies

### Read-Only Access to Specific Bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```

### Read-Write Access to Specific Prefix

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/uploads/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/*"]
        }
      }
    }
  ]
}
```

### Multiple Buckets with Different Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::public-bucket",
        "arn:aws:s3:::public-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::private-bucket",
        "arn:aws:s3:::private-bucket/*"
      ]
    }
  ]
}
```

## Tips

- Always test policies with a test user before applying to production
- Use `mc admin policy info` to verify policy is correctly formatted
- Policies are applied immediately - no restart required
- Users can have multiple policies attached
- More specific policies take precedence over general ones
- Use groups to manage policies for multiple users efficiently

## Troubleshooting

**Policy not taking effect:**
- Verify user/group has policy attached: `mc admin user info myminio username`
- Check MinIO server logs for policy evaluation errors
- Ensure bucket/prefix names match exactly (case-sensitive)

**Access denied errors:**
- Verify resource ARN matches the bucket/object pattern
- Check if actions include the operation being performed
- Ensure both bucket-level and object-level permissions are set

## References

- [MinIO IAM Documentation](https://min.io/docs/minio/linux/administration/identity-access-management.html)
- [AWS S3 IAM Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html)