MinIO Bitnami Configuration
This directory contains configuration and policies for MinIO deployed using the Bitnami Helm chart.
Files
- values.yaml - Helm chart values for MinIO deployment
- monitoring.yaml - Monitoring configuration
- minio-admins.json - Full admin access policy
- minio-users.json - Standard user access policy
Creating New Policies
MinIO uses IAM-style policies (similar to AWS S3) to control access to buckets and objects.
1. Create Policy JSON File
Create a new JSON file with your policy definition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*",
        "arn:aws:s3:::my-bucket"
      ]
    }
  ]
}
Common Actions:
- s3:* - All actions (full access)
- s3:GetObject - Read objects
- s3:PutObject - Write/upload objects
- s3:DeleteObject - Delete objects
- s3:ListBucket - List bucket contents
- s3:GetBucketLocation - Get bucket location
- s3:ListAllMyBuckets - List all buckets
Resource Patterns:
- arn:aws:s3:::* - All buckets and objects
- arn:aws:s3:::my-bucket - Specific bucket
- arn:aws:s3:::my-bucket/* - All objects in a bucket
- arn:aws:s3:::my-bucket/prefix/* - Objects with prefix
2. Apply Policy Using MinIO Client (mc)
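# Configure mc alias (one-time setup)
# ACCESS_KEY and SECRET_KEY are placeholders; omit both to have mc prompt for
# them, which keeps the credentials out of shell history
mc alias set myminio https://minio.example.com ACCESS_KEY SECRET_KEY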
# Create the policy
mc admin policy create myminio policy-name path/to/policy.json
# List all policies
mc admin policy list myminio
# View policy details
mc admin policy info myminio policy-name
# Remove a policy
mc admin policy remove myminio policy-name
3. Assign Policy to Users or Groups
# Assign policy to a user
mc admin policy attach myminio policy-name --user username
# Assign policy to a group
mc admin policy attach myminio policy-name --group groupname
# List user policies
mc admin user info myminio username
Example Policies
Read-Only Access to Specific Bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
Read-Write Access to Specific Prefix
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/uploads/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/*"]
        }
      }
    }
  ]
}
Multiple Buckets with Different Permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::public-bucket",
        "arn:aws:s3:::public-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::private-bucket",
        "arn:aws:s3:::private-bucket/*"
      ]
    }
  ]
}
Tips
- Always test policies with a test user before applying to production
- Use mc admin policy info to verify the policy is correctly formatted
- Policies are applied immediately - no restart required
- Users can have multiple policies attached
- More specific policies take precedence over general ones
- Use groups to manage policies for multiple users efficiently
Troubleshooting
Policy not taking effect:
- Verify user/group has policy attached: mc admin user info myminio username
- Check MinIO server logs for policy evaluation errors
- Ensure bucket/prefix names match exactly (case-sensitive)
Access denied errors:
- Verify resource ARN matches the bucket/object pattern
- Check if actions include the operation being performed
- Ensure both bucket-level and object-level permissions are set
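The checks listed under "Access denied errors" can be run against a policy file before it is applied with mc. The Python linter below is an added example, not part of this repository; the split of actions into object-level and bucket-level sets, the finding codes and the SAMPLE policy are assumptions constructed for illustration.

```python
import json

# Assumed split of the actions listed above into object- and bucket-level.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
ARN_PREFIX = "arn:aws:s3:::"

def _as_list(value):
    """Policy fields may hold one string (or statement) or a list of them."""
    return list(value) if isinstance(value, list) else [value]

def lint_policy(policy_text):
    """Return (statement_index, code, detail) findings for Allow statements."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for r in resources:
            if not r.startswith(ARN_PREFIX):
                findings.append((i, "bad-arn", r))
        paths = [r[len(ARN_PREFIX):] for r in resources if r.startswith(ARN_PREFIX)]
        # Heuristic: a path containing "/" or ending in "*" can match object keys;
        # a path without "/" can match a bucket name.
        has_object = any("/" in p or p.endswith("*") for p in paths)
        has_bucket = any("/" not in p for p in paths)
        if "*" in paths:
            findings.append((i, "all-buckets", ARN_PREFIX + "*"))
        for a in actions:
            if a == "s3:*":
                findings.append((i, "wildcard-action", a))
            elif a in OBJECT_ACTIONS and not has_object:
                findings.append((i, "no-object-resource", a))
            elif a in BUCKET_ACTIONS and not has_bucket:
                findings.append((i, "no-bucket-resource", a))
    return findings

# Constructed sample: ListBucket and GetObject granted on the bucket ARN only,
# so listing works but every object read is denied.
SAMPLE = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::my-bucket"]}]}"""

if __name__ == "__main__":
    for index, code, detail in lint_policy(SAMPLE):
        print(f"statement {index}: {code}: {detail}")
```

An empty result means no mismatch was found by these heuristics; it does not evaluate Condition blocks or Deny statements.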