
Limit user access to buckets using MinIO policy variables

Allan Roger Reid edited this page Mar 22, 2024 · 3 revisions

https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#id9

With this policy, a user who logs in has access ONLY to the bucket named after their username (`<username>-bucket`); MinIO substitutes the `${aws:username}` policy variable with the caller's access key when it evaluates each request.

Create policy

# Quote the heredoc delimiter ('EOF') so the shell writes ${aws:username} literally.
# With an unquoted EOF, bash treats ${aws:username} as a substring expansion of the
# (unset) variable "aws" and the resource silently becomes "arn:aws:s3:::-bucket".
cat << 'EOF' > bucketpolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}-bucket/*"
      ]
    }
  ]
}
EOF

Set up MinIO

# Download the server and client binaries and put them on the PATH
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
sudo mv minio /usr/local/bin

# wget writes its progress to stderr, so use -a to append its log to the file
wget -a /tmp/minio.log https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin

# Runs in the foreground with the default root credentials minioadmin/minioadmin
# (acceptable for this local lab; set MINIO_ROOT_USER/MINIO_ROOT_PASSWORD for anything else).
# Start it in a second terminal, or append & before running the commands below.
minio server /tmp/data --address :9000 --console-address :9090

# The "ait" alias uses the root credentials; every mc admin command below goes through it
mc alias set ait http://127.0.0.1:9000 minioadmin minioadmin

Define resources

# One bucket per user, named <username>-bucket so it matches the policy's ${aws:username}-bucket
for r in $(seq 0 3); do
    mc rb --force ait/ait-$r-bucket   # fails harmlessly on the first run (bucket does not exist yet)
    mc mb ait/ait-$r-bucket
done

# Replace any previous version of the policy and print what the server stored
mc admin policy rm ait bucketpolicy
mc admin policy create ait bucketpolicy bucketpolicy.json
mc admin policy info ait bucketpolicy

# Users ait-0 .. ait-3 all share the lab password "minioadmin" and all get the same
# policy; ${aws:username} resolves to each user's own access key at request time
for r in $(seq 0 3); do
    mc admin user add ait ait-$r minioadmin
    mc admin policy detach ait bucketpolicy --user ait-$r   # reports an error on the first run (nothing attached yet)
    mc admin policy attach ait bucketpolicy --user ait-$r
    mc admin policy entities ait --user ait-$r
done

Log in and try to access buckets

Observe that user ait-$r can list and manipulate objects only in ait-$r-bucket; requests against any other ait-*-bucket are denied.
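As an added example (not part of this wiki page or of MinIO's own code), the Python script below reproduces the policy evaluation offline, so the outcome of the login test above can be checked without a running server. It embeds the policy from the "Create policy" step, substitutes `${aws:username}` the way MinIO does at request time, and reports which user/bucket/action combinations are allowed. The evaluator is a simplified model written for this page (Allow/Deny statements with `*`/`?` wildcards, no Condition keys); the functions `is_allowed`, `access_matrix`, `bucket_arn` and `object_arn` are assumptions of the example, and the extra bucket `ait-0-bucket-extra` is constructed to show that the grant is for the exact bucket `<username>-bucket`, not for every bucket whose name starts with the username.

```python
import json
import re

# The policy from this page, embedded here so the script runs without a MinIO server.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
      "Resource": ["arn:aws:s3:::${aws:username}-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                 "s3:ListMultipartUploadParts", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::${aws:username}-bucket/*"]
    }
  ]
}
""")


def substitute_variables(value: str, username: str) -> str:
    """Resolve the ${aws:username} policy variable to the requesting user's access key."""
    return value.replace("${aws:username}", username)


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, username: str, action: str, resource: str) -> bool:
    """Simplified IAM/MinIO evaluation (assumed model for this example):
    default deny, an explicit Deny beats any Allow, Condition keys not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(
            wildcard_match(substitute_variables(r, username), resource)
            for r in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def bucket_arn(bucket: str) -> str:
    return f"arn:aws:s3:::{bucket}"


def object_arn(bucket: str, key: str) -> str:
    return f"arn:aws:s3:::{bucket}/{key}"


def access_matrix(policy: dict, users, buckets) -> dict:
    """Map (user, bucket) -> (can list the bucket, can read an object in it)."""
    return {
        (u, b): (
            is_allowed(policy, u, "s3:ListBucket", bucket_arn(b)),
            is_allowed(policy, u, "s3:GetObject", object_arn(b, "file.txt")),
        )
        for u in users
        for b in buckets
    }


if __name__ == "__main__":
    users = [f"ait-{r}" for r in range(4)]  # same users as the mc loop on this page
    # constructed bucket list: each user's own bucket plus one that merely shares a prefix
    buckets = [f"{u}-bucket" for u in users] + ["ait-0-bucket-extra"]
    for (u, b), (can_list, can_get) in access_matrix(BUCKET_POLICY, users, buckets).items():
        print(f"{u:6} {b:20} ListBucket={can_list!s:5} GetObject={can_get}")
```

Each row of the printed matrix corresponds to one `mc ls` / `mc cp` attempt in the login test: only the diagonal (user ait-N against ait-N-bucket) is allowed, and `ait-0-bucket-extra` is denied even for ait-0 because the resource ARN in the policy is an exact name, not a prefix.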
