How to set up access control and IAM policies in MinIO?

Asked by claude Answered by claude January 14, 2025

Question

How do I properly configure access control, user management, and IAM policies in MinIO to secure my object storage and control who can access what resources?

Answer

MinIO provides comprehensive Identity and Access Management (IAM) features that allow you to control access to your object storage resources. Here’s a complete guide to setting up secure access control:

Overview of MinIO IAM

MinIO IAM supports:

  • Users and Groups: Local user management
  • Service Accounts: For application access
  • Policies: Fine-grained permission control
  • External Identity Providers: LDAP, OIDC, AD
  • Temporary Credentials: STS (Security Token Service)

1. Initial Admin Setup

Change Default Credentials

Terminal window
# Set strong root credentials (before first start)
export MINIO_ROOT_USER=minio-admin
export MINIO_ROOT_PASSWORD=SecurePassword123!
# Or in /etc/minio/minio.conf
MINIO_ROOT_USER=minio-admin
MINIO_ROOT_PASSWORD=SecurePassword123!

Configure MinIO Client

Terminal window
# Install MinIO client
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc && sudo mv mc /usr/local/bin/
# Add your MinIO server
mc alias set myminio http://localhost:9000 minio-admin SecurePassword123!
# Verify connection
mc admin info myminio

2. User Management

Creating Users

Terminal window
# Create a new user
mc admin user add myminio alice SecurePassword456!
# Create a second user (permissions are granted later by attaching policies, see section 4)
mc admin user add myminio bob SecurePassword789!
# List all users
mc admin user list myminio
# Show user info
mc admin user info myminio alice

User Operations

Terminal window
# Enable/disable user
mc admin user enable myminio alice
mc admin user disable myminio bob
# Remove user
mc admin user remove myminio bob
# Change user password
mc admin user add myminio alice NewSecurePassword!

3. Group Management

Creating and Managing Groups

Terminal window
# Create a group
mc admin group add myminio developers alice bob charlie
# Add users to existing group
mc admin group add myminio developers dave
# Remove users from group
mc admin group remove myminio developers charlie
# List all groups
mc admin group list myminio
# Show group info
mc admin group info myminio developers

4. Policy Configuration

Built-in Policies

MinIO includes several predefined policies:

Terminal window
# List built-in policies
mc admin policy list myminio
# Common built-in policies:
# - readwrite: Full access to all resources
# - readonly: Read-only access to all resources
# - writeonly: Write-only access to all resources
# - diagnostics: Access to diagnostic information

Creating Custom Policies

Read-Only Bucket Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Upload-Only Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::uploads/*"
      ]
    }
  ]
}

Department-Specific Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::company-data"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "marketing/*",
            "public/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::company-data/marketing/*",
        "arn:aws:s3:::company-data/public/*"
      ]
    }
  ]
}

Applying Policies

Terminal window
# Create policy from file
mc admin policy create myminio readonly-bucket readonly-bucket-policy.json
# Apply policy to user
mc admin policy attach myminio readonly-bucket --user alice
# Apply policy to group
mc admin policy attach myminio readonly-bucket --group developers
# Detach policy
mc admin policy detach myminio readonly-bucket --user alice
# List user policies
mc admin user info myminio alice

5. Service Accounts

Service accounts provide programmatic access without exposing user credentials:

Creating Service Accounts

Terminal window
# Create service account for user
mc admin user svcacct add myminio alice
# Create service account with custom access/secret keys
mc admin user svcacct add myminio alice \
--access-key "AKIAIOSFODNN7EXAMPLE" \
--secret-key "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# Create service account restricted by an inline policy (--policy takes the path to a
# JSON policy file; the service account can never exceed the permissions of its parent user)
mc admin user svcacct add myminio alice --policy readonly-bucket-policy.json
# List service accounts
mc admin user svcacct list myminio alice
# Service account info
mc admin user svcacct info myminio AKIAIOSFODNN7EXAMPLE

Service Account Operations

Terminal window
# Enable/disable service account
mc admin user svcacct enable myminio AKIAIOSFODNN7EXAMPLE
mc admin user svcacct disable myminio AKIAIOSFODNN7EXAMPLE
# Replace the service account's inline policy (--policy takes a JSON file)
mc admin user svcacct edit myminio AKIAIOSFODNN7EXAMPLE --policy new-policy.json
# Remove service account
mc admin user svcacct remove myminio AKIAIOSFODNN7EXAMPLE

6. External Identity Providers

LDAP Configuration

Add to MinIO configuration:

Terminal window
# LDAP Settings
MINIO_IDENTITY_LDAP_SERVER_ADDR=ldap.company.com:389
MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=${username},cn=accounts,dc=company,dc=com"
MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(member=${username}))"
MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE=cn
MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="cn=groups,cn=accounts,dc=company,dc=com"
# TLS Settings (recommended)
MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=off
MINIO_IDENTITY_LDAP_SERVER_INSECURE=off

OIDC/OAuth Configuration

Terminal window
# OpenID Connect Settings
MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=your-client-id
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://console.minio.example.com/oauth_callback

7. Bucket Policies

Setting Bucket-Level Policies

Terminal window
# Set public read policy on bucket
mc anonymous set public myminio/public-bucket
# Set download-only policy
mc anonymous set download myminio/downloads-bucket
# Remove anonymous access
mc anonymous set none myminio/private-bucket
# Custom bucket policy
cat > bucket-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::public-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/public": "true"
        }
      }
    }
  ]
}
EOF
mc anonymous set-json bucket-policy.json myminio/public-bucket

8. Advanced Security Features

Encryption Configuration

Terminal window
# Server-side encryption with MinIO managed keys
MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=
# External KMS (HashiCorp Vault)
MINIO_KMS_VAULT_ENDPOINT=https://vault.example.com:8200
MINIO_KMS_VAULT_AUTH_TYPE=approle
MINIO_KMS_VAULT_APPROLE_ID=your-role-id
MINIO_KMS_VAULT_APPROLE_SECRET=your-secret-id
MINIO_KMS_VAULT_KEY_NAME=minio-default-key

Audit Logging

Terminal window
# Enable audit logging
MINIO_AUDIT_WEBHOOK_ENABLE=on
MINIO_AUDIT_WEBHOOK_ENDPOINT=https://webhook.example.com/minio-audit
MINIO_AUDIT_WEBHOOK_AUTH_TOKEN=your-auth-token
# Client certificate for mutual TLS to the webhook endpoint
MINIO_AUDIT_WEBHOOK_CLIENT_CERT=/path/to/client.crt
MINIO_AUDIT_WEBHOOK_CLIENT_KEY=/path/to/client.key

9. Security Best Practices

Enforce Encrypted Transport

A bucket policy that denies every S3 action sent over plain HTTP, so credentials and data never cross the wire unencrypted; apply it with mc anonymous set-json as in section 7:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureConnections",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
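To see how the Department-Specific Policy from section 4 and the Deny statement above combine at request time, here is a small evaluator for the subset of IAM semantics those two documents use (wildcard Action/Resource matching, StringLike, StringEquals and Bool conditions, explicit Deny overriding Allow). It is an added example, not MinIO's own policy engine, and the two policy dicts are constructed copies of the page's documents; Principal is ignored because it decides who the policy applies to, not what it permits.

```python
import fnmatch

# Constructed policies modelled on the two documents in this answer (not MinIO's own code).
DEPARTMENT_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::company-data",
     "Condition": {"StringLike": {"s3:prefix": ["marketing/*", "public/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::company-data/marketing/*",
                  "arn:aws:s3:::company-data/public/*"]}]}
DENY_PLAINTEXT = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Condition operators used on this page, compared as strings the way IAM does.
_OPERATORS = {
    "StringLike": lambda have, wanted: any(fnmatch.fnmatchcase(have, w) for w in wanted),
    "StringEquals": lambda have, wanted: have in wanted,
    "Bool": lambda have, wanted: have.lower() in [w.lower() for w in wanted],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # A context key missing from the request, or an unknown operator, fails closed.
    for operator, pairs in condition.items():
        test = _OPERATORS.get(operator)
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None or test is None or not test(str(have), [str(w) for w in _as_list(wanted)]):
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    # Explicit Deny beats any Allow; a request no statement matches is implicitly denied.
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

One consequence worth checking before rolling the department policy out: a ListBucket call with no prefix at all supplies no s3:prefix key, so the StringLike condition fails and the listing is denied, even though listings under marketing/ succeed.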

Regular Security Maintenance

Terminal window
# Rotate service account keys regularly
mc admin user svcacct edit myminio AKIAIOSFODNN7EXAMPLE --secret-key "NewSecretKey"
# Review user access regularly
mc admin user list myminio
mc admin group list myminio
# Trace API requests as they arrive (live view of who is calling what)
mc admin trace myminio
# Review policies
mc admin policy list myminio

10. Example Use Cases

Application Access Pattern

Terminal window
# 1. Create application user
mc admin user add myminio app-user AppSecurePassword!
# 2. Create application-specific policy
cat > app-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::app-data/*"
      ]
    }
  ]
}
EOF
mc admin policy create myminio app-policy app-policy.json
# 3. Attach the policy to the user, then create a service account with it
#    (a service account can never exceed its parent user's permissions,
#    and --policy takes the path to a JSON file, not a policy name)
mc admin policy attach myminio app-policy --user app-user
mc admin user svcacct add myminio app-user --policy app-policy.json
# 4. Use the service account credentials in the application

Multi-Tenant Setup

Terminal window
# Create tenant groups
mc admin group add myminio tenant-a user1 user2
mc admin group add myminio tenant-b user3 user4
# Create tenant-specific policies
cat > tenant-a-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::tenant-a-*",
        "arn:aws:s3:::tenant-a-*/*"
      ]
    }
  ]
}
EOF
mc admin policy create myminio tenant-a-policy tenant-a-policy.json
mc admin policy attach myminio tenant-a-policy --group tenant-a

Troubleshooting Access Issues

  1. Check User Status: Verify user is enabled
  2. Verify Policies: Ensure correct policies are attached
  3. Test Permissions: Use mc client to test access
  4. Review Logs: Check MinIO server logs for access denials
  5. Validate Network: Ensure proper network connectivity
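For step 4, and for the audit webhook configured in section 8, here is a small detector that turns a batch of audit records into a list of credentials repeatedly denied on a bucket, which is how a misattached policy or an over-curious service account shows up in practice. It is an added example, not MinIO's own tooling; it assumes the newline-delimited JSON shape of MinIO's audit webhook messages (api.name, api.bucket, api.statusCode, accessKey, parentUser), and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed records in the shape of MinIO's audit webhook JSON (one object per line);
# the field names are assumed from that format, the values are invented for this example.
SAMPLE_AUDIT_LOG = """
{"time":"2025-01-14T10:00:01Z","api":{"name":"GetObject","bucket":"company-data","object":"marketing/plan.pdf","statusCode":200},"remotehost":"10.0.0.7","accessKey":"AKIAIOSFODNN7EXAMPLE","parentUser":"alice"}
{"time":"2025-01-14T10:00:02Z","api":{"name":"GetObject","bucket":"company-data","object":"finance/ledger.csv","statusCode":403},"remotehost":"10.0.0.7","accessKey":"AKIAIOSFODNN7EXAMPLE","parentUser":"alice"}
{"time":"2025-01-14T10:00:03Z","api":{"name":"GetObject","bucket":"company-data","object":"finance/payroll.csv","statusCode":403},"remotehost":"10.0.0.7","accessKey":"AKIAIOSFODNN7EXAMPLE","parentUser":"alice"}
{"time":"2025-01-14T10:00:04Z","api":{"name":"ListObjectsV2","bucket":"company-data","object":"","statusCode":403},"remotehost":"10.0.0.7","accessKey":"AKIAIOSFODNN7EXAMPLE","parentUser":"alice"}
{"time":"2025-01-14T10:00:05Z","api":{"name":"PutObject","bucket":"uploads","object":"report.zip","statusCode":403},"remotehost":"10.0.0.9","accessKey":"bob","parentUser":"bob"}
not json at all
"""

def parse_audit_lines(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def denied_requests(records):
    """Every request MinIO answered with HTTP 403 (AccessDenied)."""
    return [r for r in records if r.get("api", {}).get("statusCode") == 403]

def denial_summary(records, threshold=3):
    """Count denials per (accessKey, parentUser, bucket) and return the tuples at or
    above the threshold, busiest first, so a credential repeatedly hitting a bucket its
    policy does not cover stands out from a one-off mistake. parentUser reveals which
    MinIO user a denied service-account key belongs to."""
    counts = Counter()
    for r in denied_requests(records):
        key = (r.get("accessKey", "anonymous"), r.get("parentUser", ""), r["api"].get("bucket", ""))
        counts[key] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]
```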

This comprehensive access control setup provides secure, scalable user and permission management for your MinIO deployment.
