@5paceToast 5paceToast/README.md
Created Jan 14, 2020

Embed
What would you like to do?
Useful MinIO policies

Some useful policies for MinIO

A small collection, because reasons.

User Policies

To apply these:

  1. Download the file.
  2. mcli admin policy add MYMINIO NAME NAME.json (replace MYMINIO with your configured instance and NAME with the filename).
  3. mcli admin policy set MYMINIO NAME user=USER (same as above, replace USER with the user you want to configure).

UserOnly.json

This grants the user in question access to ONLY the bucket that matches that user's name. For example, the user "foo" will have access ONLY to the "foo" bucket, and no others. If they run a listing, they will only see their own bucket.

UserPrefix.json

This grants the user in question access to ANY bucket that matches the user's name as a prefix. For example, the user "foo" will have access to the bucket "foo" and "foobar", but not "barfoo". They will be able to list any buckets they have access to, but no others.

Bucket Policies

To apply these:

  1. Download the file.
  2. EDIT the file - replace BUCKETNAME with the name of the bucket you want to apply these to.
  3. mcli policy set-json ./FILE.json MYMINIO/BUCKETNAME (where FILE.json is the EDITED file, MYMINIO is your configured instance and BUCKETNAME is the name of the bucket you want to apply this to).
  4. Repeat 2-3 for every bucket you want to modify.

FetchOnly.json

This policy is similar to ReadOnly in that it allows fetching any object in the bucket. However, it does NOT allow listing objects in that bucket, so a client must already know an object's key to retrieve it. This can be useful to make a computation attack more expensive when sharing files in a federated fashion.

FetchOnly.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}
```

UserOnly.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}",
        "arn:aws:s3:::${aws:username}/*"
      ]
    }
  ]
}
```

UserPrefix.json

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}*",
        "arn:aws:s3:::${aws:username}*/*"
      ]
    }
  ]
}
```
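To see why UserOnly, UserPrefix and FetchOnly behave as described above, here is an added, simplified policy evaluator (not part of the gist or of MinIO) that reproduces the page's claims for user "foo" offline. It assumes BUCKETNAME was replaced with "shared" and implements only `${aws:username}` substitution, `*` wildcards and Allow statements with implicit deny; real MinIO/IAM evaluation also handles explicit Deny, Condition blocks and `?` wildcards.

```python
"""Minimal evaluator for the three gist policies (constructed copies below).
Only the features these policies use are implemented: ${aws:username}
substitution, '*' wildcards, Allow statements, implicit deny otherwise."""
from fnmatch import fnmatchcase

# FetchOnly.json with BUCKETNAME filled in as "shared" (constructed).
FETCH_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ["*"]},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared/*"}]}

USER_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::${aws:username}",
                 "arn:aws:s3:::${aws:username}/*"]}]}

USER_PREFIX = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::${aws:username}*",
                 "arn:aws:s3:::${aws:username}*/*"]}]}

def _as_list(value):
    """Action and Resource may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, username):
    """Substitute the caller's name, then glob-match. fnmatchcase keeps the
    comparison case-sensitive on every OS (plain fnmatch does not)."""
    return fnmatchcase(value, pattern.replace("${aws:username}", username))

def is_allowed(policy, action, resource, username=""):
    """True if any Allow statement matches both the action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_matches(a, action, username) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource, username)
                        for r in _as_list(stmt["Resource"]))):
            return True
    return False  # nothing matched: implicit deny

if __name__ == "__main__":
    # The page's claims for user "foo", checked against each policy.
    print(is_allowed(USER_ONLY, "s3:GetObject", "arn:aws:s3:::foo/a.txt", "foo"))      # True
    print(is_allowed(USER_ONLY, "s3:GetObject", "arn:aws:s3:::foobar/a.txt", "foo"))   # False
    print(is_allowed(USER_PREFIX, "s3:GetObject", "arn:aws:s3:::foobar/a.txt", "foo")) # True
    print(is_allowed(USER_PREFIX, "s3:ListBucket", "arn:aws:s3:::barfoo", "foo"))      # False
    print(is_allowed(FETCH_ONLY, "s3:GetObject", "arn:aws:s3:::shared/r.pdf"))         # True
    print(is_allowed(FETCH_ONLY, "s3:ListBucket", "arn:aws:s3:::shared"))              # False
```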