Today in my homelab I wanted to set up a new service that needed a MinIO access key. So I created a new user and a new access key with the MinIO CLI rather than poking through the UI like I have before.
Global Level vs User Level
The MinIO CLI has two levels of access: global and user level. Most of the commands in this post have several equivalent forms that would work; we will prefer the user-level commands because they give more control. For some commands, such as listing keys, the global level is handier.
The Policy
First we are going to make a new policy file named `mypages_rw_policy.json`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
```
Set the Minio Alias
Before we can create new access keys we will need to start by setting up an alias in `mc` that has admin rights to the MinIO server.

``` bash
# default values
export MINIO_ACCESS_KEY=minioadmin
export MINIO_SECRET_KEY=minioadmin
mc alias set myminio https://myminio.example.com $MINIO_ACCESS_KEY $MINIO_SECRET_KEY
```

Check to see if your alias exists.

``` bash
mc alias list
```
The Script
Now we are going to pick a NEWUSERNAME and a secret (NEWPASSWORD in the script), create the policy, create the user, attach the policy to the user and add an alias for the user.

``` bash
#!/bin/bash
NEWUSERNAME=MYPAGESUSER
NEWPASSWORD=mysupersecretkey
echo USERNAME: $NEWUSERNAME
echo PASSWORD: $NEWPASSWORD

# create a new policy for read/write to the bucket
mc admin policy create myminio mybucket-readwrite mypages_rw_policy.json

# create a new user
mc admin user add myminio $NEWUSERNAME $NEWPASSWORD

# attach the policy to the user, giving them read/write to the bucket
mc admin policy attach myminio mybucket-readwrite --user $NEWUSERNAME

# add an alias for the user. `mc config host add` is deprecated in favour of
# `mc alias set`, and a separate alias name keeps the admin alias "myminio"
# intact for the admin commands that follow
mc alias set myminio-$NEWUSERNAME https://myminio.example.com $NEWUSERNAME $NEWPASSWORD

# create a new access key for the user with their permissions
mc admin user svcacct add \
  myminio $NEWUSERNAME \
  --name mypagesRWKey \
  --description "MYPAGESUSER Key for myminio" \
  --expiry 2025-03-01
```
NEWSECRETKEY
3e11************************************************************
```
Access Key: IL4*****************
Secret Key: M3D*************************************
Expiration: 2025-03-01 06:00:00 +0000 UTC
```

!!! attention
    * This is the secret key, do not share it with anyone.
    * This secret key will only be displayed once here, make sure you copy it to a secure location now.
Give it a test
Now we can test that it works by creating a file and copying it into the bucket.

``` bash
# set up to work with the aws cli
export AWS_DEFAULT_REGION=us-east-1
export AWS_ACCESS_KEY_ID=IL4*****************
export AWS_SECRET_ACCESS_KEY=M3D*************************************
export AWS_ENDPOINT_URL=https://myminio.example.com

# create a test file
echo "You How" > hi-hello.txt

# upload the file
aws s3 cp hi-hello.txt s3://mybucket/hi-hello.txt

# test the file exists
aws s3 ls s3://mybucket
```

Output:

```
2025-02-02 19:25:02          8 hi-hello.txt
```

!!! note
    I am using the aws cli to test, I installed it with pip.

    ``` bash
    pipx install awscli
    ```
Managing Access Keys
You can list all of the access keys for a user, or for all users.

``` bash
# for one user
mc admin accesskey ls myminio/ MYPAGESUSER

# for all users
mc admin accesskey ls myminio/ --all
```

The output will show you all of the access keys for each user.

```
User: MYPAGESUSER
Access Keys:
  IL4*****************, expires: 3 weeks from now, sts: false
```

You can also get a list of the service accounts for a user with this command.

``` bash
mc admin user svcacct ls myminio/ MYPAGESUSER
```

```
Access Key           | Expiry
IL4***************** | 2025-03-01 06:00:00 +0000 UTC
```

!!! note
    You cannot see all of these keys from the web UI; the CLI seems to be the only way to display all access keys, including access keys for other users.
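Since the CLI is the only place that lists every key with its expiry, it is worth checking that listing for keys that have lapsed, are about to lapse, or never expire at all. The script below is an added example, not part of the post: it parses the `Access Key | Expiry` table printed by `mc admin user svcacct ls`. `SAMPLE_OUTPUT` is constructed (masked keys mirror the post's format), `NOW` is a fixed reference time, and the `no-expiry` row assumes `mc` prints non-date text for keys without an expiry.

```python
"""Flag service-account keys that are expired, expiring soon, or never expire.
Added example for the post, not from it; parses `mc admin user svcacct ls` output."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the svcacct ls table; the last row assumes mc prints
# non-date text for a key that has no expiry.
SAMPLE_OUTPUT = """\
Access Key | Expiry
KDM***************** | 2025-03-01 06:00:00 +0000 UTC
IL4***************** | 2025-03-01 06:00:00 +0000 UTC
ABC***************** | 2025-02-10 06:00:00 +0000 UTC
XYZ***************** | no-expiry
"""
# mc prints expiry as e.g. "2025-03-01 06:00:00 +0000 UTC"
EXPIRY_FMT = "%Y-%m-%d %H:%M:%S %z UTC"
# Fixed reference time so the report is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 2, 25, 6, 0, tzinfo=timezone.utc)


def parse_svcacct_table(text: str) -> dict:
    """Map access key -> expiry datetime, or None when the key never expires."""
    keys = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("Access Key"):
            continue  # skip the header and any blank/decorative lines
        key, expiry = (part.strip() for part in line.split("|", 1))
        try:
            keys[key] = datetime.strptime(expiry, EXPIRY_FMT)
        except ValueError:
            keys[key] = None  # not a date: treat as a non-expiring key
    return keys


def expiry_report(text: str, now: datetime = NOW, warn_days: int = 7) -> dict:
    """Keys needing attention: days left (negative = already expired) or None (never expires)."""
    report = {}
    for key, exp in parse_svcacct_table(text).items():
        if exp is None:
            report[key] = None
            continue
        days_left = round((exp - now) / timedelta(days=1), 1)
        if days_left <= warn_days:
            report[key] = days_left
    return report


if __name__ == "__main__":
    for key, days in expiry_report(SAMPLE_OUTPUT).items():
        print(key, "never expires" if days is None else f"{days} days left")
```

In practice pipe the real listing in with `mc admin user svcacct ls myminio/ MYPAGESUSER | python3 check_expiry.py` style wiring, and rotate anything the report names.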
Creating an RO Access Key
I ran into errors when trying to create a new key with exactly the same permissions as the user; I'm not sure if adding a policy that does not match the user is allowed or not.
I made a new policy that has read-only access to the bucket as `mypages_ro_policy.json`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mypages"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mypages/*"
      ]
    }
  ]
}
```
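The difference between the read/write policy earlier in the post and this read-only one is a handful of actions, which is easy to get wrong by copy-paste. The checker below is an added example, not from the post: it lints a MinIO policy document for resources outside the one bucket the key is meant for, wildcard actions, and write/delete actions in a policy that is supposed to be read-only. The `WRITE_ACTIONS` set and the sample policies are constructed for this example (the RW sample mirrors `mypages_rw_policy.json`).

```python
"""Least-privilege lint for MinIO/S3-style policy files (added example, not from the post)."""
import json

# Actions that create, change or remove data; everything else counts as read-only here.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload",
                 "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(text: str, bucket: str, read_only: bool) -> list:
    """Return findings for the policy JSON in `text`; an empty list means it passes."""
    doc = json.loads(text)
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        for res in _as_list(st.get("Resource")):
            if res not in allowed:  # key must be scoped to exactly this bucket
                findings.append(f"statement {i}: resource {res!r} is outside bucket {bucket!r}")
        for act in _as_list(st.get("Action")):
            if act.endswith("*"):  # s3:* or s3:Put* grant far more than intended
                findings.append(f"statement {i}: wildcard action {act!r}")
            elif read_only and act in WRITE_ACTIONS:
                findings.append(f"statement {i}: write action {act!r} in a read-only policy")
    return findings


# Constructed samples: the post's RW policy, and an over-broad policy for contrast.
RW_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::mybucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                                   "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::mybucket/*"]}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]})

if __name__ == "__main__":
    for name, pol in (("rw", RW_POLICY), ("broad", BROAD_POLICY)):
        print(name, "as read-only:", lint_policy(pol, "mybucket", read_only=True) or "OK")
```

Run it against a real file with `lint_policy(open("mypages_ro_policy.json").read(), "mypages", read_only=True)` before passing that file to `--policy`.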
This command will use the above policy to create a new read-only access key.

``` bash
mc admin user svcacct add \
  myminio MYPAGESUSER \
  --name mypagesRWKey \
  --description "MYPAGESUSER READ ONLY Key for myminio" \
  --expiry 2025-03-01 \
  --policy mypages_ro_policy.json
```

The output will show you the access key and secret key.

```
Access Key: KDM*****************
Secret Key: 8Ww*************************************
Expiration: 2025-03-01 06:00:00 +0000 UTC
```

!!! attention
    * This is the secret key, do not share it with anyone.
    * This secret key will only be displayed once here, make sure you copy it to a secure location now.
Removing a service account
If you want to remove a service account, you can use the `rm` command to remove the access key, by alias and access key.

``` bash
mc admin user svcacct rm myminio/ QH6*****************
```
Getting info
You can get the info for a user or for service accounts using the `info` subcommands.

```
⬢ [devtainer] ❯ mc admin user info minio-wayl-one/ MYPAGESUSER
AccessKey: MYPAGESUSER
Status: enabled
PolicyName: mypages-readwrite
MemberOf: []

⬢ [devtainer] ❯ mc admin user svcacct ls minio-wayl-one/ MYPAGESUSER
Access Key           | Expiry
KDM***************** | 2025-03-01 06:00:00 +0000 UTC
IL4***************** | 2025-03-01 06:00:00 +0000 UTC

⬢ [devtainer] ❯ mc admin user svcacct info myminio/ IL4*****************
AccessKey: IL4*****************
ParentUser: MYPAGESUSER
Status: on
Name: mypagesRWKey
Description: MYPAGESUSER Key for myminio
Policy: implied
Expiration: 3 weeks from now

⬢ [devtainer] ❯ mc admin user svcacct info myminio/ KDM*****************
AccessKey: KDM*****************
ParentUser: MYPAGESUSER
Status: on
Name: mypagesRWKey
Description: MYPAGESUSER READ ONLY Key for myminio
Policy: embedded
Expiration: 3 weeks from now
```