MinIO IAM
Admin service account
Set a temporary admin alias:
mc alias set admin_tmp $URL admin $ADMIN_PW
Add a service account to the admin account:
mc admin user svcacct add admin_tmp admin \
--name admin --description "Generic admin serviceaccount"
Use the access key and secret key shown in the output to create a new alias:
mc alias rm admin_tmp
mc alias set admin $URL ACCESSKEY SECRETKEY
Test that the service account works:
mc admin info admin
Show information about the access key, including the attached policy:
mc admin user svcacct info admin ACCESSKEY
mc admin user svcacct info admin ACCESSKEY --policy
Users and service accounts
Create a user:
mc admin user add pinenas-pub-admin newuser newusersecret
Add a service account to varac's account:
mc admin user svcacct add pinenas-pub-varac varac \
--name restic-zancas --description "Restic backup on zancas"
Show information about the access key, including the attached policy:
mc admin user svcacct info restic-zancas ACCESSKEY --policy
List all service accounts associated with an account:
mc admin user svcacct list pinenas-pub-admin varac
Policies
List all global policies:
mc admin policy list admin
Dump the readwrite (default) policy and write it to a file:
mc admin policy info pinenas-pub-admin readwrite | \
jq .Policy > ~/projects/cloud/storage/minio/policies/readwrite.json
Create global policy:
mc admin policy create admin seedvault seedvault.json
Attach global policy to user:
mc admin policy attach admin --user seedvault readwrite
Remove/detach global policy from user:
mc admin policy detach admin readwrite --user seedvault
Create a bucket:
mc mb admin/seedvault
And allow a service account to use it (rw):
jq '.Statement[0].Resource = ["arn:aws:s3:::restic.zancas/*"]' \
~/projects/cloud/storage/minio/policies/readwrite.json > /tmp/policy-new.json
mc admin user svcacct edit --policy /tmp/policy-new.json \
pinenas-pub-admin ACCESSKEY
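Added example, not part of the original notes: a Python check to run on /tmp/policy-new.json before passing it to svcacct edit --policy. The jq filter above rewrites only .Statement[0], so the script reports any Allow statement whose Resource still reaches outside the intended bucket; the function names and the sample policy are constructed for illustration.

```python
import copy
import json

ARN = "arn:aws:s3:::"

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def scope_to_bucket(policy, bucket):
    """Return a copy with every Allow statement limited to one bucket.

    Unlike `.Statement[0].Resource = ...`, this rewrites all Allow statements.
    """
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            stmt["Resource"] = [f"{ARN}{bucket}/*"]
    return scoped

def out_of_scope(policy, allowed_buckets):
    """List (statement index, resource) pairs that reach beyond allowed_buckets."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        for res in as_list(stmt.get("Resource")):
            # Exact bucket ARN or a path under it; wildcard bucket names fail.
            ok = any(res == ARN + b or res.startswith(ARN + b + "/")
                     for b in allowed_buckets)
            if not ok:
                findings.append((i, res))
    return findings

# Constructed sample: a two-statement policy where only the first was edited.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::restic.zancas/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

if __name__ == "__main__":
    print("before:", out_of_scope(SAMPLE, ["restic.zancas"]))
    fixed = scope_to_bucket(SAMPLE, "restic.zancas")
    print("after: ", out_of_scope(fixed, ["restic.zancas"]))
    print(json.dumps(fixed, indent=2))
```

An empty findings list means every Allow statement stays inside the listed buckets.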
List all users with their associated access keys:
mc admin accesskey ls admin