I have a Min.io instance correctly configured and running in a docker container environment. It is fully integrated with an external OpenID provider (a Keycloak container) to manage SSO logins and registrations.
The Min.io instance has two separate buckets with the following structure:
- bucket "bucket1" - folder "function3" - folder "users" - folder "user1" - folder "user2" - bucket "bucket2" - folder "function1" - folder "function2"
I want to implement a new policy to control access to the buckets, specifically:
- Every user can only read the contents of bucket
bucket2 - Every user, denoted as
$user, can read and write on thebucket1/function3/users/$userand eventually just read everywhere else (e.g.user1can read and write onbucket1/function3/users/user1but cannot write -possibly also cannot read but it's not required- onbucket1/function3/users/user2)
So far, I've tried the following approach
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
but it doesn't fully fit. Infact:
- Every user can correctly only read the contents of bucket
bucket2✅ - The specific user (e.g.
user1) cannot even readbucket1or its content (included the subfolderbucket1/function3/users/user1) ❌
As a temporary workaround solution, I’ve created a dedicated policy rule for each user to grant access to the necessary subpath statically. Is there a way to create a single dynamic policy that can apply to all users for this purpose?
I have a Min.io instance correctly configured and running in a docker container environment. It is fully integrated with an external OpenID provider (a Keycloak container) to manage SSO logins and registrations.
The Min.io instance has two separate buckets with the following structure:
- bucket "bucket1" - folder "function3" - folder "users" - folder "user1" - folder "user2" - bucket "bucket2" - folder "function1" - folder "function2"
I want to implement a new policy to control access to the buckets, specifically:
- Every user can only read the contents of bucket
bucket2 - Every user, denoted as
$user, can read and write on thebucket1/function3/users/$userand eventually just read everywhere else (e.g.user1can read and write onbucket1/function3/users/user1but cannot write -possibly also cannot read but it's not required- onbucket1/function3/users/user2)
So far, I've tried the following approach
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
but it doesn't fully fit. Infact:
- Every user can correctly only read the contents of bucket
bucket2✅ - The specific user (e.g.
user1) cannot even readbucket1or its content (included the subfolderbucket1/function3/users/user1) ❌
As a temporary workaround solution, I’ve created a dedicated policy rule for each user to grant access to the necessary subpath statically. Is there a way to create a single dynamic policy that can apply to all users for this purpose?
Share Improve this question asked Mar 25 at 14:59 pheeleeppoopheeleeppoo 1,5356 gold badges26 silver badges31 bronze badges 1 |1 Answer
Reset to default 0It understands that the problem was on the parameter ${aws:username} . Infact this parameter is referring to the supported S3 policy keys (see the Min.io documentation for further details).
Since the solution here is including an external OpenID connection (e.g. KeyCloak) we should use one of the supported policy variables for use in authorizing OIDC-managed users. The list of supported variable can be find here.
Finally, the working solution is obtained substituting the parameter ${aws:username} with the parameter ${jwt:preferred_username} (the field inside the token that Min.io could read from KeyCloak). The right policy is the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${jwt:preferred_username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
${aws:username}parameter is not properly read because it refers to the internal Min.io user management – pheeleeppoo Commented Apr 1 at 9:06