LAB17: Minio Setup and Access

LAB 400: Minio Setup and Access policy

Create Directory

mkdir minio-docker && cd minio-docker

Create docker-compose.yaml

Create the file:

version: '3.8'

services:
  minio:
    image: quay.io/minio/minio:latest
    container_name: minio
    ports:
      - "9000:9000"     # S3 endpoint
      - "9090:9090"     # MinIO console
    volumes:
      - ./data:/data
    environment:
      MINIO_ROOT_USER: "admin"
      MINIO_ROOT_PASSWORD: "admin12345"
    command: server /data --console-address ":9090"
    restart: always

Start MinIO

docker compose up -d

Check logs:

docker logs -f minio

Access MinIO

Service

URL

MinIO Console UI

http://localhost:9090

S3 API Endpoint

http://localhost:9000

Username: admin
Password: admin12345

Installing client tool and RBAC Example

Install MinIO Client (mc)

curl -O https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/

Configure connection:

mc alias set local http://localhost:9000 admin admin12345

Creating object storage (bucket) for Globomantics-hotel deployment

set an alias (local):

 mc alias set local http://localhost:9000 admin admin12345

STEP 2 — Create a New IAM User

mc admin user add local appuser StrongPass123!

Verify:

mc admin user info local appuser

STEP 3 — Create an S3-Compatible Service Account (Access Key)

mc admin user svcacct add local appuser

Output example:

AccessKey: YU73HD83JJSKSKS92
SecretKey: hdhw827dhs8s7dhs8s8dhs8sh

Save these — they are your S3 keys.

STEP 4 — Create a Bucket

mc mb local/visiting-cards

STEP 5 — Create Policy Files

5.1 Full-access policy

Create:

cat > visiting-cards-full.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::visiting-cards",
        "arn:aws:s3:::visiting-cards/*"
      ]
    }
  ]
}
EOF

Create policy:

mc admin policy create local visiting-cards-full visiting-cards-full.json

Attach to user:

mc admin policy attach local visiting-cards-full --user appuser

STEP 7 — Use the Newly Created Access Keys

Set alias using the SERVICE ACCOUNT Keys:

mc alias set app http://localhost:9000 17M1PHYN77QDH1QEFAWK gVnmRRvFWN1lKXOSpDs3qyppEWGHfzsSP7R4k8BH

Test:

mc ls app/visiting-cards

STEP 8 — Upload & Download Files

Upload:

mc cp test.jpg app/visiting-cards

Download:

mc cp app/visiting-cards/test.jpg .

List:

mc ls app/visiting-cards

:::spoiler Excercise

MINIO IAM & POLICY ADMINISTRATION — FULL LAB GUIDE

mc alias set local http://localhost:9000 admin admin12345

SECTION 1 — Create Users + Attach Policies

Create a new user

mc admin user add local devuser StrongPass123!
mc admin user add local readonlyuser Pass123!
mc admin user add local writeruser Pass123!

Verify:

mc admin user list local

SECTION 2 — Create Bucket & Policies

Create bucket:

mc mb local/mybucket

2.1 FULL ACCESS POLICY (mybucket-full)

Create file: mybucket-full.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

Create policy:

mc admin policy create local mybucket-full mybucket-full.json

Attach to user:

mc admin policy attach local mybucket-full --user devuser

2.2 READ-ONLY POLICY (mybucket-readonly)

Create file: mybucket-readonly.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

Create policy:

mc admin policy create local mybucket-readonly mybucket-readonly.json

Attach:

mc admin policy attach local mybucket-readonly --user readonlyuser

2.3 READ-WRITE POLICY (mybucket-readwrite)

Create file: mybucket-readwrite.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", 
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

Create:

mc admin policy create local mybucket-readwrite mybucket-readwrite.json

Attach:

mc admin policy attach local mybucket-readwrite --user writeruser

SECTION 3 — Generate S3-Compatible Access Keys

MinIO does NOT give access keys directly to users → You MUST create service accounts.

3.1 Create Service Account Keys

For devuser:

mc admin user svcacct add local devuser

Example output:

AccessKey:  2JDSKWLDMX21
SecretKey:  AUEOW993KSKDLSKSK9902LLL

For readonly:

mc admin user svcacct add local readonlyuser

For write user:

mc admin user svcacct add local writeruser

3.2 Save alias for each user

Dev user:

mc alias set dev http://localhost:9000 ACCESS_KEY SECRET_KEY

Readonly:

mc alias set ro http://localhost:9000 ACCESS_KEY SECRET_KEY

Writer:

mc alias set rw http://localhost:9000 ACCESS_KEY SECRET_KEY

SECTION 4 — File Upload & Download (MC)

Dev user (full access):

Upload file:

mc cp file.txt dev/mybucket

Download:

mc cp dev/mybucket/file.txt .

List:

mc ls dev/mybucket

SECTION 5 — File Operations Using AWS CLI

Configure AWS CLI:

aws configure

Enter:

Access key
Secret key
Region: us-east-1
Output: json

Upload:

aws s3 cp file.txt s3://mybucket --endpoint-url http://localhost:9000

Download:

aws s3 cp s3://mybucket/file.txt . --endpoint-url http://localhost:9000

List:

aws s3 ls s3://mybucket --endpoint-url http://localhost:9000

SECTION 6 — RBAC LAB EXAMPLES

Try these real RBAC scenarios in your lab.

6.1 User can access only a folder inside bucket

Create folder-level policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::mybucket/projectA",
        "arn:aws:s3:::mybucket/projectA/*"
      ]
    }
  ]
}

Apply:

mc admin policy create local projectA-full projectA-full.json
mc admin policy attach local projectA-full --user devuser

6.2 Prevent Delete Operations

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}

6.3 Bucket Listing Denied

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"]
    }
  ]
}

6.4 Multiple Buckets With Different Access

Dev:

Full on devbucket
Read on shared

Writer:

Write only on uploads

You create 3 policies + attach accordingly. :::

PreviousLAB16a: Deploying Stateful Application NextLAB18: Etcd Backup & Restore

Last updated 1 month ago

Good night

hashtagLAB 400: Minio Setup and Access policy

hashtagInstalling client tool and RBAC Example

hashtagCreating object storage (bucket) for Globomantics-hotel deployment

hashtagSTEP 1 — Login as Admin (Root User)

hashtagMINIO IAM & POLICY ADMINISTRATION — FULL LAB GUIDE

hashtagSECTION 3 — Generate S3-Compatible Access Keys

hashtagSECTION 4 — File Upload & Download (MC)

hashtagSECTION 5 — File Operations Using AWS CLI

hashtagUpload:

hashtagDownload:

hashtagList:

hashtagSECTION 6 — RBAC LAB EXAMPLES

LAB 400: Minio Setup and Access policy

Installing client tool and RBAC Example

Creating object storage (bucket) for Globomantics-hotel deployment

STEP 1 — Login as Admin (Root User)

MINIO IAM & POLICY ADMINISTRATION — FULL LAB GUIDE

SECTION 3 — Generate S3-Compatible Access Keys

SECTION 4 — File Upload & Download (MC)

SECTION 5 — File Operations Using AWS CLI

Upload:

Download:

List:

SECTION 6 — RBAC LAB EXAMPLES