23
MinIO - Bind a user to one bucket policy (lmy.mymte.de)
submitted 1 year ago by morethanevil@lmy.mymte.de to c/selfhosted@lemmy.world
5 comments fedilink hide all child comments

I was looking a long time for a policy which binds a user to a bucket. The docs are not very helpful for beginners, but I talked with an advanced user and he said it is okay to share his solution, since he is not on Lemmy

Create a new policy and fill this in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::${aws:username}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::${aws:username}/*"
            ]
        }
    ]
}

If you now create a user, just assign the user to only this policy, nothing more. The user is now allowed to create a bucket with the same name as the users. So a user Alex can only create the bucket alex and has complete access to it. The user won't see other users buckets.

All credits belongs to the very helpful person, not me ☝🏻☺️

top 5 comments
sorted by: hot top controversial new old
[-] ndguardian@lemmy.studio 2 points 1 year ago

Hmm…this should work but I do have a concern on it based on my experience with AWS. Maybe this is different with minio though.

In AWS, S3 bucket names are globally unique. Not just to your AWS account, but across ALL S3 buckets period. So let’s say you have a username of “test” and use that policy. If that user attempts to create a bucket and that bucket name is taken, well that user is out of luck.

Obviously if minio doesn’t require globally unique bucket names you’re probably fine, but otherwise this could realistically become a problem.

[-] morethanevil@lmy.mymte.de 3 points 1 year ago

In MinIO you can selfhost the server. I named a bucket and user alex and I am pretty sure someone had the same idea 😁

Bucket and usernames don't need to be globally unique in MinIO. I tried the policy and it worked pretty good ☺️

[-] ndguardian@lemmy.studio 3 points 1 year ago

Ah, neat! Yeah that would work then. I'd hope that your usernames are unique in your self-hosted setup, so that should work just fine. Very nice!

[-] sheeeep@lemmy.world 1 points 1 year ago

Cool, this way you could have a private store for each user. I wonder if you could also use this for roles and federated signups somehow. Also maybe you can enable primitive sharing if you use wildcards on both sides.

[-] morethanevil@lmy.mymte.de 1 points 1 year ago

Yes each user can have a private bucket and only this one. I am not this much into policies and I was lucky to get this template.

Maybe it gives you an idea how to modify it for your needs. If you found a solution, please share ☺️

this post was submitted on 06 Aug 2023
23 points (96.0% liked)

Selfhosted

39143 readers
382 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz