Minio policy to access specific subfolder inside bucket via web console #13869
-
You are listing the root of the bucket. The user is not allowed to do that. There is no "selective filtering" on results, so you are either allowed to list the prefix you are sending or you are not.
-
Ok. So is it possible to provide a user access to only a particular sub folder inside a bucket? If yes, could you guide me as to how?
-
I can't think of a way. For the folder to be visible it would require the root to be list-able, which would basically make the entire bucket list-able.
-
Does https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html#iam-policy-ex1 not suggest you can filter to a sub folder?
-
I’m also a bit confused. We’re looking at moving from S3 to Minio. S3 definitely allows you to apply different policies to different subfolders within a bucket. Same with Wasabi: https://knowledgebase.wasabi.com/hc/en-us/articles/360003526671-How-Can-I-Make-a-Bucket-or-a-Folder-inside-a-Bucket-Public-
This is how we manage to use a single bucket per user for our app (containing both public and private subfolders). Is this not possible with Minio?
-
We're encountering a consistent issue with our MinIO setup in a Kubernetes cluster, where we've mounted multiple PVCs that are organized as subfolders in a single bucket:
Our goal is to fine-tune access control so that different teams are granted specific access to particular folders—specifically, we want some teams to access the static folder but not uploads, and vice versa. Despite our efforts, the current policy configuration does not seem to work as expected. While it does allow visibility of the bucket itself, the contents remain inaccessible. Conversely, adjusting the policy often results in overly permissive access, exposing too much. Below is the policy we've been trying to implement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::assisto"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:List*", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::assisto"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["static/*"]
        }
      }
    }
  ]
}
Unfortunately, this policy allows us to see the bucket but not its files. We're seeking a solution that provides the necessary access without compromising on security or exposing too much. Any insights or suggestions would be greatly appreciated. Thank you!
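How the policy posted above evaluates against the requests discussed in this thread, as an added example that is not part of the original discussion and is not MinIO's code. It is a simplified evaluator (Allow statements, wildcard actions and resources, and `StringLike` on `s3:prefix` only); the `WITH_GET` variant, the `wild` and `allowed` helpers and the object key are assumptions made for illustration.

```python
import re

# The policy posted above, copied verbatim.
POSTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::assisto"]},
    {"Effect": "Allow", "Action": ["s3:List*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::assisto"],
     "Condition": {"StringLike": {"s3:prefix": ["static/*"]}}},
]}

# Constructed variant (assumption, not from the thread): the same policy plus
# an object-level statement scoped to the static/ prefix.
WITH_GET = {"Version": "2012-10-17", "Statement": POSTED["Statement"] + [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::assisto/static/*"]},
]}


def wild(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None


def allowed(policy, action, resource, prefix=""):
    """Simplified evaluator: Allow statements and StringLike on s3:prefix only."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(wild(a, action) for a in st["Action"]):
            continue
        if not any(wild(r, resource) for r in st["Resource"]):
            continue
        wanted = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None and not any(wild(p, prefix) for p in wanted):
            continue  # the prefix sent with the request fails the condition
        return True
    return False  # no matching Allow means implicit deny


BUCKET = "arn:aws:s3:::assisto"
OBJECT = BUCKET + "/static/logo.png"  # constructed object key
if __name__ == "__main__":
    print("list root    :", allowed(POSTED, "s3:ListBucket", BUCKET, ""))
    print("list static/ :", allowed(POSTED, "s3:ListBucket", BUCKET, "static/"))
    print("get, posted  :", allowed(POSTED, "s3:GetObject", OBJECT))
    print("get, variant :", allowed(WITH_GET, "s3:GetObject", OBJECT))
```

In this model a listing request sent with an empty prefix fails the `s3:prefix` condition, and the posted policy has no statement that matches `s3:GetObject` on any object key.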