Minio policy to access specific subfolder inside bucket via web console

[vikram-opensrc]

Expected Behavior: User should be able to access the specific folder for which access is given via policy
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowStatement1",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::"]
},
{
"Sid": "AllowStatement4B",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": ["arn:aws:s3:::my-bucket"]
}
{
"Sid": "AllowStatement2B",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-bucket"],
"Condition":{"StringEquals":{"s3:prefix":["","media"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowStatement3",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-bucket"],
"Condition":{"StringLike":{"s3:prefix":["media/"]}}
},
{
"Sid": "AllowStatement4B",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": ["arn:aws:s3:::my-bucket/media/*"]
}
]
}

Actual Behavior:
User is able to get inside the bucket. But not able to get any content inside the bucket.
View with admin user:

View with user with policy:

[klauspost]

You are listing the root of the bucket. The user is not allowed to do that.

There is no "selective filtering" on results, so you are either allowed to list the prefix you are sending or you are not.

[vikram-opensrc]

Ok. So is it possible to provide a user access to only a particular sub folder inside a bucket? If yes could you guide me as to how?

[klauspost]

I can't think of a way.

For the folder to be visible it would require the root to be list-able, which would basically make the entire bucket list-able.

[tekkisse]

does https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html#iam-policy-ex1 not suggest you can filter to a sub folder ?

[binaryfire]

I’m also a bit confused. We’re looking at moving from S3 to Minio. S3 definitely allows you to apply different policies to different subfolders within a bucket.

Same with Wasabi: https://knowledgebase.wasabi.com/hc/en-us/articles/360003526671-How-Can-I-Make-a-Bucket-or-a-Folder-inside-a-Bucket-Public-

This is how we manage to use a single bucket per user for our app (containing both public and private subfolders).

Is this not possible with Minio?

[harshavardhana]

It is definitely possible, you are churning on an old discussion.

[laurabegin]

@harshavardhana How can it be achieved now? Could you give an example of a policy that gives access to a specific subfolder via the web console pls?

[gasgithub]

Here is sample policy file that gives access to the specific folder (myfolder) in the specific bucket (mybucket):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Sid": "AllowRootLevelListingOfTheBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/myfolder"
            ]
        },
        {
            "Sid": "AllowListBucketOfASpecificFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "myfolder/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/myfolder/*"
            ]
        }
    ]
}

[wlcwfwyt]

good,it's OK

[andrei-ziminov]

We're encountering a consistent issue with our MinIO setup in a Kubernetes cluster, where we've mounted multiple PVCs that are organized as subfolders in a single bucket:

• uploads
• static
• cdn

Our goal is to fine-tune access control so that different teams are granted specific access to particular folders—specifically, we want some teams to access the static folder but not uploads, and vice versa.

Despite our efforts, the current policy configuration does not seem to work as expected. While it does allow visibility of the bucket itself, the contents remain inaccessible. Conversely, adjusting the policy often results in overly permissive access, exposing too much.

Below is the policy we've been trying to implement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::assisto"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:List*", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::assisto"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["static/*"]
        }
      }
    }
  ]
}

Unfortunately, this policy allows us to see the bucket but not its files. We're seeking a solution that provides the necessary access without compromising on security or exposing too much.

Any insights or suggestions would be greatly appreciated.

Thank you!