how to assign a policy to a bucket ? #34

dberardo-com opened this issue Dec 20, 2023 · 5 comments
Comments

@dberardo-com

Buckets and policies are created correctly using the examples in the readme, but how do I assign the policies to the buckets?

@alexisdondon
Contributor

Hi, thanks for your contribution. The operator is for the moment only doing buckets and policies, and only for the MinIO provider.

In MinIO there is no bucket on a policy; the policy just opens some actions on a bucket/prefix linked to a user, external or managed.

@dberardo-com
Author

I am not sure I understood your point 100%. I am using MinIO and from the UI I am able to create custom policies and assign them to buckets using a specific selector.

I am not currently aware of any way to assign a policy to a bucket directly from the policy definition itself. Is this what you are referring to, perhaps?

@phlg
Contributor

phlg commented Feb 28, 2024

Hello, sorry for the delay in answering.

The operator only manages the creation of "canned policies" through the use of the madmin Go client. I am not sure these policies can be attached to buckets, as one of these policies could include statements spanning several different buckets.

FWIW, our users are authenticated with STS, and have the policies attached by a dedicated claim in their JWT.

@dberardo-com
Author

My use case is the following:

  • I am using MinIO Operator to create a new bucket programmatically, whenever a new user gets created in the DB
  • this bucket will have a dedicated folder (such as "public") which is, indeed, "public" for downloads

I would like this to happen all automatically; that's why I am asking whether it can be handled solely using CRDs.

Of course every user authenticates using a JWT, but I am not sure how to add information for MinIO within that token, if that's what you mean.

@phlg
Contributor

phlg commented Aug 13, 2024

Sorry yet again for the delay; despite my notification settings, I guess my company's mail server filters out these mails from GitHub.

Using s3-operator, you can create the bucket and the "public" path with a Bucket CR. Then, to manage the rights relative to that bucket/path, you have several options:

  • For unauthenticated users, s3-operator doesn't help - you need to use mc anonymous commands or the MinIO Console to manage that.
  • For users authenticated with STS, the tool used to generate your users' JWTs can be configured to reference one or more policy names. You can then manage said policies with the Policy CR from s3-operator, and manage access to your bucket/path like this. For example, we use Keycloak, and have configured some custom mappers to ensure our users' JWTs contain a policy claim, which is then used by MinIO to "attach" these policies to the users.
  • Lastly, you can also manage MinIO users with the recent S3User CR (from v0.10.1 onwards), though this might not be what you need since you already have JWT-based authentication set up. But for completion's sake, when using this CR to create MinIO users, you can set which policies you want these users to have, with said policies being manageable with s3-operator as well.

Still not sure this answers your question, but hopefully it will help you decide whether s3-operator can fit your needs.
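To make the distinction drawn in this thread concrete, here is an added example (not code from the s3-operator project or from any participant): it builds the two kinds of policy document the use case needs, an anonymous read-only statement scoped to a bucket's "public/" prefix (what `mc anonymous set download` expresses, with `Principal: "*"`) and a canned policy for the bucket owner (no Principal, since MinIO attaches it to an identity via the JWT policy claim or a user binding), then runs a minimal allow/deny evaluator over them. The bucket name `user-42` and the evaluator itself are constructed for illustration; the evaluator ignores Conditions and other IAM features, and nothing here is the operator's own API.

```python
"""Constructed example: build MinIO/IAM-style policy documents for a per-user
bucket with a public download prefix, and check which requests they permit."""
import fnmatch
import json


def public_prefix_policy(bucket: str, prefix: str = "public") -> dict:
    """Anonymous download policy for one prefix of one bucket.

    Principal "*" makes it a bucket policy for unauthenticated callers, which
    is the case the thread says must be managed with `mc anonymous` or the
    Console rather than with a Policy CR.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": ["*"]},
                "Action": ["s3:GetObject"],
                # Only objects under <bucket>/<prefix>/ are readable anonymously.
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            }
        ],
    }


def user_policy(bucket: str) -> dict:
    """Canned (identity) policy for the bucket's owner.

    No Principal: MinIO binds it to a user by name, e.g. through the `policy`
    claim in an STS JWT, so it is the kind of document a Policy CR carries.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: an explicit Deny wins, otherwise any matching
    Allow grants access, default is deny. Wildcards follow IAM semantics
    ('*' also matches '/'), which fnmatchcase provides. Conditions are ignored."""
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_json(policy: dict) -> str:
    """Serialize in the form accepted by `mc admin policy create` or `mc anonymous set-json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    bucket = "user-42"  # constructed name for a bucket created per DB user
    print(policy_json(public_prefix_policy(bucket)))
    print(policy_json(user_policy(bucket)))
    # Anonymous callers can read public/ but not the rest of the bucket.
    print(is_allowed(public_prefix_policy(bucket), "s3:GetObject", f"arn:aws:s3:::{bucket}/public/a.png"))
    print(is_allowed(public_prefix_policy(bucket), "s3:GetObject", f"arn:aws:s3:::{bucket}/private/a.png"))
```

The evaluator makes the scoping visible: the anonymous statement never grants writes or access outside `public/`, and the owner policy never reaches another user's bucket, which is the property to check before wiring either document into a CR or an `mc` command.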
