Comments (4)
So it appears that I'm slightly incorrect: ${jwt:groups} does substitute the variable, but only with the first element when it's an array of values; at least in terms of what my policy and requests authorize in testing.
...
{
  "Effect": "Allow",
  "Action": [
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::testbucket1/${jwt:groups}",
    "arn:aws:s3:::testbucket1/${jwt:groups}/*"
  ]
}
...
There doesn't seem to be any way to index them individually.
from minio.
Right now, we need cycles to take this up @rvIceBreaker. I suggest pushing our roadmaps by becoming a customer if you have a production requirement.
However, this is not a priority and will be addressed later if and when we find some time.
from minio.
You can use jwt:groups as part of the ForAnyValue or ForAllValues conditionals. However, these are not supported in the resources and will only use the first element.
from minio.
@harshavardhana I appreciate the response; this information isn't really clearly stated anywhere, so hopefully this thread can save someone else some time.
As far as I can tell, using ForAnyValues/ForAllValues on s3:ListBucket -> s3:prefix also only matches against the first element.
// s3:ListBucket statement
"Condition": {
  "ForAllValues:StringLike": {
    "s3:prefix": [
      "${jwt:groups}",
      "${jwt:groups}/*"
    ]
  }
}
// s3:GetObject statement
"Resource": [
  "arn:aws:s3:::testbucket1/*"
]
In my testing, the above effectively only allows listing from the first element in ${jwt:groups}, though I can GetObject on a known object path that differs.
from minio.
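Added example, not part of the thread and not MinIO code: a small Python model of the substitution behaviour reported above (an array-valued ${jwt:groups} contributing only its first element), applied to the resource and prefix patterns from the posts. The group names are constructed, and the wildcard matcher and the treatment of an empty claim as matching nothing are assumptions of this example.

```python
import re

VAR = "${jwt:groups}"

def expand(pattern, groups, first_only=True):
    # first_only=True models the behaviour reported in this thread: an array
    # claim contributes only its first element. False is per-group expansion.
    # Assumption: an empty claim yields no pattern at all (nothing matches).
    if VAR not in pattern:
        return [pattern]
    chosen = groups[:1] if first_only else groups
    return [pattern.replace(VAR, g) for g in chosen]

def like(pattern, value):
    # Policy wildcard match: '*' is any run of characters, '?' is one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def matches(patterns, groups, value, first_only=True):
    return any(like(p, value) for pat in patterns
               for p in expand(pat, groups, first_only))

def shadowed_groups(resources, groups, bucket):
    # Groups in the claim whose own prefix is not covered by the policy
    # when only the first element is substituted.
    return [g for g in groups
            if not matches(resources, groups, f"arn:aws:s3:::{bucket}/{g}/probe")]

# Resource and condition patterns copied from the policies in this thread.
OBJECT_RESOURCES = ["arn:aws:s3:::testbucket1/${jwt:groups}",
                    "arn:aws:s3:::testbucket1/${jwt:groups}/*"]
LIST_PREFIXES = ["${jwt:groups}", "${jwt:groups}/*"]
GET_RESOURCES = ["arn:aws:s3:::testbucket1/*"]

# Constructed sample claim; the group names are hypothetical.
GROUPS = ["engineering", "finance"]

if __name__ == "__main__":
    print("shadowed:", shadowed_groups(OBJECT_RESOURCES, GROUPS, "testbucket1"))
    print("shadowed after reorder:",
          shadowed_groups(OBJECT_RESOURCES, GROUPS[::-1], "testbucket1"))
    print("list finance/:", matches(LIST_PREFIXES, GROUPS, "finance/"))
    print("get finance/report.csv:", matches(
        GET_RESOURCES, GROUPS, "arn:aws:s3:::testbucket1/finance/report.csv"))
```

Under this model the authorized prefix depends on the order in which the identity provider emits the groups claim, and the wildcard GetObject resource from the last post covers objects outside the prefix the caller can list.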