MinIO: some policy configurations

Collecting a few policies here for easy reuse.

Reference configurations

Get, delete, upload, and download

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*"
            ]
        }
    ]
}

For data analysis

For example, Dremio querying S3; DeleteObject and PutObject are granted as well so that data maintenance operations are possible.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*"
            ]
        }
    ]
}

Console administration

From the official docs

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Read-only

From the official docs; of course, narrowing the Resource lets you restrict it to specific buckets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Read-write

From the official docs; of course, narrowing the Resource lets you restrict it to specific buckets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Diagnostics

From the official docs

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:ConsoleLog",
                "admin:OBDInfo",
                "admin:Profiling",
                "admin:Prometheus",
                "admin:ServerInfo",
                "admin:ServerTrace",
                "admin:TopLocksInfo",
                "admin:BandwidthMonitor"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Notes

The above are a few simple policies, recorded mainly for convenient reuse. IAM policies often need to be combined in several ways to get the effect you actually want; see the official documentation for the explanations it provides on combining (joining) policies.
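As an added example (not code from this page or from MinIO), a small Python model of how these statements are evaluated and combined: it takes the page's data-analysis policy with <bucket> narrowed to a constructed bucket named lake, adds a Deny statement for the raw/ prefix, and includes a lint that flags the whole-namespace grants seen in the console and read-write policies above. The bucket-level matching rule and the omission of Condition blocks are assumptions stated in the docstring.

```python
import fnmatch
import json
# Constructed sample: the page's "data analysis" policy with <bucket> narrowed
# to "lake", plus a Deny statement that protects the raw/ prefix from deletion.
DATA_ANALYSIS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:GetBucketLocation", "s3:GetObject",
                "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::lake/*"]},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::lake/raw/*"]}
  ]
}""")

def _aslist(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, bucket="", obj=""):
    """Default deny; an explicit Deny always wins over any Allow.
    Assumption (mirrors MinIO's evaluator): a bucket-level call is matched as
    "<bucket>/", so "arn:aws:s3:::lake/*" also covers ListBucket on "lake".
    Condition blocks are not modelled."""
    resource = f"{bucket}/{obj}" if obj else f"{bucket}/"
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _aslist(st["Action"])):
            continue
        if action.startswith("s3:"):  # admin:* actions carry no resource
            pats = [r.removeprefix("arn:aws:s3:::") for r in _aslist(st.get("Resource", []))]
            if not any(fnmatch.fnmatchcase(resource, p) for p in pats):
                continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def broad_grants(policy):
    """Lint: Allow statements granting a whole namespace ("s3:*", "admin:*")
    or every bucket ("arn:aws:s3:::*"), as the page's console and read-write
    policies do; worth a second look before such a policy is handed out."""
    hits = []
    for st in policy["Statement"]:
        acts, res = _aslist(st["Action"]), _aslist(st.get("Resource", []))
        if st["Effect"] == "Allow" and (any(a.endswith(":*") for a in acts)
                                        or "arn:aws:s3:::*" in res):
            hits.append((acts, res))
    return hits
```

Running the page's read-write or console-admin policy through broad_grants returns its wildcard statements, while the narrowed data-analysis policy returns none.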

References

https://docs.aws.amazon.com/iam/index.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html
https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/policy-based-access-control.html

posted on 2022-11-08 18:38 by 荣锋亮
