Access MinIO with EGI Check-in Virtual Organisations
Overview
This tutorial describes how to configure access to the MinIO console using EGI Check-in as an external OpenID Connect Identity Provider.
Prerequisites
Be familiar with the steps to configure an OpenID Connect Service Provider with EGI Check-in.
This tutorial assumes that:
- You have a valid EGI ID (account); you can sign up here.
- You are a member of a Virtual Organisation.
- You have deployed MinIO and have access to the console as admin.
Step 1: Get the OIDC entitlement for the Virtual Organisation
See the page about getting tokens from Check-in. You will get a curl command that returns your OIDC claims, including your entitlements (the eduperson_entitlement claim).
Select the entitlement for the Virtual Organisation that you want to enable access to, and copy it exactly as returned: MinIO grants a policy only when the policy name is identical to one of the values in the claim. For example, here is the entitlement for the vo.access.egi.eu Virtual Organisation:
urn:mace:egi.eu:group:vo.access.egi.eu:role=member#aai.egi.eu
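The following added example (not part of the original tutorial or of the EGI tooling) does what the curl command from the Check-in docs does, then picks the entitlement to use as the MinIO policy name. The userinfo URL is an assumption for the production Check-in environment; take the real value from the userinfo_endpoint field of the Provider configuration document. The userinfo response embedded below is constructed for the example.

```python
from __future__ import annotations
import json
import urllib.request

# Assumed production Check-in userinfo endpoint; the authoritative value is the
# userinfo_endpoint field of the Provider configuration document.
CHECKIN_USERINFO_URL = "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/userinfo"


def fetch_userinfo(access_token: str, url: str = CHECKIN_USERINFO_URL) -> dict:
    """Call the userinfo endpoint with a bearer token (network call, same as the curl command)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def entitlement_for(vo: str, role: str = "member") -> str:
    """Build the exact Check-in entitlement string for a VO and role."""
    return f"urn:mace:egi.eu:group:{vo}:role={role}#aai.egi.eu"


def select_entitlement(userinfo: dict, vo: str, role: str = "member") -> str | None:
    """Return the entitlement to use as the MinIO policy name, or None if the user lacks it.

    The comparison is exact on purpose: a substring test on 'vo.access.egi.eu'
    would also accept 'vo.access.egi.eu.test', and MinIO itself matches claim
    values to policy names by exact string comparison.
    """
    wanted = entitlement_for(vo, role)
    values = userinfo.get("eduperson_entitlement", [])
    if isinstance(values, str):  # a single entitlement may come back as a bare string
        values = [values]
    return wanted if wanted in values else None


# Constructed userinfo response used for the example (not real Check-in output).
SAMPLE_USERINFO = {
    "sub": "0123456789abcdef@egi.eu",
    "preferred_username": "jdoe",
    "eduperson_entitlement": [
        "urn:mace:egi.eu:group:vo.access.egi.eu:role=member#aai.egi.eu",
        "urn:mace:egi.eu:group:vo.access.egi.eu.test:role=member#aai.egi.eu",
        "urn:mace:egi.eu:group:vo.access.egi.eu:role=owner#aai.egi.eu",
    ],
}

if __name__ == "__main__":
    import os
    import sys
    # With CHECKIN_ACCESS_TOKEN set, query Check-in; otherwise use the constructed sample.
    token = os.environ.get("CHECKIN_ACCESS_TOKEN")
    info = fetch_userinfo(token) if token else SAMPLE_USERINFO
    vo = sys.argv[1] if len(sys.argv) > 1 else "vo.access.egi.eu"
    print("preferred_username:", info.get("preferred_username"))
    print("policy name:", select_entitlement(info, vo))
```

The printed policy name is the string to use, unchanged, in Step 2; the preferred_username value is the bucket prefix that the policy in Step 2 will enforce.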
Step 2: Configure a new policy in MinIO console
Go to https://<minio-console-endpoint>/identity/policies and create a new policy, where:
- The name of the policy is exactly the OIDC entitlement obtained in Step 1 (MinIO maps the values of the configured claim to policy names by exact string comparison, so any difference in the name means no policy, and therefore no access, is granted).
- The policy is configured with the value below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::${jwt:preferred_username}-*"
      ]
    }
  ]
}
Note
Pay attention to the use of:
${jwt:preferred_username}-*
in the Amazon Resource Name string:
arn:aws:s3:::${jwt:preferred_username}-*
MinIO substitutes the preferred_username claim of the logged-in user when it evaluates the policy, so every user gets full control of their own buckets under the
preferred_username-
prefix and no access to other users' buckets. Keep the hyphen: with ${jwt:preferred_username}* alone, user jdoe would also match the buckets of a user named jdoesmith.
See the official MinIO documentation for more details.
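To make the effect of the policy concrete, here is an added example (written for this page, not MinIO's own evaluation code) that substitutes ${jwt:preferred_username} and matches resources the way the policy above is meant to work: '*' matches any run of characters, including '/', so a bucket pattern also covers the objects in it. The claims are constructed for the example. It also shows why the hyphen matters by evaluating the looser ${jwt:preferred_username}* pattern next to the one from the tutorial.

```python
from __future__ import annotations
import re

# The policy from Step 2.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::${jwt:preferred_username}-*"],
        }
    ],
}

_VAR = re.compile(r"\$\{jwt:([A-Za-z0-9_.-]+)\}")


def substitute(pattern: str, claims: dict) -> str:
    """Expand ${jwt:<claim>} from the user's OIDC claims.

    A missing claim is an error in this toy: silently expanding it to '' would
    turn 'arn:aws:s3:::${jwt:preferred_username}-*' into 'arn:aws:s3:::-*'.
    A claim value that itself contains '*' or '?' would widen the match, so the
    identity provider must issue sane identifiers (Check-in's preferred_username is).
    """
    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in claims:
            raise KeyError(f"claim {name!r} not present in token/userinfo")
        return str(claims[name])
    return _VAR.sub(repl, pattern)


def wildcard_match(pattern: str, text: str) -> bool:
    """Glob match: '*' matches any run of characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None


def is_allowed(policy: dict, claims: dict, action: str, resource: str) -> bool:
    """Deny by default: a matching Deny statement wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(wildcard_match(a, action) for a in st["Action"]):
            continue
        if not any(wildcard_match(substitute(r, claims), resource) for r in st["Resource"]):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_with_resource(resource: str) -> dict:
    """The same Allow-s3:* policy with a different Resource pattern, for comparison."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": [resource]}]}


JDOE = {"preferred_username": "jdoe"}  # constructed claims for the example

if __name__ == "__main__":
    for res in ("arn:aws:s3:::jdoe-private-bucket",
                "arn:aws:s3:::jdoe-private-bucket/report.csv",
                "arn:aws:s3:::alice-bucket",
                "arn:aws:s3:::jdoesmith-bucket"):
        print(f"{res:50} {is_allowed(POLICY, JDOE, 's3:GetObject', res)}")
    # Drop the hyphen and jdoe reaches jdoesmith's buckets too.
    loose = policy_with_resource("arn:aws:s3:::${jwt:preferred_username}*")
    print("loose pattern, jdoesmith-bucket:",
          is_allowed(loose, JDOE, "s3:GetObject", "arn:aws:s3:::jdoesmith-bucket"))
```

Running it shows jdoe allowed on jdoe-private-bucket and on objects inside it, denied on alice-bucket and jdoesmith-bucket, and allowed on jdoesmith-bucket only under the loose pattern without the hyphen.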
Step 3: Configure EGI Check-in as external OpenID Connect Identity Provider
Step 3.1: Add service to EGI Federation Registry
Follow the steps to configure an OpenID Connect Service Provider with EGI Check-in.
Apart from selecting OIDC Service as the protocol when adding this service to the EGI Federation Registry, you should use the below as the Redirect URI:
https://<minio-console-endpoint>/oauth_callback
The value registered here must match, character for character (scheme, host, port and path), the Redirect URI you configure in MinIO in Step 3.2, or the login callback will be rejected.
Step 3.2: Configure MinIO console
Now configure EGI Check-in as external OpenID Connect Identity Provider for MinIO.
Go to https://<minio-console-endpoint>/settings/configurations/identity_openid and set the following values:
- Config URL: the Provider configuration value given in the Check-in docs (the .well-known/openid-configuration URL of the Check-in environment in which you registered the service).
- Client ID: the value from Step 3.1 above.
- Secret ID: the client secret from Step 3.1 above.
- Claim Name: eduperson_entitlement
- Claim UserInfo: ON (this makes MinIO fetch the claims from the userinfo endpoint as well, which is where Check-in returns the entitlements)
- Redirect URI: https://<minio-console-endpoint>/oauth_callback
- Scopes: eduperson_entitlement,profile
Next you need to restart MinIO for the changes to take effect.
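Before restarting, it is worth checking that the Config URL really points at a provider that can satisfy the settings above. The following added example (not from the tutorial or from MinIO) downloads the provider configuration and checks the points the MinIO settings depend on: the endpoints exist, the issuer matches the Config URL, the authorization code flow is offered, the scopes and claims are advertised where the document lists them, and the Redirect URI has the expected shape. The Config URL is an assumption for the production Check-in environment; the discovery document embedded below is constructed for the example.

```python
from __future__ import annotations
import json
import urllib.request
from urllib.parse import urlparse

# Assumed Config URL for the production Check-in environment; use the Provider
# configuration value from the Check-in docs for the environment you registered with.
CHECKIN_CONFIG_URL = "https://aai.egi.eu/auth/realms/egi/.well-known/openid-configuration"

# What the MinIO settings in Step 3.2 rely on.
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "profile", "eduperson_entitlement"}
REQUIRED_CLAIMS = {"preferred_username", "eduperson_entitlement"}


def fetch_config(url: str = CHECKIN_CONFIG_URL) -> dict:
    """Download the OpenID provider configuration (network call)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_config(doc: dict, config_url: str, redirect_uri: str) -> list[str]:
    """Return a list of problems; an empty list means the Step 3.2 settings fit this provider."""
    problems: list[str] = []
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            # Without userinfo_endpoint, "Claim UserInfo: ON" has nothing to query.
            problems.append(f"provider configuration lacks {key}")
    issuer = doc.get("issuer", "")
    # OIDC Discovery: the configuration lives under <issuer>/.well-known/openid-configuration
    if issuer and not config_url.startswith(issuer.rstrip("/") + "/"):
        problems.append(f"issuer {issuer!r} does not match Config URL {config_url!r}")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("authorization code flow not supported")
    # scopes_supported / claims_supported are optional; complain only if present and incomplete.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    if "claims_supported" in doc:
        missing = REQUIRED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append(f"claims not advertised: {sorted(missing)}")
    u = urlparse(redirect_uri)
    if u.scheme != "https" or u.path != "/oauth_callback" or u.query or u.fragment:
        problems.append("redirect URI should be https://<minio-console-endpoint>/oauth_callback, "
                        f"got {redirect_uri!r}")
    return problems


# Constructed discovery document in the shape Keycloak-based providers return (not real Check-in output).
SAMPLE_CONFIG = {
    "issuer": "https://aai.egi.eu/auth/realms/egi",
    "authorization_endpoint": "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/auth",
    "token_endpoint": "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token",
    "userinfo_endpoint": "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/userinfo",
    "jwks_uri": "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "scopes_supported": ["openid", "profile", "email", "eduperson_entitlement"],
    "claims_supported": ["sub", "preferred_username", "eduperson_entitlement"],
}

if __name__ == "__main__":
    import os
    import sys
    redirect = sys.argv[1] if len(sys.argv) > 1 else "https://minio.example.org/oauth_callback"
    # Set CHECKIN_LIVE=1 to query the real provider instead of the constructed sample.
    doc = fetch_config() if os.environ.get("CHECKIN_LIVE") else SAMPLE_CONFIG
    issues = check_config(doc, CHECKIN_CONFIG_URL, redirect)
    print("OK" if not issues else "\n".join(issues))
```

The script takes the Redirect URI you intend to configure as its first argument; a trailing slash, an http scheme or a different path is exactly the kind of mismatch that makes the Check-in callback fail after the restart.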
Step 4: Access MinIO console with Check-in
All going well, when you restart MinIO and go back to the console endpoint you should see a Login with SSO button.
Please note that you will only be able to create buckets with the <preferred_username>- prefix. preferred_username is an OIDC claim whose value can be obtained using the same curl command as the one in Step 1 above. For example, user John Doe will have a preferred_username similar to jdoe. With the configuration detailed in this tutorial, he will be able to create buckets with names such as:
- s3://jdoe-private-bucket
- s3://jdoe-public-bucket
- etc.
A bucket whose name does not start with jdoe- is refused by the policy, and jdoe cannot list or read buckets created by other users.
Step 5: Command-line interface
Although the MinIO web interface allows you to manage buckets, advanced users may want to use the command-line interface. MinIO comes with its own client, but it also works with S3-compatible tools. Go to the web interface and create an access key and secret key pair that you can use from the CLI:
https://<minio-console-endpoint>/access-keys
Keys created this way inherit the permissions of the policy attached to your Check-in session, so they are still restricted to your preferred_username- buckets; treat them like passwords and delete them from the same page when no longer needed.
Known issues
Below is the list of known issues when working with this setup.
Warning
When using the web console via Check-in, you often get this error message:
The Access Key Id you provided does not exist in our records.
and suddenly you are not able to see your buckets or access keys. This happens once the temporary credentials that the console obtained at login are no longer valid. Simply log out and log back in and the issue disappears.