Access MinIO with EGI Check-in Virtual Organisations

Configure access to MinIO console with EGI Check-in Virtual Organisations.

Overview

This tutorial describes how to configure access to MinIO console using EGI Check-in as external OpenID Connect Identity Provider.

Prerequisites

Be familiar with the steps to configure an OpenID Connect Service Provider with EGI Check-in.

This tutorial assumes that:

  • You have a valid EGI ID (account), you can sign up here.
  • You are a member of a Virtual Organisation.
  • You have deployed MinIO and have access to the console as admin.

Step 1: Get the OIDC entitlement for the Virtual Organisation

See the page about getting tokens from Check-in. It gives you a curl command that returns your OIDC claims, including the list of your eduperson_entitlement values.

Select the entitlement for the Virtual Organisation that you want to enable access to. For example, here is the entitlement for the vo.access.egi.eu Virtual Organisation:

urn:mace:egi.eu:group:vo.access.egi.eu:role=member#aai.egi.eu

Step 2: Configure a new policy in MinIO console

Go to https://<minio-console-endpoint>/identity/policies and create a new policy, where:

  • The name of the policy is exactly the OIDC entitlement obtained in Step 1 (MinIO maps each value of the configured claim to the policy with the same name, so any difference, including the #aai.egi.eu suffix, breaks the mapping).
  • The policy is configured with the value below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::${jwt:preferred_username}-*"
            ]
        }
    ]
}

See the official MinIO documentation for more details.

Step 3: Configure EGI Check-in as external OpenID Connect Identity Provider

Step 3.1: Add service to EGI Federation Registry

Follow the steps to configure an OpenID Connect Service Provider with EGI Check-in.

When adding this service to the EGI Federation Registry, select OIDC Service as the protocol and register the following Redirect URI (it must match, character for character, the Redirect URI you configure in MinIO in Step 3.2):

https://<minio-console-endpoint>/oauth_callback

Step 3.2: Configure MinIO console

Now configure EGI Check-in as external OpenID Connect Identity Provider for MinIO.

Go to https://<minio-console-endpoint>/settings/configurations/identity_openid and set the following values:

  1. Config URL: the OpenID Connect discovery document of EGI Check-in (the Provider configuration value in the docs, ending in /.well-known/openid-configuration).
  2. Client ID: value obtained in Step 3.1 above.
  3. Secret ID (the client secret): value obtained in Step 3.1 above.
  4. Claim Name: eduperson_entitlement (MinIO reads this claim and uses its values as policy names, which is why the policy in Step 2 is named after the entitlement).
  5. Claim UserInfo: ON (MinIO then fetches the claim from the UserInfo endpoint instead of relying on the ID token).
  6. Redirect URI: https://<minio-console-endpoint>/oauth_callback (identical to the one registered in Step 3.1).
  7. Scopes: eduperson_entitlement,profile

Next you need to restart MinIO for the changes to take effect.
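The same configuration can be scripted with the MinIO client `mc` instead of the console, which is easier to review and repeat. The script below is an added example and is not part of the EGI tutorial or of MinIO's own tooling; it assumes an existing `mc` alias named `myminio` with admin credentials, and that the placeholder environment variables (CONFIG_URL, CLIENT_ID, CLIENT_SECRET, CONSOLE_URL) are set to the values from Step 3.1. With DRY_RUN left at its default of 1 it only prints the policy name and document.

```shell
#!/bin/sh
# Added example: script Steps 1-3 with `mc` (policy creation, identity_openid
# configuration, restart). Assumptions: alias "myminio" exists with admin rights;
# CONFIG_URL, CLIENT_ID, CLIENT_SECRET and CONSOLE_URL hold the real values.
set -eu

# Step 1: the Check-in entitlement that expresses membership of a VO.
vo_entitlement() {
  printf 'urn:mace:egi.eu:group:%s:role=member#aai.egi.eu\n' "$1"
}

# Step 2: the policy document. MinIO accepts only the AWS policy version
# "2012-10-17"; any other value is rejected as an invalid policy.
# The quoted heredoc keeps ${jwt:preferred_username} literal for MinIO to expand.
render_policy() {
  cat <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::${jwt:preferred_username}-*"]
        }
    ]
}
EOF
}

# Step 3.2: identity_openid settings, one key=value per line, in the form
# `mc admin config set ALIAS identity_openid ...` expects.
# Usage: openid_config_args CONFIG_URL CLIENT_ID CLIENT_SECRET CONSOLE_URL
openid_config_args() {
  printf '%s\n' \
    "config_url=$1" \
    "client_id=$2" \
    "client_secret=$3" \
    "claim_name=eduperson_entitlement" \
    "claim_userinfo=on" \
    "redirect_uri=$4/oauth_callback" \
    "scopes=eduperson_entitlement,profile"
}

ALIAS="${MINIO_ALIAS:-myminio}"
VO="${VO:-vo.access.egi.eu}"
ENTITLEMENT="$(vo_entitlement "$VO")"

if [ "${DRY_RUN:-1}" = 0 ] && command -v mc >/dev/null 2>&1; then
  POLICY_FILE="$(mktemp)"
  render_policy > "$POLICY_FILE"
  # The policy name must equal the claim value, so MinIO can map the user to it.
  # Older mc releases spell this command `mc admin policy add`.
  mc admin policy create "$ALIAS" "$ENTITLEMENT" "$POLICY_FILE"
  # Word splitting on the newline-separated output is intended here; the values
  # must therefore not contain whitespace.
  # shellcheck disable=SC2046
  mc admin config set "$ALIAS" identity_openid \
    $(openid_config_args "$CONFIG_URL" "$CLIENT_ID" "$CLIENT_SECRET" "$CONSOLE_URL")
  mc admin service restart "$ALIAS"
  rm -f "$POLICY_FILE"
else
  echo "Policy name: $ENTITLEMENT"
  render_policy
fi
```

Run it once with DRY_RUN=1 to inspect the policy name and document, then with DRY_RUN=0 to apply. Keeping the client secret in an environment variable rather than on the command line of an interactive shell avoids leaving it in the shell history.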

Step 4: Access MinIO console with Check-in

All going well, once MinIO has restarted and you go back to the console endpoint you should see a Login with SSO button.

Please note that you will only be able to create buckets whose names start with the <preferred_username>- prefix. preferred_username is an OIDC claim whose value can be obtained with the same curl command as in Step 1 above; MinIO substitutes it for ${jwt:preferred_username} in the policy from Step 2 every time the policy is evaluated. For example, user John Doe will have a preferred_username similar to jdoe. With the configuration detailed in this tutorial, he will be able to create buckets with the following names:

  • s3://jdoe-private-bucket
  • s3://jdoe-public-bucket
  • etc.
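The following added example (not part of the tutorial) makes the effect of the Resource pattern concrete: it expands the pattern for a given preferred_username and checks which bucket and object ARNs it admits, using shell `case` globbing, where `*` matches any characters including `/`, just as MinIO's resource wildcard does. The sample usernames and bucket names are constructed; the `checkin` alias used for the optional `mc mb` calls is an assumption and would be created with the access keys from Step 5.

```shell
#!/bin/sh
# Added example: which resources does the Step 2 policy grant to a user?
# The policy's Resource is arn:aws:s3:::${jwt:preferred_username}-* and MinIO
# expands the variable from the user's token before matching.

# The Resource pattern after MinIO has expanded the variable for this user.
policy_resource() {
  printf 'arn:aws:s3:::%s-*\n' "$1"
}

# Return 0 if the ARN matches the expanded pattern, 1 otherwise.
# `*` in a shell case pattern also matches `/`, so objects inside an allowed
# bucket (arn:aws:s3:::jdoe-x/key) match as well, mirroring MinIO's matching.
resource_allowed() {
  user="$1" arn="$2"
  case "$arn" in
    "arn:aws:s3:::$user-"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Convenience wrapper: can this user create or use this bucket name?
bucket_allowed() {
  resource_allowed "$1" "arn:aws:s3:::$2"
}

# Constructed sample values; override PREFERRED_USERNAME to try another user.
USER_NAME="${PREFERRED_USERNAME:-jdoe}"
for bucket in jdoe-private-bucket jdoe-public-bucket johndoe-private-bucket jdoe shared-data; do
  if bucket_allowed "$USER_NAME" "$bucket"; then
    echo "allowed: s3://$bucket"
    # Optionally create it through an mc alias set up with the Step 5 keys,
    # e.g. `mc alias set checkin https://<minio-endpoint> ACCESS_KEY SECRET_KEY`.
    if [ "${DRY_RUN:-1}" = 0 ] && command -v mc >/dev/null 2>&1; then
      mc mb "checkin/$bucket"
    fi
  else
    echo "denied:  s3://$bucket"
  fi
done
```

One caveat the check makes visible: the hyphen is only a delimiter, not a boundary. If preferred_username values can themselves contain hyphens, a user named `john` matches `john-*` and therefore also `john-doe-private-bucket`, which belongs to the user `john-doe`. Before relying on this pattern for isolation, confirm that the preferred_username values issued by Check-in for your users cannot be a prefix of one another.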

Step 5: Command-line interface

Although the MinIO web interface allows you to manage buckets, advanced users may want to use the command-line interface. MinIO comes with its own client (mc), but it also works with S3-compatible tools. Go to the web interface and create an access key and secret key pair to use from the CLI; keys created this way inherit the permissions of the policy attached to your Check-in identity, so they are subject to the same <preferred_username>- bucket restriction.

https://<minio-console-endpoint>/access-keys

Known issues

Below is the list of known issues when working with this setup.