
Minio: Can a user create an accesskey/secretkey with a more restrictive policy to be used by a client?


I have a process P having access to accesskey/secretkey associated with a policy giving it full rights over a bucket B. E.g.

    ...
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }

I want P to be able to schedule some other process W which should only be able to read and write to a subsection (directory) of that bucket. E.g.

    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/workerW/*"]
    }

Is there a way for P to request a different set of accesskey/secretkey associated with the restricted policy?


Solution

  • There are two options with MinIO - temporary credentials with STS or service accounts.

    You can create temporary credentials with a restricted policy by calling the STS API via the Go SDK or via the awscli tool (more info here).

    Service accounts can also be used to create credentials with a restricted policy, however these credentials do not expire. Service accounts can be created conveniently using the mc admin user svcacct command in the MinIO Client tool. The management SDK is not expected to be as stable an interface as the mc tool itself.

    Please know you can find us at https://slack.min.io/ 24/7/365. If you have commercial questions, please reach out to us on hello@min.io or on our Ask an Expert Chat functionality at https://min.io/pricing?action=talk-to-us.
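Both options from the answer, as an added shell example that is not part of the original post or MinIO's own tooling. It assumes a MinIO endpoint in `MINIO_URL`, process P's credentials in `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, and that `aws` and `mc` are installed; `mybucket`, `workerW`, `myminio` and `puser` are placeholder names, and the `--policy` flag on `mc admin user svcacct add` is an assumption about the current mc syntax. The `arn:xxx:xxx:xxx:xxxx` role ARN is the dummy value MinIO's STS documentation uses, since awscli insists on one while MinIO ignores it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MINIO_URL, P's keys in
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, and awscli + mc on PATH.

# Emit a policy that allows GetObject/PutObject only under BUCKET/PREFIX/.
# Only the Resource ARN changes relative to P's policy; objects outside the
# prefix are denied simply because no statement grants them.
scoped_policy() {
  bucket="$1"
  prefix="$2"
  printf '%s\n' \
    '{' \
    '  "Version": "2012-10-17",' \
    '  "Statement": [{' \
    '    "Action": ["s3:GetObject", "s3:PutObject"],' \
    '    "Effect": "Allow",' \
    "    \"Resource\": [\"arn:aws:s3:::${bucket}/${prefix}/*\"]" \
    '  }]' \
    '}'
}

# Reject prefixes that would widen the scope again: empty (covers the whole
# bucket), absolute, trailing slash, or containing "..".
check_prefix() {
  case "$1" in
    ""|/*|*/|*..*) return 1 ;;
  esac
  return 0
}

# Option 1: temporary credentials via STS AssumeRole with an inline session
# policy. MinIO applies it on top of P's own policy, so W can never receive
# more than P holds. Output is the JSON Credentials block from awscli.
mint_temp_creds() {
  bucket="$1"; prefix="$2"; seconds="${3:-3600}"
  check_prefix "$prefix" || { echo "refusing prefix: '$prefix'" >&2; return 1; }
  tmp=$(mktemp)
  scoped_policy "$bucket" "$prefix" > "$tmp"
  aws --endpoint-url "$MINIO_URL" sts assume-role \
    --role-arn arn:xxx:xxx:xxx:xxxx \
    --role-session-name "worker-$prefix" \
    --policy "file://$tmp" \
    --duration-seconds "$seconds"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Option 2: a non-expiring service account under P's MinIO user.
# (--policy is assumed to be the flag name; check `mc admin user svcacct add -h`.)
mint_service_account() {
  alias="$1"; user="$2"; bucket="$3"; prefix="$4"
  check_prefix "$prefix" || { echo "refusing prefix: '$prefix'" >&2; return 1; }
  tmp=$(mktemp)
  scoped_policy "$bucket" "$prefix" > "$tmp"
  mc admin user svcacct add --policy "$tmp" "$alias" "$user"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: ./scope.sh sts      -> prints temporary credentials for workerW
#        ./scope.sh svcacct  -> creates a long-lived service account for workerW
case "${1:-}" in
  sts)     mint_temp_creds mybucket workerW 3600 ;;
  svcacct) mint_service_account myminio puser mybucket workerW ;;
esac
```

The prefix check matters because the only thing standing between W and the rest of the bucket is the Resource ARN; a prefix of `..` or an empty string would hand W the same scope as P. For scheduled workers the STS path is the one to prefer: the credentials expire with `--duration-seconds`, so a leaked key from W's environment has a bounded lifetime, whereas a service account has to be revoked explicitly.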