Policy

• Policy Generator
• Default policy for testing(root like)
• Add policy to server
• Assign policy to user

Policy Generator

AWS policy generator

Default policy for testing(root like)

Do

Create policy consoleAdmin.json

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": [
                "admin:*"
            ],
            "Effect": "Allow",
            "Sid": ""
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Sid": ""
        }
    ]
}

Add policy to server

mc admin policy set [server_alias] [policy__name] [relative_path_to_policy_file]

Example

mc admin policy add local consoleAdmin consoleAdmin.json

Assign policy to user

mc admin policy set [server_alias] [policy_name] user=[username]

Example

mc admin policy set local consoleAdmmin user=console_user

Note

Additionally, you can create policies to limit the privileges for console users, for example, if you want the user to only have access to dashboard, buckets, notifications and watch page, the policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": [
                "admin:ServerInfo"
            ],
            "Effect": "Allow",
            "Sid": ""
        },
        {
            "Action": [
                "s3:ListenBucketNotification",
                "s3:PutBucketNotification",
                "s3:GetBucketNotification",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:HeadBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:DeleteBucket",
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketPolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Sid": ""
        }
    ]
}