minio/minio
External identity and SSO
MinIO IAM is fed by three kinds of identity sources: the local IAM store, an LDAP directory, and one or more OpenID Connect providers. This page summarises how a request from "alice@example.com" turns into an authorised S3 call.
The flow
sequenceDiagram
participant U as User
participant IDP as External IDP
participant STS as MinIO STS
participant IAM as MinIO IAM
participant H as S3 handler
U->>IDP: Login (LDAP bind / OIDC redirect / mTLS handshake)
IDP-->>U: Token / cert
U->>STS: AssumeRoleWith*
STS->>IDP: Validate token / cert
STS->>IAM: Map identity → policy
STS-->>U: Temporary credentials (AK/SK/Session token)
U->>H: Signed S3 request
H->>IAM: Resolve session policy
IAM-->>H: Allow / Deny
H-->>U: ResultThe STS endpoints live in cmd/sts-handlers.go; the per-IDP validators live under internal/config/identity/.
LDAP
internal/config/identity/ldap/ does:
- A bind to a configured LDAP server using a search-bind or simple-bind flow.
- A user attribute lookup (typically
uidoruserPrincipalName). - A group lookup that maps memberships to MinIO policy names.
AssumeRoleWithLDAPIdentity is the STS endpoint that wraps it. Sample env vars: MINIO_IDENTITY_LDAP_SERVER_ADDR, MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER, MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER.
The console can also log a user in via LDAP and persist a console JWT (see cmd/jwt.go).
OpenID Connect
internal/config/identity/openid/ supports any OIDC provider (Auth0, Okta, Keycloak, AzureAD, Cognito, ...). It does:
- Discovery via the issuer URL.
- ID-token validation (signature, audience, expiry).
- Claim → policy mapping. The default claim is
policy; can be overridden. - Multiple providers configured at once with distinct prefixes.
AssumeRoleWithWebIdentity is the STS endpoint.
Certificate / mTLS
internal/config/identity/tls/ accepts client certificates issued by configured CAs and turns them into STS credentials. Used in zero-trust deployments where workloads already have SPIFFE-style identities.
AssumeRoleWithCertificate is the STS endpoint.
Plugin
internal/config/identity/plugin/ lets an operator wire in an HTTP webhook that authenticates a custom token. The webhook returns a policy name; MinIO issues STS credentials. Useful for proprietary auth schemes.
AssumeRoleWithCustomToken is the STS endpoint.
Local IAM
For users created via mc admin user add, the path is simpler:
cmd/auth-handler.govalidates the SigV4 signature using the secret key fromcmd/iam-store.go.- The user's effective policy is the union of attached policies + group policies.
- Service accounts add an inline policy that further restricts the parent.
Policy
pkg/v3/policy (out of tree) is the IAM-policy AST. cmd/iam.go.IsAllowed walks the AST against the request's Args.
Bucket policies (cmd/bucket-policy.go) layer on top: they grant access to a bucket from any account; the AND of bucket policy and IAM policy must allow the action.
Configuration
| Subsystem | Config dir | Sample env var |
|---|---|---|
| LDAP | internal/config/identity/ldap/ |
MINIO_IDENTITY_LDAP_SERVER_ADDR |
| OpenID | internal/config/identity/openid/ |
MINIO_IDENTITY_OPENID_CONFIG_URL |
| mTLS | internal/config/identity/tls/ |
MINIO_IDENTITY_TLS_CERT_DIR |
| Plugin | internal/config/identity/plugin/ |
MINIO_IDENTITY_PLUGIN_URL |
Test entry points
make test-iam— Go testsTestIAM*cover LDAP/OIDC mapping with etcd backends.make test-iam-import-with-openid— config import with OpenID.make test-site-replication-{ldap,oidc,minio}— multi-site IAM consistency.
Where to start reading
cmd/sts-handlers.gocmd/iam.go,cmd/iam-store.gointernal/config/identity/<x>/cmd/admin-handlers-idp-{ldap,openid,config}.go
See IAM and STS for the runtime view.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.