Configuration
Also see the usage documentation.
Environment variables
Required variables without a default value must be manually configured.
Variable | Description | Required | Default |
---|---|---|---|
MINIO_MANAGER_CLUSTER_NAME | The name of the cluster, used to query the secret backend | Yes | |
MINIO_MANAGER_S3_ENDPOINT ¹ | What host:port to use as MinIO/S3 endpoint | Yes | |
MINIO_MANAGER_S3_ENDPOINT_SECURE | Whether to use HTTPS for the endpoint | Yes | True |
MINIO_MANAGER_MINIO_CONTROLLER_USER | The name of the entry in the secret backend for the controller user | Yes | |
MINIO_MANAGER_SECRET_BACKEND_TYPE ² | What secret backend to use | Yes | |
MINIO_MANAGER_SECRET_BACKEND_S3_BUCKET | The name of the bucket where the secret backend is kept | Yes | minio-manager-secrets |
MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY | The access key to the S3 bucket where the secret database is stored | Yes | |
MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY | The secret key to the S3 bucket where the secret database is stored | Yes | |
MINIO_MANAGER_KEEPASS_PASSWORD | KeePass database password | With KeePass | |
MINIO_MANAGER_SECRET_BACKEND_PATH | Path to the KeePass database in S3, or the local YAML secret backend for testing | Yes | secrets.kdbx |
MINIO_MANAGER_CLUSTER_RESOURCES_FILE | The YAML file with the MinIO resource configuration (buckets, policies, etc.) | Yes | resources.yaml |
MINIO_MANAGER_LOG_LEVEL ³ | The log level of the application. | No | INFO |
MINIO_MANAGER_DEFAULT_BUCKET_VERSIONING | Whether to globally enable (`Enabled`) or suspend (`Suspended`) bucket versioning | Yes | Suspended |
MINIO_MANAGER_DEFAULT_LIFECYCLE_POLICY_FILE | What lifecycle policy (in `mc ilm export` format) to attach to all buckets by default | No | |
MINIO_MANAGER_AUTO_CREATE_SERVICE_ACCOUNT | Whether to automatically create service accounts with a generated access policy | No | True |
MINIO_MANAGER_SERVICE_ACCOUNT_POLICY_BASE_FILE ⁴ | What policy to use as a base for a service account when automatically generated | No | service-account-policy-base.json |
MINIO_MANAGER_ALLOWED_BUCKET_PREFIXES | Comma-separated list of prefixes of bucket names this controller user is allowed to manage | No | "" |
- ¹ Only specify the host and port as per the example `.env`, without `https://` or trailing slashes
- ² Currently only KeePass is supported
- ³ Possible values are `INFO` or `DEBUG`
- ⁴ Defaults to `service-account-policy-base.json`. MUST contain `BUCKET_NAME_REPLACE_ME` in the resources to work
Examples
config.env
```sh
# Required
MINIO_MANAGER_CLUSTER_NAME=local-test
MINIO_MANAGER_S3_ENDPOINT="localhost:9000"
MINIO_MANAGER_MINIO_CONTROLLER_USER=local-test-controller
MINIO_MANAGER_SECRET_BACKEND_TYPE=yaml
MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY=minioadmin
MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY="minioadmin"
# Required for KeePass and YAML secret backends
MINIO_MANAGER_SECRET_BACKEND_PATH="secrets-insecure.yaml"
# Required for KeePass
MINIO_MANAGER_KEEPASS_PASSWORD="very-secure-much-wow"
# Optional
MINIO_MANAGER_CLUSTER_RESOURCES_FILE=examples/my_group/resources.yaml
MINIO_MANAGER_S3_ENDPOINT_SECURE=False
MINIO_MANAGER_SECRET_BACKEND_S3_BUCKET=minio-manager-secrets
MINIO_MANAGER_LOG_LEVEL=DEBUG
MINIO_MANAGER_DEFAULT_BUCKET_VERSIONING=Enabled
MINIO_MANAGER_DEFAULT_LIFECYCLE_POLICY=examples/my_group/lifecycle_policies/my_lifecycle.json
MINIO_MANAGER_AUTO_CREATE_SERVICE_ACCOUNT=True
#MINIO_MANAGER_SERVICE_ACCOUNT_POLICY_BASE_FILE=examples/my_service_account_policy.json
MINIO_MANAGER_ALLOWED_BUCKET_PREFIXES=local-test-,local-dev-
```
Service account policy base file
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:*Object",
        "s3:*ObjectTagging",
        "s3:GetObjectVersion",
        "s3:*ObjectVersionTagging",
        "s3:*BucketNotification"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME_REPLACE_ME",
        "arn:aws:s3:::BUCKET_NAME_REPLACE_ME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:*Object"
      ],
      "Resource": [
        "arn:aws:s3:::access-always-needed",
        "arn:aws:s3:::access-always-needed/*"
      ]
    }
  ]
}
```
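A pre-flight check for a base file like the one above, as an added example (not minio-manager's own code): it substitutes `BUCKET_NAME_REPLACE_ME` for one bucket, rejects a base file that lacks the placeholder, and lists the resources that every generated service account would receive. The function names, and treating an empty prefix list as "no restriction", are assumptions.

```python
import json

PLACEHOLDER = "BUCKET_NAME_REPLACE_ME"

# Constructed sample input: the base policy from this page, compacted.
BASE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:*Object", "s3:*ObjectTagging",
                "s3:GetObjectVersion", "s3:*ObjectVersionTagging",
                "s3:*BucketNotification"],
     "Resource": [f"arn:aws:s3:::{PLACEHOLDER}", f"arn:aws:s3:::{PLACEHOLDER}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:*Object"],
     "Resource": ["arn:aws:s3:::access-always-needed",
                  "arn:aws:s3:::access-always-needed/*"]},
]})


def _as_list(value):
    # IAM-style policies allow "Resource" to be a string or a list.
    return [value] if isinstance(value, str) else list(value)


def parse_prefixes(raw):
    """Split a comma-separated prefix setting, dropping empty entries."""
    return [p.strip() for p in raw.split(",") if p.strip()]


def shared_resources(base_json):
    """Resources without the placeholder: granted to every generated account."""
    policy = json.loads(base_json)
    return [r for s in policy["Statement"] for r in _as_list(s["Resource"])
            if PLACEHOLDER not in r]


def render_policy(base_json, bucket, allowed_prefixes):
    """Return the policy scoped to `bucket`; raise ValueError on bad input."""
    # Assumption: an empty prefix list means no prefix restriction.
    if allowed_prefixes and not bucket.startswith(tuple(allowed_prefixes)):
        raise ValueError(f"bucket {bucket!r} is outside the allowed prefixes")
    policy = json.loads(base_json)
    found = False
    for stmt in policy["Statement"]:
        resources = _as_list(stmt["Resource"])
        found = found or any(PLACEHOLDER in r for r in resources)
        stmt["Resource"] = [r.replace(PLACEHOLDER, bucket) for r in resources]
    if not found:
        raise ValueError(f"base policy has no {PLACEHOLDER} in any Resource")
    return policy
```

Reviewing the output of `shared_resources` before rollout shows which buckets, such as `access-always-needed` here, are reachable from every automatically created service account.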