Configuration¶
Also see the usage documentation.
Environment variables¶
Required variables without a default value must be manually configured.
| Variable | Description | Required | Default |
|---|---|---|---|
MINIO_MANAGER_CLUSTER_NAME |
The name of the cluster, used to query the secret backend | Yes | |
MINIO_MANAGER_S3_ENDPOINT¹ |
What host:port to use as MinIO/S3 endpoint | Yes | |
MINIO_MANAGER_S3_ENDPOINT_SECURE |
Whether to use HTTPS for the endpoint | Yes | True |
MINIO_MANAGER_MINIO_CONTROLLER_USER |
The name of the entry in the secret backend for the controller user | Yes | |
MINIO_MANAGER_SECRET_BACKEND_TYPE² |
What secret backend to use | Yes | |
MINIO_MANAGER_SECRET_BACKEND_S3_BUCKET |
The name of the bucket where the secret backend is kept | Yes | minio-manager-secrets |
MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY |
The access key to the S3 bucket where the secret database is stored | Yes | |
MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY |
The secret key to the S3 bucket where the secret database is stored | Yes | |
MINIO_MANAGER_KEEPASS_PASSWORD |
Keepass database password | With Keepass | |
MINIO_MANAGER_KEEPASS_FILENAME |
The name of the database file in the S3 bucket | Yes | secrets.kdbx |
MINIO_MANAGER_CLUSTER_RESOURCES_FILE |
The YAML file with the MinIO resource configuration (buckets, policies, etc.) | Yes | resources.yaml |
MINIO_MANAGER_LOG_LEVEL³ |
The log level of the application. | No | INFO |
MINIO_MANAGER_DEFAULT_BUCKET_VERSIONING |
Whether to globally enable (Enabled) or suspend (Suspended) bucket versioning |
Yes | Suspended |
MINIO_MANAGER_DEFAULT_LIFECYCLE_POLICY_FILE |
What lifecycle policy (in mc ilm export format) to attach to all buckets by default |
No | |
MINIO_MANAGER_AUTO_CREATE_SERVICE_ACCOUNT |
Whether to automatically create service accounts with a generated access policy | No | True |
MINIO_MANAGER_SERVICE_ACCOUNT_POLICY_BASE_FILE⁴ |
What policy to use as a base for a service account when automatically generated | No | service-account-policy-base.json |
MINIO_MANAGER_ALLOWED_BUCKET_PREFIXES |
Comma-separated list of prefixes of bucket names this controller user is allowed to manage | No | "" |
- Only specify the host and port as per the example
.env, withouthttps://or trailing slashes - Currently only Keepass is supported
- Possible values are
INFOorDEBUG - Defaults to
service-account-policy-base.json. MUST containBUCKET_NAME_REPLACE_MEin the resources to work
Examples¶
config.env¶
# Required
export MINIO_MANAGER_CLUSTER_NAME=local-test
export MINIO_MANAGER_S3_ENDPOINT=127.0.0.1:9000
export MINIO_MANAGER_MINIO_CONTROLLER_USER=minioadmin
export MINIO_MANAGER_SECRET_BACKEND_TYPE=keepass
export MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY=minioadmin
export MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY="minioadmin"
# Required for Keepass
export MINIO_MANAGER_KEEPASS_PASSWORD="very-secure-much-wow"
# Optional
export MINIO_MANAGER_CLUSTER_RESOURCES_FILE=resources.yaml
export MINIO_MANAGER_S3_ENDPOINT_SECURE=False
export MINIO_MANAGER_SECRET_BACKEND_S3_BUCKET=minio-manager-secrets
export MINIO_MANAGER_KEEPASS_FILE=secrets.kdbx
export MINIO_MANAGER_LOG_LEVEL=INFO
export MINIO_MANAGER_DEFAULT_BUCKET_VERSIONING=Enabled
export MINIO_MANAGER_DEFAULT_LIFECYCLE_POLICY=lifecycle_policies/my_lifecycle.json
export MINIO_MANAGER_AUTO_CREATE_SERVICE_ACCOUNT=True
export MINIO_MANAGER_SERVICE_ACCOUNT_POLICY_BASE_FILE=my_service_account_policy.json
export MINIO_MANAGER_ALLOWED_BUCKET_PREFIXES=infra-test-,infra-dev-
Service account policy base file¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:*Object",
"s3:*ObjectTagging",
"s3:GetObjectVersion",
"s3:*ObjectVersionTagging",
"s3:*BucketNotification"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME_REPLACE_ME",
"arn:aws:s3:::BUCKET_NAME_REPLACE_ME/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:*Object"
],
"Resource": [
"arn:aws:s3:::access-always-needed",
"arn:aws:s3:::access-always-needed/*"
]
}
]
}