Set up

An admin user should be used for these steps.

Steps

  1. Create the bucket for the secret backend, minio-manager-secrets:

    mc mb $ALIAS/minio-manager-secrets

  2. Create a user (either in MinIO or your identity provider). For a MinIO user you can use:

    mc admin user add $ALIAS minio-manager

  3. Create a policy that gives read/write access to the secret backend bucket. You can use the example provided in the examples directory:

    mc admin policy create $ALIAS minio-manager examples/minio-manager-secrets-policy.json

  4. Attach the policy to the user.

    For MinIO:

    mc admin policy attach $ALIAS minio-manager --user=minio-manager

    For LDAP:

    mc idp ldap policy attach $ALIAS minio-manager --user='uid=minio-manager,cn=users,dc=your,dc=domain'

  5. Upload your secret backend (e.g. secrets.kdbx) to the bucket root.

  6. Create a MinIO service account/access key for this user, either with mc or via the web console, and note down the access and secret keys. With mc:

    mc admin user svcacct add $ALIAS minio-manager

  7. Copy .env.example to .env and set the following variables to the obtained keys:

    MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY
    MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY

  8. Configure the other variables in the .env file. Descriptions of each variable can be found in the Environment variables section.

  9. Each "bucket group" manager user must get its own policy. You can find an example in examples/bucket-group-user-policy.json:

    mc admin policy create $ALIAS infra-test-manager examples/bucket-group-user-policy.json
    mc idp ldap policy attach $ALIAS infra-test-manager --user='uid=infra-test-manager,cn=users,dc=your,dc=domain'

    You can then log in to the web console with this user to create an access key, exactly as done previously.
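The steps above, wrapped into a small POSIX shell script as an added example (this is not part of the minio-manager project). It assumes $ALIAS is an mc alias that is already configured for the cluster, that the controller user is a MinIO user rather than an LDAP one, and the inline policy JSON is my own least-privilege version scoped to the single secret-backend bucket, not the project's examples/minio-manager-secrets-policy.json. The two .env helpers run offline; only the setup function talks to a cluster.

```shell
#!/usr/bin/env sh
# Added example, not the minio-manager project's own code. Assumes ALIAS is an
# existing mc alias and the policy below is an assumed least-privilege policy.
set -eu

BUCKET="${BUCKET:-minio-manager-secrets}"
MM_USER="${MM_USER:-minio-manager}"
POLICY_NAME="${POLICY_NAME:-minio-manager}"

# Print a policy that only allows listing the given bucket and reading/writing its objects.
secrets_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$1"] },
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::$1/*"] }
  ]
}
EOF
}

# Set the two secret-backend credential variables in an env file, replacing any
# previous values and leaving every other line untouched; the file becomes owner-only.
write_backend_keys() {
  envfile="$1"; access="$2"; secret="$3"
  [ -f "$envfile" ] || : > "$envfile"
  grep -Ev '^MINIO_MANAGER_SECRET_BACKEND_S3_(ACCESS|SECRET)_KEY=' "$envfile" > "$envfile.tmp" || true
  printf 'MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY=%s\n' "$access" >> "$envfile.tmp"
  printf 'MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY=%s\n' "$secret" >> "$envfile.tmp"
  mv "$envfile.tmp" "$envfile"
  chmod 600 "$envfile"
}

# Return 0 only if both credential variables are present and non-empty.
check_backend_keys() {
  grep -Eq '^MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY=.+' "$1" &&
  grep -Eq '^MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY=.+' "$1"
}

# Steps 1-4 and 6 against a live cluster. mc prompts for the new user's secret key,
# and the last command prints the service-account keys to pass to write_backend_keys.
setup_secret_backend() {
  alias="$1"
  mc mb "$alias/$BUCKET"
  mc admin user add "$alias" "$MM_USER"
  secrets_policy_json "$BUCKET" > "$POLICY_NAME.json"
  mc admin policy create "$alias" "$POLICY_NAME" "$POLICY_NAME.json"
  mc admin policy attach "$alias" "$POLICY_NAME" --user="$MM_USER"
  mc admin user svcacct add "$alias" "$MM_USER"
}

# Only touch a cluster when invoked as "setup", so the helpers can be sourced and tested.
if [ "${1:-}" = "setup" ]; then
  setup_secret_backend "${ALIAS:?set ALIAS to your mc alias}"
fi
```

Run `ALIAS=myminio sh setup.sh setup`, then `write_backend_keys .env <access-key> <secret-key>` from a shell that has sourced the script; `check_backend_keys .env` is a cheap pre-flight check before starting the manager. The policy deliberately omits s3:DeleteObject and any wildcard resource, since the controller only needs to fetch and update the Keepass file.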

MinIO

At least two users are required in MinIO: one with access to a single bucket containing the secret backend, and one or more users to be used as "bucket group" managers. For each bucket created under a manager user, a service account (an access key in S3/MinIO terms) will be created.

Secret manager

This is the controller user, which is able to authenticate to the secret backend in order to retrieve the credentials of the service accounts.

Secret backend

We store our Keepass database inside a MinIO bucket. You can specify the name of this bucket by using the MINIO_MANAGER_SECRET_BACKEND_S3_BUCKET variable. The credentials for this bucket are also passed via variables: you have to specify the password of this database with MINIO_MANAGER_SECRET_BACKEND_S3_SECRET_KEY, so that the controller user specified in MINIO_MANAGER_SECRET_BACKEND_S3_ACCESS_KEY can access it.

We strongly suggest passing these variables via masked and/or protected variables.

Service Accounts

Also see Service Account Details.

Keepass

  • The Keepass database's root group must be named "Passwords".
  • You must have a group called "s3" and subgroups with the name of the MinIO cluster to be managed.
  • Entry names must be unique.
  • Entries are found by way of the title of the entry, the username is not considered when searching.

Configuration variables

See Configuration environment variables