Create service account for user in tenant #1358
Comments
|
could you elaborate? we can create users when the tenant is created initially, so not sure I follow where do you need the SA's |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions. |
|
Once the tenant is created, a user may open the minio console in the browser. Could you explain more about what you are suggesting? |
|
I means could we create |
|
Access keys are linked to users. If the tenant were to be directly linked to an access key then we would have to use the admin credentials. This is currently possible using the Tenant Console UI path User > Access Key > Create access key - after the tenant has been created. Is this functionality what you wish to be part of the tenant CRD? If so, we will discuss internally. Feel free to expand on your previous comment. |
|
I came across this issue while looking for a way to replicate the 'create user' and 'create service account' functionality of the vanilla helm chart in the tenant chart. Our use case is that we have many apps which use Minio, nearly all have differing ways of configuring it though. To make our lives easier, we switched from using each apps built-in Minio deployment method to the operator + tenant charts. This allows us to have a standardized way to create all our Minio tenants. Each tenant receives an admin user by default, but we would also like to create additional users and service-accounts within some of the tenants for security purposes. We would like to do this via a declarative setup using helm and avoid manually using This was possible in the vanilla chart like so: ## List of users to be created after minio install
##
users:
## Username, password and policy to be assigned to the user
## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management
## NOTE: this will fail if LDAP is enabled in your MinIO deployment
## make sure to disable this if you are using LDAP.
- accessKey: console
secretKey: console123
policy: consoleAdmin
# Or you can refer to specific secret
#- accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# policy: readonly
## List of service accounts to be created after minio install
##
svcaccts: []
## accessKey, secretKey and parent user to be assigned to the service accounts
## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
# - accessKey: console-svcacct
# secretKey: console123
# user: console
## Or you can refer to specific secret
# - accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# user: console
## You also can pass custom policy
# - accessKey: console-svcacct
# secretKey: console123
# user: console
# policy:
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:AbortMultipartUpload"
# - "s3:GetObject"
# - "s3:DeleteObject"
# - "s3:PutObject"
# - "s3:ListMultipartUploadParts"
Perhaps I am just missing some context, but it does not seem like the option to create these additional users + service-acounts exists within the new tenant chart at all. Any help would be appreciated - Cheers! |
|
This is currently being worked onWe are working on a declarative approach to minio configuration through custom resources. We will update when there is something to announce. |
|
Duplicate of #1100 |
Is your feature request related to a problem? Please describe.
As describe in minio document:
Tenant can not create service account for a user.
Describe the solution you'd like
Add field in tenant for create service account for a user.
The text was updated successfully, but these errors were encountered: