Min.io dynamic policy for bucket subpath

I have a Min.io instance correctly configured and running in a docker container environment. It is fully integrated with an external OpenID provider (a Keycloak container) to manage SSO logins and registrations.

The Min.io instance has two separate buckets with the following structure:

- bucket "bucket1"
  - folder "function3"
  - folder "users"
      - folder "user1"
      - folder "user2"
- bucket "bucket2"
  - folder "function1"
  - folder "function2"

I want to implement a new policy to control access to the buckets, specifically:

Every user can only read the contents of bucket bucket2
Every user, denoted as $user, can read and write on the bucket1/function3/users/$user and eventually just read everywhere else (e.g. user1 can read and write on bucket1/function3/users/user1 but cannot write -possibly also cannot read but it's not required- on bucket1/function3/users/user2)

So far, I've tried the following approach

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket1/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket1/function3/users/${aws:username}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket2/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket2"
    }
  ]
}

but it doesn't fully fit. Infact:

Every user can correctly only read the contents of bucket bucket2 ✅
The specific user (e.g. user1) cannot even read bucket1 or its content (included the subfolder bucket1/function3/users/user1) ❌

As a temporary workaround solution, I’ve created a dedicated policy rule for each user to grant access to the necessary subpath statically. Is there a way to create a single dynamic policy that can apply to all users for this purpose?

Solution

It understands that the problem was on the parameter ${aws:username} . Infact this parameter is referring to the supported S3 policy keys (see the Min.io documentation for further details).

Since the solution here is including an external OpenID connection (e.g. KeyCloak) we should use one of the supported policy variables for use in authorizing OIDC-managed users. The list of supported variable can be find here.

Finally, the working solution is obtained substituting the parameter ${aws:username} with the parameter ${jwt:preferred_username} (the field inside the token that Min.io could read from KeyCloak). The right policy is the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket1/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket1/function3/users/${jwt:preferred_username}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::bucket2/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket2"
    }
  ]
}