
MinIO STS

In this example, we will set up a MinIO Gateway S3 with STS (Security Token Service) using Docker Compose: Keycloak issues the identity tokens, and MinIO exchanges them for temporary S3 credentials. Note that MinIO deprecated gateway mode in 2022 and later removed it from the server, so pin a MinIO image that still ships it.

Prerequisites

Docker and Docker Compose. On desktop systems like Docker Desktop for Mac and Windows, Docker Compose is included as part of the desktop install.

Services

MinIO Server - S3 Gateway

MinIO is a High Performance Object Storage released under Apache License v2.0. It is API compatible with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics and application data workloads.

Etcd

etcd is a distributed key-value store designed to securely store data across a cluster. etcd is widely used in production on account of its reliability, fault-tolerance and ease of use. In this stack it is where the MinIO gateway persists its IAM state (users, policies and the STS credentials it issues), since a gateway has no local storage of its own to keep that in.

Keycloak

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.

Postgres - Keycloak Database

PostgreSQL is a powerful, open source object-relational database.

MinIO Console - Optional

A graphical user interface for MinIO.

Project setup

Environment variables

You need to set the following environment variables in a .env file next to the Compose file to use this Docker Compose. The values below are placeholders: replace them with your own credentials (the ROOT_USER/ROOT_PASSWORD pair is the access key and secret key of the backend S3 account the gateway fronts), and keep the .env file out of version control.

.env

MINIO_ACCESS_KEY=minio
MINIO_SECRET_KEY=minio123
MINIO_ROOT_USER=YOUR-AWS-ACCESS-KEY
MINIO_ROOT_PASSWORD=YOUR-AWS-SECRET-KEY

Docker Compose up

To run all the required services, execute the following command:

docker-compose up

MinIO Console is an optional service. To run the stack with it, execute the following command:

docker-compose --profile console up

Keycloak configuration

You need to make some changes to the Keycloak realm in order to use MinIO: the OIDC client has to issue tokens to the MinIO login, and those tokens have to carry a "policy" claim naming the MinIO policy to attach to the temporary credentials.

  • Navigate to the Keycloak UI: http://localhost:8080/auth/.
  • In the left menu, click on Clients.
    • Click on Edit for the account client.
    • Turn on Implicit Flow Enabled.
    • Add "*" to the Valid Redirect URIs field. A wildcard is only acceptable for this local lab: with the implicit flow the token is returned in the redirect, so outside the lab list the exact redirect URL of the MinIO Console instead, otherwise any site a user is redirected to can receive the token.
    • Click on Save.
  • Also in the account client, click on Mappers.
    • Click on Create.
    • Fill in the Name field with "policy".
    • Change the Mapper Type to "User Attribute".
    • Fill in the User Attribute field with "policy".
    • Fill in the Token Claim Name field with "policy".
    • Click on Save.
  • In the left menu, click on Users.
    • Click on View all users.
    • Click on Edit for user "admin".
    • Go to the Attributes tab.
    • Fill in the Key field with "policy" and the Value field with "readwrite".
    • Click on Add and then Save.

You should now be able to log in to MinIO through Keycloak. The value "readwrite" names one of MinIO's built-in policies (alongside readonly, writeonly and diagnostics); MinIO reads the "policy" claim from the token and scopes the temporary credentials it issues to that policy, so a user whose token lacks the claim is refused.

There's a lot more configuration that you can do. Please refer to the related links for more information.
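The exchange behind that login, as an added worked example that is not part of this page or of MinIO's or Keycloak's own code: Keycloak issues a JWT carrying the "policy" claim from the mapper above, the client posts it to MinIO's STS endpoint as an AssumeRoleWithWebIdentity call, and MinIO answers with temporary S3 credentials. The token and the XML response below are constructed samples so the code runs offline; only assume_role_with_web_identity() contacts a real MinIO, and its endpoint argument (for this stack normally http://localhost:9000) is an assumption.

```python
"""Keycloak token -> MinIO STS -> temporary S3 credentials (added example)."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Verifying against Keycloak's JWKS is MinIO's job at the STS endpoint;
    here we only inspect the claims before sending the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def policy_names(claims: dict, claim: str = "policy") -> list:
    """MinIO policy names carried by the token.

    The claim must be present (the Keycloak mapper supplies it) and may be a
    comma-separated string or a list of strings; a missing claim is the usual
    reason a login is rejected.
    """
    value = claims.get(claim)
    if value is None:
        raise ValueError(f"token has no '{claim}' claim; check the Keycloak mapper")
    if isinstance(value, str):
        value = value.split(",")
    names = [v.strip() for v in value if v.strip()]
    if not names:
        raise ValueError(f"'{claim}' claim is empty")
    return names


def build_sts_request(token: str, duration_seconds: int = 3600) -> str:
    """Form body of the AssumeRoleWithWebIdentity call MinIO expects."""
    policy_names(jwt_claims(token))  # fail locally rather than at MinIO
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "WebIdentityToken": token,
        "DurationSeconds": str(duration_seconds),
    })


def parse_sts_response(xml_text: str) -> dict:
    """Pull the temporary credentials out of the STS XML response."""
    root = ET.fromstring(xml_text)
    creds = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        node = creds.find(STS_NS + field)
        if node is None or not node.text:
            raise ValueError(f"STS response missing {field}")
        out[field] = node.text
    return out


def assume_role_with_web_identity(endpoint: str, token: str,
                                  duration_seconds: int = 3600) -> dict:
    """Run the exchange against a live MinIO (endpoint is an assumption)."""
    req = urllib.request.Request(
        endpoint,
        data=build_sts_request(token, duration_seconds).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return parse_sts_response(resp.read().decode())


def make_unsigned_token(claims: dict) -> str:
    """Constructed stand-in for a Keycloak token (alg=none, empty signature).

    Only for offline claim inspection; a real MinIO would reject it.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample of the XML MinIO returns on success (values are made up).
SAMPLE_STS_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <AssumedRoleUser><Arn></Arn><AssumeRoleId></AssumeRoleId></AssumedRoleUser>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <Expiration>2022-10-05T12:00:00Z</Expiration>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata><RequestId>constructed</RequestId></ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
"""

if __name__ == "__main__":
    tok = make_unsigned_token({"sub": "admin", "policy": "readwrite"})
    print("policies in token:", policy_names(jwt_claims(tok)))
    print("STS request body:", build_sts_request(tok)[:48], "...")
    print("parsed credentials:", parse_sts_response(SAMPLE_STS_RESPONSE))
```

The credentials returned carry an Expiration; a client should request a new token from Keycloak and repeat the exchange before that time rather than caching the secret key beyond it.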

Known issues

  • Keycloak takes a long time to start, and MinIO contacts Keycloak's OpenID discovery endpoint when it starts, so if MinIO comes up first the OpenID configuration fails to load. Restart the MinIO container once Keycloak is ready.

Last update: October 5, 2022