minio-keycloak
MinIO (S3) with Keycloak for authentication & authorization
Configure .env
Create a .env file with the following values:
KEYCLOAK_ADMIN_LOGIN= # Keycloak admin user
KEYCLOAK_ADMIN_PASSWORD= # Keycloak admin user password
MINIO_ROOT_USER= # MinIO root user
MINIO_ROOT_PASSWORD= # MinIO root user password
MINIO_SERVER_URL=http://172.17.0.1:9000 # URL of the MinIO server
MINIO_BROWSER_REDIRECT_URL=http://172.17.0.1:9001 # URL of the MinIO console
MINIO_IDENTITY_OPENID_CONFIG_URL=https://172.17.0.1:8443/auth/realms/master/.well-known/openid-configuration # Keycloak URL
MINIO_IDENTITY_OPENID_CLIENT_ID=minio # Keycloak client
MINIO_IDENTITY_OPENID_CLIENT_SECRET= # Keycloak client secret (see the Configure Keycloak Realm section)
Certificates
If you plan to run this Keycloak/MinIO setup on a remote machine, edit the following openssl command in setup_certs.sh so that the generated certificate is valid for that address as well:
openssl x509 -req -extfile <(printf "subjectAltName=IP:127.0.0.1,IP:172.17.0.1,IP:HERE.YOUR.IP") -in certs/keycloak/keycloak.csr ...
Run the setup_certs.sh script to generate the Keycloak certificates:
bash setup_certs.sh
Configure Keycloak Realm
Launch Keycloak (docker-compose up -d keycloak) and go to the admin console: localhost:8443. Log in with the credentials from the .env.
- Go to Clients
  - Click on Create
  - Put Client ID: minio
  - Save
- Go to Clients
  - Click on minio
  - Settings
  - Change Access Type to confidential
  - Set Service Accounts Enabled to On
  - Set Valid Redirect URIs to * (a wildcard accepts any redirect target; restrict it to the MinIO console callback URL once the setup works)
  - Expand Advanced Settings and set Access Token Lifespan to 1 Hours
  - Save
  - Click on the Credentials tab
  - Copy the Secret to the clipboard. This value is needed for MINIO_IDENTITY_OPENID_CLIENT_SECRET for MinIO.
- Go to Users
  - Click on the user
  - Attributes: add a new attribute with Key policy and Value set to the name of the policy on MinIO (ex: readwrite)
  - Add and Save
- Go to Clients
  - Click on minio
  - Mappers
  - Create: Name with any text, Mapper Type is User Attribute, User Attribute is policy, Token Claim Name is policy, Claim JSON Type is string
  - Save
- Go to Clients
  - Click on minio
  - Mappers
  - Create: Name with any text, Mapper Type is Audience, Included Client Audience is security-admin-console
  - Save
- Go to Clients
  - Click on minio
  - Service Account Roles
  - Add admin to assigned roles
- Go to Roles
  - Add new Role admin with Description ${role_admin}
  - Add this Role into the composite role named default-roles-master. This role is automatically trusted in the 'Service Accounts' tab.
- Check that the minio client_id has the role 'admin' assigned in the "Service Account Roles" tab.
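To confirm that the client and mappers above produce a token MinIO can use, the following added script (not part of this repository) inspects the claims of a Keycloak access token: it checks that the policy claim from the User Attribute mapper is present as a string, that the Audience mapper's security-admin-console value appears in aud, and that the lifespan matches the 1 Hours Access Token Lifespan. The token it decodes is a constructed, unsigned sample; paste a real access token into decode_claims to check a live setup.

```python
import base64
import json

# Values this README configures in Keycloak (taken from the steps above).
EXPECTED_AUDIENCE = "security-admin-console"  # Included Client Audience of the Audience mapper
MAX_LIFESPAN_SECONDS = 3600                   # Access Token Lifespan = 1 Hours

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature;
    MinIO verifies it against the JWKS at the openid-configuration URL."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_minio_claims(claims: dict, now: int) -> list:
    """Return a list of problems; an empty list means the claims match the
    Keycloak configuration described in this README."""
    problems = []
    policy = claims.get("policy")
    if not isinstance(policy, str) or not policy:
        problems.append("missing or non-string 'policy' claim")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # a single audience may be emitted as a string
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"audience does not include {EXPECTED_AUDIENCE}")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("missing 'iat' or 'exp' claim")
    else:
        if exp <= now:
            problems.append("token expired")
        if exp - iat > MAX_LIFESPAN_SECONDS:
            problems.append("lifespan exceeds the configured 1 hour")
    return problems

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    sample = make_unsigned_token({"policy": "readwrite", "aud": "security-admin-console",
                                  "iat": 1_700_000_000, "exp": 1_700_003_600})
    print(check_minio_claims(decode_claims(sample), 1_700_000_100))  # []
```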
Launch MinIO
Launch MinIO (docker-compose up -d). Go to the MinIO console home page: http://172.17.0.1:9001. Click on Login with SSO. You will be redirected to Keycloak to log in. Once you log in you will be redirected back to MinIO.