# MinIO Keycloak Integration Guide

Complete guide for integrating MinIO with Keycloak for SSO authentication.

## 🎯 Overview

MinIO supports OpenID Connect (OIDC) authentication, allowing users to log in to the MinIO Console with Keycloak credentials. This integration provides:

- **Single Sign-On (SSO)** - Users authenticate once with Keycloak
- **Centralized User Management** - Manage users in Keycloak
- **Role-Based Access Control** - Map Keycloak roles to MinIO policies
- **Secure Authentication** - OAuth 2.0 / OpenID Connect flow

## 📋 Prerequisites

- Keycloak instance running and accessible
- MinIO instance running
- Admin access to both Keycloak and MinIO

## 🔧 Setup Steps

### **Step 1: Create MinIO Client in Keycloak**

1. **Log in to the Keycloak Admin Console**
   ```
   https://ai.sriphat.com/keycloak
   ```
2. **Select Realm**
   - Go to your realm (e.g., `sriphat`)
3. **Create Client**
   - Navigate to: **Clients** → **Create Client**
   - **Client ID**: `minio`
   - **Client Type**: `OpenID Connect`
   - **Client Protocol**: `openid-connect`
   - Click **Next**
4. **Capability Config**
   - **Client authentication**: `ON`
   - **Authorization**: `OFF`
   - **Authentication flow**:
     - ✅ Standard flow
     - ✅ Direct access grants
     - ❌ Implicit flow
     - ❌ Service accounts roles
   - Click **Next**
5. **Login Settings**
   - **Root URL**: `https://ai.sriphat.com/minio-console`
   - **Home URL**: `https://ai.sriphat.com/minio-console`
   - **Valid redirect URIs**:
     ```
     https://ai.sriphat.com/minio-console/*
     https://ai.sriphat.com/minio-console/oauth_callback
     ```
   - **Valid post logout redirect URIs**: `https://ai.sriphat.com/minio-console`
   - **Web origins**: `https://ai.sriphat.com`
   - Click **Save**
6. **Get Client Secret**
   - Go to the **Credentials** tab
   - Copy the **Client Secret**
   - Save this for the `.env` configuration

### **Step 2: Create Client Scope for MinIO Policy**

1. **Create Client Scope**
   - Navigate to: **Client Scopes** → **Create client scope**
   - **Name**: `minio-authorization`
   - **Type**: `Optional`
   - **Protocol**: `OpenID Connect`
   - **Display on consent screen**: `OFF`
   - Click **Save**
2. **Add Mapper for Policy Claim**
   - Go to the **Mappers** tab
   - Click **Add mapper** → **By configuration**
   - Select **User Attribute**
   - **Name**: `minio-policy`
   - **User Attribute**: `minio_policy`
   - **Token Claim Name**: `policy`
   - **Claim JSON Type**: `String`
   - **Add to ID token**: `ON`
   - **Add to access token**: `ON`
   - **Add to userinfo**: `ON`
   - Click **Save**
3. **Assign Scope to MinIO Client**
   - Go to **Clients** → `minio`
   - Go to the **Client scopes** tab
   - Click **Add client scope**
   - Select `minio-authorization`
   - Choose **Optional**
   - Click **Add**

### **Step 3: Create MinIO Policies in Keycloak**

MinIO uses policies to control access. Common policies:

- `consoleAdmin` - Full admin access
- `readonly` - Read-only access
- `readwrite` - Read and write access
- `diagnostics` - Diagnostics access

**Add Policy to Users:**

1. **Go to Users**
   - Navigate to: **Users** → Select user
2. **Add Attribute**
   - Go to the **Attributes** tab
   - Click **Add attribute**
   - **Key**: `minio_policy`
   - **Value**: `consoleAdmin` (or another policy)
   - Click **Save**

### **Step 4: Configure MinIO Environment Variables**

Update `07-minio/.env`:

```bash
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret-from-step-1
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
```

### **Step 5: Restart MinIO**

```bash
cd 07-minio
docker compose down
docker compose up -d
```

### **Step 6: Test Authentication**

1. **Access MinIO Console**
   ```
   https://ai.sriphat.com/minio-console
   ```
2. **Click "Login with SSO"**
   - You'll be redirected to Keycloak
   - Log in with your Keycloak credentials
   - After successful authentication, you'll be redirected back to the MinIO Console

## 🔐 MinIO Policies

### **Default Policies**

MinIO comes with built-in policies:

| Policy | Description |
|--------|-------------|
| `consoleAdmin` | Full admin access to console and buckets |
| `readonly` | Read-only access to buckets |
| `readwrite` | Read and write access to buckets |
| `diagnostics` | Access to diagnostics and monitoring |
| `writeonly` | Write-only access (upload only) |

### **Custom Policies**

Create custom policies in the MinIO Console or via the `mc` CLI:

```bash
# Install mc (MinIO Client)
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/

# Configure mc
mc alias set myminio https://ai.sriphat.com/minio minioadmin minioadmin_secure_password_2026

# Create custom policy
cat > custom-policy.json <
```
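The places where this integration usually breaks are the links between steps: the `minio-authorization` scope from Step 2 must be requested in `MINIO_IDENTITY_OPENID_SCOPES`, the mapper's token claim name must match `MINIO_IDENTITY_OPENID_CLAIM_NAME`, and the redirect URI in `.env` must be covered by the client's valid redirect URIs from Step 1. The following pre-flight script is an added example, not part of this guide or of MinIO or Keycloak. It assumes the hostnames, client ID, claim name and redirect URIs exactly as given above, embeds a copy of the Step 4 `.env` fragment, and builds a demo token locally with a dummy signature so it runs offline; the `make_demo_token`, `check_env` and `inspect_policy_claim` names are this example's own. MinIO verifies real token signatures against the realm JWKS; the decoder here only unpacks the payload so you can see what claim MinIO will read.

```python
"""Pre-flight checks for the MinIO <-> Keycloak OIDC wiring (added example, not from the guide).

check_env()            - the .env values from Step 4 agree with the Keycloak client from Step 1
inspect_policy_claim() - a token carries the claim the Step 2 mapper emits, naming real MinIO policies
MinIO itself verifies signatures against the realm JWKS; decode_claims() only unpacks the
payload for inspection and must never be used as an authentication check.
"""
import base64
import fnmatch
import json

# Built-in MinIO policy names listed in the guide.
KNOWN_POLICIES = {"consoleAdmin", "readonly", "readwrite", "diagnostics", "writeonly"}
# Valid redirect URIs registered on the Keycloak client in Step 1.
VALID_REDIRECT_URIS = ["https://ai.sriphat.com/minio-console/*",
                       "https://ai.sriphat.com/minio-console/oauth_callback"]
# The .env fragment from Step 4 (constructed copy; the secret is still the placeholder).
SAMPLE_ENV = """
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret-from-step-1
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def check_env(text, redirect_patterns=VALID_REDIRECT_URIS):
    """Return the inconsistencies found in the MinIO OIDC settings (empty list means OK)."""
    env, problems = parse_env(text), []
    if not env.get("MINIO_IDENTITY_OPENID_CONFIG_URL", "").endswith("/.well-known/openid-configuration"):
        problems.append("CONFIG_URL must point at the realm's discovery document")
    secret = env.get("MINIO_IDENTITY_OPENID_CLIENT_SECRET", "")
    if not secret or "your-client-secret" in secret:
        problems.append("CLIENT_SECRET is empty or still the placeholder")
    scopes = set(env.get("MINIO_IDENTITY_OPENID_SCOPES", "").split(","))
    if "openid" not in scopes:
        problems.append("SCOPES must include openid")
    if "minio-authorization" not in scopes:  # optional scope: the claim is only issued when requested
        problems.append("SCOPES must request minio-authorization")
    if not env.get("MINIO_IDENTITY_OPENID_CLAIM_NAME"):
        problems.append("CLAIM_NAME is unset")
    redirect = env.get("MINIO_IDENTITY_OPENID_REDIRECT_URI", "")
    if not any(fnmatch.fnmatchcase(redirect, p) for p in redirect_patterns):
        problems.append("REDIRECT_URI is not covered by the client's valid redirect URIs")
    return problems


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Unpack the payload of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_policy_claim(token, now, claim_name="policy", client_id="minio"):
    """Return (policies, problems) for the policy claim MinIO will read from this token."""
    claims, problems = decode_claims(token), []
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"aud does not include {client_id}")
    raw = claims.get(claim_name)
    if raw is None:
        problems.append(f"claim {claim_name!r} missing: check the mapper and the requested scopes")
        return [], problems
    # MinIO reads one policy name, or several as a comma-separated string or a JSON array.
    policies = list(raw) if isinstance(raw, list) else [p.strip() for p in str(raw).split(",")]
    unknown = [p for p in policies if p not in KNOWN_POLICIES]
    if unknown:
        problems.append(f"claim names policies MinIO does not define by default: {unknown}")
    return policies, problems


def make_demo_token(claims):
    """Build a compact JWT with a dummy signature, for offline demonstration only (constructed)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{enc('not-a-real-signature')}"


if __name__ == "__main__":
    print("env problems:", check_env(SAMPLE_ENV))
    token = make_demo_token({"aud": "minio", "exp": 2_000_000_000, "policy": "readwrite,diagnostics"})
    print("token:", inspect_policy_claim(token, now=1_700_000_000))
```

Run it against the real `07-minio/.env` by passing the file's contents to `check_env`, and against a real ID token by pasting it into `inspect_policy_claim` with `now=time.time()`: an empty problem list plus a recognised policy name is what a working login from Step 6 looks like, and "claim 'policy' missing" almost always means the scope was not requested or the user has no `minio_policy` attribute.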