# MinIO Keycloak Integration Guide

Complete guide for integrating MinIO with Keycloak for SSO authentication.
## 🎯 Overview

MinIO supports OpenID Connect (OIDC) authentication, allowing users to log in to the MinIO Console using Keycloak credentials. This integration provides:

- **Single Sign-On (SSO)** - Users authenticate once with Keycloak
- **Centralized User Management** - Manage users in Keycloak
- **Role-Based Access Control** - Map Keycloak roles to MinIO policies
- **Secure Authentication** - OAuth 2.0 / OpenID Connect flow
## 📋 Prerequisites

- Keycloak instance running and accessible
- MinIO instance running
- Admin access to both Keycloak and MinIO
## 🔧 Setup Steps

### Step 1: Create MinIO Client in Keycloak

1. **Login to Keycloak Admin Console**
   - https://ai.sriphat.com/keycloak
2. **Select Realm**
   - Go to your realm (e.g., `sriphat`)
3. **Create Client**
   - Navigate to: Clients → Create Client
   - Client ID: `minio`
   - Client Type: `OpenID Connect`
   - Client Protocol: `openid-connect`
   - Click Next
4. **Capability Config**
   - Client authentication: `ON`
   - Authorization: `OFF`
   - Authentication flow:
     - ✅ Standard flow
     - ✅ Direct access grants
     - ❌ Implicit flow
     - ❌ Service accounts roles
   - Click Next
5. **Login Settings**
   - Root URL: `https://ai.sriphat.com/minio-console`
   - Home URL: `https://ai.sriphat.com/minio-console`
   - Valid redirect URIs:
     - `https://ai.sriphat.com/minio-console/*`
     - `https://ai.sriphat.com/minio-console/oauth_callback`
   - Valid post logout redirect URIs: `https://ai.sriphat.com/minio-console`
   - Web origins: `https://ai.sriphat.com`
   - Click Save
6. **Get Client Secret**
   - Go to the Credentials tab
   - Copy the Client Secret
   - Save this for the `.env` configuration
### Step 2: Create Client Scope for MinIO Policy

1. **Create Client Scope**
   - Navigate to: Client Scopes → Create client scope
   - Name: `minio-authorization`
   - Type: `Optional`
   - Protocol: `OpenID Connect`
   - Display on consent screen: `OFF`
   - Click Save
2. **Add Mapper for Policy Claim**
   - Go to the Mappers tab
   - Click Add mapper → By configuration
   - Select User Attribute
   - Name: `minio-policy`
   - User Attribute: `minio_policy`
   - Token Claim Name: `policy`
   - Claim JSON Type: `String`
   - Add to ID token: `ON`
   - Add to access token: `ON`
   - Add to userinfo: `ON`
   - Click Save
3. **Assign Scope to MinIO Client**
   - Go to Clients → `minio`
   - Go to the Client scopes tab
   - Click Add client scope
   - Select `minio-authorization`
   - Choose Optional
   - Click Add
### Step 3: Create MinIO Policies in Keycloak

MinIO uses policies to control access. Common policies:

- `consoleAdmin` - Full admin access
- `readonly` - Read-only access
- `readwrite` - Read and write access
- `diagnostics` - Diagnostics access

**Add Policy to Users:**

1. **Go to Users**
   - Navigate to: Users → Select user
2. **Add Attribute**
   - Go to the Attributes tab
   - Click Add attribute
   - Key: `minio_policy`
   - Value: `consoleAdmin` (or other policy)
   - Click Save
### Step 4: Configure MinIO Environment Variables

Update `07-minio/.env`:

```env
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret-from-step-1
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
```
### Step 5: Restart MinIO

```bash
cd 07-minio
docker compose down
docker compose up -d
```
### Step 6: Test Authentication

1. **Access MinIO Console**
   - https://ai.sriphat.com/minio-console
2. **Click "Login with SSO"**
   - You'll be redirected to Keycloak
   - Login with Keycloak credentials
   - After successful authentication, you'll be redirected back to MinIO Console
## 🔐 MinIO Policies

### Default Policies

MinIO comes with built-in policies:

| Policy | Description |
|---|---|
| `consoleAdmin` | Full admin access to console and buckets |
| `readonly` | Read-only access to buckets |
| `readwrite` | Read and write access to buckets |
| `diagnostics` | Access to diagnostics and monitoring |
| `writeonly` | Write-only access (upload only) |
### Custom Policies

Create custom policies in MinIO Console or via the `mc` CLI:

```bash
# Install mc (MinIO Client)
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/

# Configure mc
mc alias set myminio https://ai.sriphat.com/minio minioadmin minioadmin_secure_password_2026

# Create custom policy
cat > custom-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
EOF

# Add policy to MinIO
mc admin policy create myminio custom-policy custom-policy.json
```
## 🔄 Policy Mapping Flow

```text
User logs in with Keycloak
        ↓
Keycloak returns ID token with 'policy' claim
        ↓
MinIO reads 'policy' claim value (e.g., "consoleAdmin")
        ↓
MinIO applies corresponding policy to user session
        ↓
User has permissions defined by the policy
```
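The flow above hinges on two checks that are easy to get wrong in practice: the claim is only trustworthy after the token signature has been verified, and the claim value must name a MinIO policy exactly (the "User has no permissions after login" case in the troubleshooting section is usually a case mismatch or a missing `minio_policy` attribute). The following is an added example, not MinIO's or Keycloak's code: it models that lookup in plain Python. Assumptions: the token is a constructed HS256 JWT signed with `DEMO_KEY` (real Keycloak ID tokens are RS256-signed with the realm key pair; HS256 keeps the example offline), the policy set is the list from this guide, and `resolve_policy` is a hypothetical name, not a MinIO API.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Built-in MinIO policy names listed in this guide. MinIO matches the claim
# value against policy names exactly and case-sensitively.
MINIO_POLICIES = {"consoleAdmin", "readonly", "readwrite", "diagnostics", "writeonly"}

# Constructed signing key for the demo only (not a real Keycloak secret).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT standing in for a Keycloak ID token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verified_claims(token: str, key: bytes) -> Optional[dict]:
    """Return the token payload only after the signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the expected algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


def resolve_policy(token: str, key: bytes, claim_name: str = "policy") -> Optional[str]:
    """Mirror the mapping flow: read the claim named by
    MINIO_IDENTITY_OPENID_CLAIM_NAME from a verified token and accept it only
    if it names a known policy exactly. Anything else means no permissions."""
    claims = verified_claims(token, key)
    if claims is None:
        return None
    value = claims.get(claim_name)
    return value if isinstance(value, str) and value in MINIO_POLICIES else None


def demo() -> dict:
    """Constructed tokens covering the success path and the failure modes."""
    admin = make_hs256_token({"sub": "alice", "policy": "consoleAdmin"}, DEMO_KEY)
    readonly = make_hs256_token({"sub": "dave", "policy": "readonly"}, DEMO_KEY)
    wrong_case = make_hs256_token({"sub": "bob", "policy": "ConsoleAdmin"}, DEMO_KEY)
    no_claim = make_hs256_token({"sub": "carol"}, DEMO_KEY)
    # Splice the admin payload onto the readonly token's signature: the claim
    # now reads "consoleAdmin", but the signature no longer matches the payload.
    spliced = ".".join([readonly.split(".")[0], admin.split(".")[1], readonly.split(".")[2]])
    return {
        "admin": resolve_policy(admin, DEMO_KEY),
        "readonly": resolve_policy(readonly, DEMO_KEY),
        "wrong_case": resolve_policy(wrong_case, DEMO_KEY),
        "no_claim": resolve_policy(no_claim, DEMO_KEY),
        "spliced": resolve_policy(spliced, DEMO_KEY),
    }


if __name__ == "__main__":
    for case, policy in demo().items():
        print(f"{case:>10}: {policy}")
```

Only `admin` and `readonly` resolve to a policy; the wrong-case value, the missing claim and the spliced token all resolve to `None`, which is the "logged in but no permissions" symptom.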
## 🎯 Role-Based Access Example

### Scenario: Different User Roles

**Admin Users:**

```yaml
# Keycloak User Attribute
minio_policy: consoleAdmin
```

**Data Scientists:**

```yaml
# Keycloak User Attribute
minio_policy: readwrite
```

**Analysts:**

```yaml
# Keycloak User Attribute
minio_policy: readonly
```
## 🐛 Troubleshooting

### Issue: "Login with SSO" button not showing

**Check:**

```bash
# Verify environment variables
docker exec minio printenv | grep MINIO_IDENTITY_OPENID

# Check MinIO logs
docker logs minio
```

**Solution:**

- Ensure all `MINIO_IDENTITY_OPENID_*` variables are set
- Restart MinIO container

### Issue: Redirect loop after login

**Check:**

- `MINIO_BROWSER_REDIRECT_URL` matches the Keycloak redirect URI
- Valid redirect URIs in the Keycloak client include `/oauth_callback`

**Solution:**

```env
# Update .env
MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/minio-console
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
```
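Both issues above (missing `MINIO_IDENTITY_OPENID_*` variables, and a redirect URI that disagrees with `MINIO_BROWSER_REDIRECT_URL`) can be caught before restarting the container. The following preflight check is an added example, not part of MinIO or of this project: it reads a `.env` block and reports the misconfigurations this guide describes. Assumptions: `parse_dotenv` and `check_openid_env` are hypothetical helper names; the sample `.env` texts are constructed (one copies the Step 4 block verbatim, with its placeholder secret); the required-variable list and the `minio-authorization` scope name come from Steps 2 and 4 of this guide.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Variables this guide sets in Step 4; MinIO shows no SSO button without them.
REQUIRED_KEYS = (
    "MINIO_IDENTITY_OPENID_CONFIG_URL",
    "MINIO_IDENTITY_OPENID_CLIENT_ID",
    "MINIO_IDENTITY_OPENID_CLIENT_SECRET",
    "MINIO_IDENTITY_OPENID_CLAIM_NAME",
    "MINIO_IDENTITY_OPENID_SCOPES",
    "MINIO_IDENTITY_OPENID_REDIRECT_URI",
)
POLICY_SCOPE = "minio-authorization"  # client scope carrying the policy mapper (Step 2)
PLACEHOLDER_SECRET = "your-client-secret-from-step-1"  # placeholder value from Step 4


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env reader: KEY=VALUE lines, '#' comments, optional quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_openid_env(env: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the config looks sane."""
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not env.get(k)]
    if problems:
        return problems
    config_url = env["MINIO_IDENTITY_OPENID_CONFIG_URL"]
    redirect_uri = env["MINIO_IDENTITY_OPENID_REDIRECT_URI"]
    for key in ("MINIO_IDENTITY_OPENID_CONFIG_URL", "MINIO_IDENTITY_OPENID_REDIRECT_URI"):
        if urlparse(env[key]).scheme != "https":
            problems.append(f"{key} must use https")
    if not config_url.endswith("/.well-known/openid-configuration"):
        problems.append("CONFIG_URL should point at the realm's .well-known/openid-configuration document")
    if not redirect_uri.endswith("/oauth_callback"):
        problems.append("REDIRECT_URI must end with /oauth_callback")
    browser_url = env.get("MINIO_BROWSER_REDIRECT_URL")
    if browser_url and redirect_uri != browser_url.rstrip("/") + "/oauth_callback":
        problems.append("MINIO_BROWSER_REDIRECT_URL + /oauth_callback does not equal REDIRECT_URI (redirect loop risk)")
    scopes = [s.strip() for s in env["MINIO_IDENTITY_OPENID_SCOPES"].split(",")]
    if "openid" not in scopes:
        problems.append("SCOPES must include openid")
    if POLICY_SCOPE not in scopes:
        problems.append(f"SCOPES must include {POLICY_SCOPE}; an Optional client scope is only applied when requested")
    if env["MINIO_IDENTITY_OPENID_CLIENT_SECRET"] == PLACEHOLDER_SECRET:
        problems.append("CLIENT_SECRET is still the placeholder from Step 4")
    return problems


# Constructed sample: the Step 4 block plus MINIO_BROWSER_REDIRECT_URL, with a made-up secret.
GOOD_ENV = """
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=constructed-example-secret
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/minio-console
"""

# Constructed broken variant: policy scope dropped and the callback path missing.
BAD_ENV = GOOD_ENV.replace("openid,profile,email,minio-authorization", "openid,profile,email") \
                  .replace("minio-console/oauth_callback", "minio-console")

# The Step 4 block exactly as printed in this guide (placeholder secret, no browser URL).
STEP4_ENV = GOOD_ENV.replace("constructed-example-secret", PLACEHOLDER_SECRET) \
                    .replace("MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/minio-console\n", "")


def demo() -> Dict[str, int]:
    """Number of problems found in each constructed sample."""
    return {name: len(check_openid_env(parse_dotenv(text)))
            for name, text in (("good", GOOD_ENV), ("bad", BAD_ENV), ("step4", STEP4_ENV), ("empty", ""))}


if __name__ == "__main__":
    for name, text in (("good", GOOD_ENV), ("bad", BAD_ENV), ("step4", STEP4_ENV)):
        print(name, check_openid_env(parse_dotenv(text)) or "OK")
```

Run it against the real `07-minio/.env` by reading the file into `parse_dotenv`; the broken sample reports the missing `/oauth_callback`, the browser/redirect mismatch and the dropped scope, and the verbatim Step 4 block passes except for its placeholder secret.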
### Issue: User has no permissions after login

**Check:**

- User has the `minio_policy` attribute in Keycloak
- Policy name matches the MinIO policy exactly (case-sensitive)

**Solution:**

- Verify the user attribute in Keycloak
- Add the `minio_policy` attribute with value `consoleAdmin` (or the intended policy)
### Issue: Cannot access Keycloak config URL

**Check:**

```bash
# Test from MinIO container
docker exec minio curl -k https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
```

**Solution:**

- Ensure the MinIO container can reach Keycloak
- Check network connectivity
- Verify the Keycloak realm name is correct
## 📊 Monitoring

### Check OpenID Configuration

```bash
# View current OpenID config
docker exec minio mc admin config get myminio identity_openid
```

### View Active Sessions

```bash
# List active user sessions
docker exec minio mc admin user list myminio
```

### Audit Logs

```bash
# Enable audit logging
docker exec minio mc admin config set myminio audit_webhook:1 endpoint="http://your-webhook-endpoint"

# View logs
docker logs minio -f
```
## 🔒 Security Best Practices

1. **Use HTTPS Only**
   - Always use HTTPS for MinIO and Keycloak
   - Configure SSL certificates properly
2. **Rotate Client Secrets**
   - Periodically rotate Keycloak client secrets
   - Update MinIO configuration after rotation
3. **Least Privilege Principle**
   - Assign minimal required policies to users
   - Use custom policies for specific use cases
4. **Monitor Access**
   - Enable audit logging
   - Review access logs regularly
5. **Secure Network**
   - Use firewall rules to restrict access
   - Consider VPN for sensitive data
## 🎉 Summary

After completing these steps:

- ✅ MinIO integrated with Keycloak SSO
- ✅ Users can log in with Keycloak credentials
- ✅ Role-based access control configured
- ✅ Centralized user management in Keycloak
- ✅ Secure HTTPS access via Nginx reverse proxy

**Access MinIO Console:** https://ai.sriphat.com/minio-console

Login with SSO → Keycloak authentication → MinIO Console access! 🚀