If what you believe doesn't exist, please send a pull request. We are happy to accept sensible contributions.

Thanks for your feedback, @harshavardhana. I have created a feature request.

Please feel free to close this discussion once you have validated that, indeed, this would be a new feature.

Unfortunately, I can't seem to make the following work:

# export MC_HOST_myalias="https://<ACCESSKEY>:<SECRETKEY>@minio1.domain.com:9000"
# mcli admin info myalias
mcli: <ERROR> Unable to get service status. Access Denied.

For reference, my list of aliases:

# mcli alias list
[..]
minio1
  URL       : https://minio1.domain.com:9000
  AccessKey : minio
  SecretKey : <password>
  API       : s3v4
  Path      : auto
[..]

What am I doing wrong?

References:

• https://min.io/docs/minio/linux/reference/minio-mc.html#test-the-connection
• https://min.io/docs/minio/linux/reference/minio-mc/minio-client-settings.html

Further testing led me to notice that I can run a mcli ls command but not a mcli admin info command:

# mcli alias set myalias https://minio1.domain.com:9000 myaccesskey SECRETKEY
Added `myalias` successfully.
root@minio1:~# mcli ls myalias
[2022-11-17 15:15:08 UTC]     0B myaccesskey-media/
[2023-09-13 10:38:06 UTC]     0B myaccesskey-static/
root@minio1:~# mcli admin info myalias
mcli: <ERROR> Unable to get service status. Access Denied.

As I explained before, I had never attempted the mcli admin info command with a service account, only with a user. Am I missing some permission? This is the access policy of the service account myaccesskey:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:*"
   ],
   "Resource": [
    "arn:aws:s3:::myaccesskey-media/*",
    "arn:aws:s3:::myaccesskey-static/*"
   ]
  }
 ]
}

Thanks.

I presume the missing permission has to be this one: admin:ServerInfo. Correct?

If so, I would have to modify all existing service accounts (access keys) and include such permission in their policy, correct? Then I would be able to use mc admin info to check whether a service account can authenticate with a set of credentials...

I have tried adding the following bit to the policy of the service account I am setting the alias with:

  {
   "Effect": "Allow",
   "Action": [
    "admin:ServerInfo"
   ],
   "Resource": [
    "arn:aws:s3:::*"
   ]
  }

But I am still unable to athenticate my service account to check its credentials:

# mcli alias set myalias https://minio1.domain.com:9000 mysvcacct super-secret-password
Added `myalias` successfully.

# mcli alias list
myalias  
  URL       : https://minio1.domain.com:9000
  AccessKey : mysvcacct
  SecretKey : super-secret-password
  API       : s3v4
  Path      : auto

root@minio1:~# mcli admin info myalias
mcli: <ERROR> Unable to get service status. Access Denied.

Any hints, please? 🙏

Okay, so I think I found the reason why it was not working: the service account I was setting the alias with belongs to a user.

I found out because I went to the MinIO Web Console and created a new service account from scratch (no parent user), and I added the following policy to it:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "admin:ServerInfo"
   ]
  }
 ]
}

Then I followed the same procedure described in previous comments (i.e., setting the alias, then running the mcli amdin info myalias command) and it worked.

So I went to the parent user I was talking about and added the diagnostics policy to it, just to do a quick check, and it worked.

Thus my question would be, is it fine to have permissions such as that to the parent user? Am I compromising the system somehow when the service accounts used in the websites have access to admin:ServerInfo though its parent user?