{"id":17494297,"url":"https://github.com/lkubb/vault-plugin-database-minio","last_synced_at":"2025-03-28T17:42:14.464Z","repository":{"id":161472117,"uuid":"636144186","full_name":"lkubb/vault-plugin-database-minio","owner":"lkubb","description":"Vault database plugin which provides short-lived authorizations for MinIO","archived":false,"fork":false,"pushed_at":"2024-05-26T22:12:19.000Z","size":83,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-02T18:19:00.204Z","etag":null,"topics":["devops","minio","s3","vault","vault-plugins"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lkubb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-04T08:08:05.000Z","updated_at":"2024-11-25T15:02:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"a81671f7-50b9-4704-ad7a-b93d0e516898","html_url":"https://github.com/lkubb/vault-plugin-database-minio","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lkubb%2Fvault-plugin-database-minio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lkubb%2Fvault-plugin-database-minio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lkubb%2Fvault-plugin-database-minio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lkubb%2Fvault-plugin-database-mini
o/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lkubb","download_url":"https://codeload.github.com/lkubb/vault-plugin-database-minio/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246071704,"owners_count":20719171,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","minio","s3","vault","vault-plugins"],"created_at":"2024-10-19T13:06:05.756Z","updated_at":"2025-03-28T17:42:14.441Z","avatar_url":"https://github.com/lkubb.png","language":"Go","readme":"# MinIO Vault Database Plugin\nThis plugin allows Vault to manage MinIO authentication and authorization.\n\n## Prerequisites\n### MinIO\nAfter initialization, you will need to create a policy and dedicated user account for Vault.\n\nThe policy should look like this:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"admin:CreateUser\",\n                \"admin:ListGroups\",\n                \"admin:EnableUser\",\n                \"admin:GetPolicy\",\n                \"admin:GetUser\",\n                \"admin:RemoveUserFromGroup\",\n                \"admin:ServerInfo\",\n                \"admin:CreatePolicy\",\n                \"admin:DisableGroup\",\n                \"admin:EnableGroup\",\n                \"admin:DisableUser\",\n                \"admin:ListUserPolicies\",\n                \"admin:DeleteUser\",\n                \"admin:GetGroup\",\n                \"admin:ListUsers\",\n                
\"admin:AddUserToGroup\",\n                \"admin:AttachUserOrGroupPolicy\",\n                \"admin:DeletePolicy\"\n            ]\n        }\n    ]\n}\n```\n\nProceed with creating the Vault user and assign it this policy.\n\n### Vault\nFirst, ensure your Vault configuration defines `plugin_directory` and `api_address` correctly (the latter is used for inter-process communication, consider TLS certificates!).\n\nCurrently, there are no binary releases, hence you will need to compile this plugin, e.g.:\n\n```bash\ngo build ./cmd/minio-database-plugin\n# or gox -osarch=\"linux/amd64\" ./cmd/minio-database-plugin\n```\n\nThen move the plugin into `plugin_directory`, ensure correct ownership/permissions and register it:\n\n```bash\nvault plugin register -sha256=${BINARY_SHA_SUM} minio-database-plugin\n```\n\n## Configuration\n### Connection\n* `host`: FQDN/IP address of the MinIO API. **Required.**\n* `port`: The port the MinIO API server is listening on (int). Defaults to `9000`.\n* `username`: The name of the dedicated Vault user. **Required.**\n* `password`: The initial password of the dedicated Vault user. **Required.**\n* `tls`: Whether to enable TLS. Defaults to `false`.\n* `insecure_tls`: Whether to skip verifying server certificates. Defaults to `false`.\n* `tls_server_name`: Specifies the name to use as the SNI host when connecting to the MinIO server via TLS.\n* `tls_min_version`: Minimum acceptable TLS version (string). Defaults to `1.2`\n* `pem_bundle`: Specifies concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. Only one of `pem_bundle` or `pem_json` can be specified.\n* `pem_json`: Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. The value in this field must be an encoded JSON object. 
For convenience, the format is the same as the output of the `issue` command from the `pki` secrets engine; see the [pki documentation](https://developer.hashicorp.com/vault/docs/secrets/pki). Only one of `pem_bundle` or `pem_json` can be specified.\n* `connect_timeout`: Timeout for HTTP connections. Defaults to `5s`.\n\n### Role\nA role's `creation_statements` define which permissions the issued user will carry and, optionally, which groups the user will belong to. It should be a list containing a single, JSON-encoded string value. The JSON data can contain the following fields:\n* `policy`: [IAM policy](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html) which will be created for each issued user account. This is the most secure method of assigning permissions.\n* `static_policies`: A string-valued list of existing policy names that should be assigned to a user account issued under this role. Mind that the policies themselves are not managed by Vault.\n* `groups`: A list of group names the issued user should be part of. Groups are created on demand. Mind that the associated policy itself is not managed by Vault.\n\n## Notes\n* This plugin is in very early development.\n* MinIO must not be using the Gateway/Filesystem backends, otherwise you will see this error: `This 'admin' API is not supported by server in 'mode-server-fs'`. Notably, the TrueNAS CORE native `S3` service is outdated in that respect. You can install the MinIO plugin though, which is more recent.\n\n## Related\n* https://github.com/kula/vault-plugin-secrets-minio\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flkubb%2Fvault-plugin-database-minio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flkubb%2Fvault-plugin-database-minio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flkubb%2Fvault-plugin-database-minio/lists"}