{ "identities": [ { "name": "testuser", "credentials": [ { "accessKey": "test-access-key", "secretKey": "test-secret-key" } ], "actions": ["Admin"] }, { "name": "readonlyuser", "credentials": [ { "accessKey": "readonly-access-key", "secretKey": "readonly-secret-key" } ], "actions": ["Read"] }, { "name": "writeonlyuser", "credentials": [ { "accessKey": "writeonly-access-key", "secretKey": "writeonly-secret-key" } ], "actions": ["Write"] } ], "iam": { "enabled": true, "sts": { "tokenDuration": "15m", "issuer": "seaweedfs-sts", "signingKey": "test-sts-signing-key-for-integration-tests" }, "policy": { "defaultEffect": "Deny" }, "providers": { "oidc": { "test-oidc": { "issuer": "http://localhost:8080/.well-known/openid_configuration", "clientId": "test-client-id", "jwksUri": "http://localhost:8080/jwks", "userInfoUri": "http://localhost:8080/userinfo", "roleMapping": { "rules": [ { "claim": "groups", "claimValue": "admins", "roleName": "S3AdminRole" }, { "claim": "groups", "claimValue": "users", "roleName": "S3ReadOnlyRole" }, { "claim": "groups", "claimValue": "writers", "roleName": "S3WriteOnlyRole" } ] }, "claimsMapping": { "email": "email", "displayName": "name", "groups": "groups" } } }, "ldap": { "test-ldap": { "server": "ldap://localhost:389", "baseDN": "dc=example,dc=com", "bindDN": "cn=admin,dc=example,dc=com", "bindPassword": "admin-password", "userFilter": "(uid=%s)", "groupFilter": "(memberUid=%s)", "attributes": { "email": "mail", "displayName": "cn", "groups": "memberOf" }, "roleMapping": { "rules": [ { "claim": "groups", "claimValue": "cn=admins,ou=groups,dc=example,dc=com", "roleName": "S3AdminRole" }, { "claim": "groups", "claimValue": "cn=users,ou=groups,dc=example,dc=com", "roleName": "S3ReadOnlyRole" } ] } } } }, "policyStore": {} }, "roles": { "S3AdminRole": { "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": ["test-oidc", "test-ldap"] }, "Action": "sts:AssumeRoleWithWebIdentity" } ] }, "attachedPolicies": ["S3AdminPolicy"], "description": "Full administrative access to S3 resources" }, "S3ReadOnlyRole": { "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": ["test-oidc", "test-ldap"] }, "Action": "sts:AssumeRoleWithWebIdentity" } ] }, "attachedPolicies": ["S3ReadOnlyPolicy"], "description": "Read-only access to S3 resources" }, "S3WriteOnlyRole": { "trustPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": ["test-oidc", "test-ldap"] }, "Action": "sts:AssumeRoleWithWebIdentity" } ] }, "attachedPolicies": ["S3WriteOnlyPolicy"], "description": "Write-only access to S3 resources" } }, "policies": { "S3AdminPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] } ] }, "S3ReadOnlyPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation", "s3:GetBucketVersioning" ], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ] } ] }, "S3WriteOnlyPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:InitiateMultipartUpload", "s3:UploadPart", "s3:CompleteMultipartUpload", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:seaweed:s3:::*/*" ] } ] }, "S3BucketManagementPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:GetBucketVersioning", "s3:PutBucketVersioning" ], "Resource": [ "arn:seaweed:s3:::*" ] } ] }, "S3IPRestrictedPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ], "Condition": { "IpAddress": { "aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"] } } } ] }, "S3TimeBasedPolicy": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [ "arn:seaweed:s3:::*", "arn:seaweed:s3:::*/*" ], "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2023-01-01T00:00:00Z" }, "DateLessThan": { "aws:CurrentTime": "2025-12-31T23:59:59Z" } } } ] } }, "bucketPolicyExamples": { "PublicReadPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:seaweed:s3:::example-bucket/*" } ] }, "DenyDeletePolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyDeleteOperations", "Effect": "Deny", "Principal": "*", "Action": ["s3:DeleteObject", "s3:DeleteBucket"], "Resource": [ "arn:seaweed:s3:::example-bucket", "arn:seaweed:s3:::example-bucket/*" ] } ] }, "IPRestrictedAccessPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "IPRestrictedAccess", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:seaweed:s3:::example-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": ["203.0.113.0/24"] } } } ] } } }