mirror-seaweedfs/test/s3/iam/test_config.json

{
  "identities": [
    {
      "name": "testuser",
      "credentials": [
        {
          "accessKey": "test-access-key",
          "secretKey": "test-secret-key"
        }
      ],
      "actions": ["Admin"]
    },
    {
      "name": "readonlyuser", 
      "credentials": [
        {
          "accessKey": "readonly-access-key",
          "secretKey": "readonly-secret-key"
        }
      ],
      "actions": ["Read"]
    },
    {
      "name": "writeonlyuser",
      "credentials": [
        {
          "accessKey": "writeonly-access-key", 
          "secretKey": "writeonly-secret-key"
        }
      ],
      "actions": ["Write"]
    }
  ],
  "iam": {
    "enabled": true,
    "sts": {
      "tokenDuration": "15m",
      "issuer": "seaweedfs-sts",
      "signingKey": "test-sts-signing-key-for-integration-tests"
    },
    "policy": {
      "defaultEffect": "Deny"
    },
    "providers": {
      "oidc": {
        "test-oidc": {
          "issuer": "http://localhost:8080/.well-known/openid_configuration",
          "clientId": "test-client-id",
          "jwksUri": "http://localhost:8080/jwks",
          "userInfoUri": "http://localhost:8080/userinfo",
          "roleMapping": {
            "rules": [
              {
                "claim": "groups",
                "claimValue": "admins", 
                "roleName": "S3AdminRole"
              },
              {
                "claim": "groups",
                "claimValue": "users",
                "roleName": "S3ReadOnlyRole"
              },
              {
                "claim": "groups",
                "claimValue": "writers",
                "roleName": "S3WriteOnlyRole"
              }
            ]
          },
          "claimsMapping": {
            "email": "email",
            "displayName": "name",
            "groups": "groups"
          }
        }
      },
      "ldap": {
        "test-ldap": {
          "server": "ldap://localhost:389",
          "baseDN": "dc=example,dc=com",
          "bindDN": "cn=admin,dc=example,dc=com", 
          "bindPassword": "admin-password",
          "userFilter": "(uid=%s)",
          "groupFilter": "(memberUid=%s)",
          "attributes": {
            "email": "mail",
            "displayName": "cn", 
            "groups": "memberOf"
          },
          "roleMapping": {
            "rules": [
              {
                "claim": "groups",
                "claimValue": "cn=admins,ou=groups,dc=example,dc=com",
                "roleName": "S3AdminRole"
              },
              {
                "claim": "groups", 
                "claimValue": "cn=users,ou=groups,dc=example,dc=com",
                "roleName": "S3ReadOnlyRole"
              }
            ]
          }
        }
      }
    },
    "policyStore": {}
  },
  "roles": {
    "S3AdminRole": {
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": ["test-oidc", "test-ldap"]
            },
            "Action": "sts:AssumeRoleWithWebIdentity"
          }
        ]
      },
      "attachedPolicies": ["S3AdminPolicy"],
      "description": "Full administrative access to S3 resources"
    },
    "S3ReadOnlyRole": {
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow", 
            "Principal": {
              "Federated": ["test-oidc", "test-ldap"]
            },
            "Action": "sts:AssumeRoleWithWebIdentity"
          }
        ]
      },
      "attachedPolicies": ["S3ReadOnlyPolicy"],
      "description": "Read-only access to S3 resources"
    },
    "S3WriteOnlyRole": {
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": ["test-oidc", "test-ldap"] 
            },
            "Action": "sts:AssumeRoleWithWebIdentity"
          }
        ]
      },
      "attachedPolicies": ["S3WriteOnlyPolicy"],
      "description": "Write-only access to S3 resources"
    }
  },
  "policies": {
    "S3AdminPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:*"],
          "Resource": [
            "arn:seaweed:s3:::*",
            "arn:seaweed:s3:::*/*"
          ]
        }
      ]
    },
    "S3ReadOnlyPolicy": {
      "Version": "2012-10-17", 
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion", 
            "s3:ListBucket",
            "s3:ListBucketVersions",
            "s3:GetBucketLocation",
            "s3:GetBucketVersioning"
          ],
          "Resource": [
            "arn:seaweed:s3:::*",
            "arn:seaweed:s3:::*/*"
          ]
        }
      ]
    },
    "S3WriteOnlyPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:InitiateMultipartUpload",
            "s3:UploadPart", 
            "s3:CompleteMultipartUpload",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts"
          ],
          "Resource": [
            "arn:seaweed:s3:::*/*"
          ]
        }
      ]
    },
    "S3BucketManagementPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:CreateBucket",
            "s3:DeleteBucket", 
            "s3:GetBucketPolicy",
            "s3:PutBucketPolicy",
            "s3:DeleteBucketPolicy",
            "s3:GetBucketVersioning",
            "s3:PutBucketVersioning"
          ],
          "Resource": [
            "arn:seaweed:s3:::*"
          ]
        }
      ]
    },
    "S3IPRestrictedPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:*"],
          "Resource": [
            "arn:seaweed:s3:::*",
            "arn:seaweed:s3:::*/*"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"]
            }
          }
        }
      ]
    },
    "S3TimeBasedPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow", 
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": [
            "arn:seaweed:s3:::*",
            "arn:seaweed:s3:::*/*"
          ],
          "Condition": {
            "DateGreaterThan": {
              "aws:CurrentTime": "2023-01-01T00:00:00Z"
            },
            "DateLessThan": {
              "aws:CurrentTime": "2025-12-31T23:59:59Z" 
            }
          }
        }
      ]
    }
  },
  "bucketPolicyExamples": {
    "PublicReadPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PublicReadGetObject",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject", 
          "Resource": "arn:seaweed:s3:::example-bucket/*"
        }
      ]
    },
    "DenyDeletePolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyDeleteOperations",
          "Effect": "Deny",
          "Principal": "*",
          "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
          "Resource": [
            "arn:seaweed:s3:::example-bucket",
            "arn:seaweed:s3:::example-bucket/*"
          ]
        }
      ]
    },
    "IPRestrictedAccessPolicy": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "IPRestrictedAccess",
          "Effect": "Allow", 
          "Principal": "*",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:seaweed:s3:::example-bucket/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": ["203.0.113.0/24"]
            }
          }
        }
      ]
    }
  }
}