From c5354e75d1205a82a93fd30868e1f5602161ade9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Chlo=C3=A9=20Vulquin?=
Date: Wed, 14 Jan 2026 22:16:43 +0100
Subject: initial import
---
user/README.md | 19 +++++++++++++++++++
user/useronly.json | 15 +++++++++++++++
user/userprefix.json | 15 +++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 user/README.md
create mode 100644 user/useronly.json
create mode 100644 user/userprefix.json
(limited to 'user')
diff --git a/user/README.md b/user/README.md
new file mode 100644
index 0000000..bede75a
--- /dev/null
+++ b/user/README.md
@@ -0,0 +1,19 @@
+# User Policies
+User policies apply to users and determine the read/write access they will have.
+This is useful to avoid needing to configure each bucket separately.
+
+## Policies
+The following policies are available:
+
+* useronly.json: Grants the user access to the bucket of their name.
+ For example, the user `foo` will be granted access to the bucket `foo` only.
+* userprefix.json: Grants the user access to buckets prefixed by their name.
+ For example, the user `foo` will be granted access to the buckets
+ `foo` and `foobar` but not `barfoo`.
+
+## Using
+Apply these policies as so:
+
+1. Download the file.
+2. `mcli admin policy add MYMINIO NAME NAME.json`
+3. `mcli admin policy set MYMINIO NAME user=USER`
diff --git a/user/useronly.json b/user/useronly.json
new file mode 100644
index 0000000..2300440
--- /dev/null
+++ b/user/useronly.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${aws:username}",
+ "arn:aws:s3:::${aws:username}/*"
+ ]
+ }
+ ]
+}
diff --git a/user/userprefix.json b/user/userprefix.json
new file mode 100644
index 0000000..609c108
--- /dev/null
+++ b/user/userprefix.json
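Review bot: The `"s3:*"` entry in the Action list of user/useronly.json allows every S3 action on the user's bucket, which is broader than the "read/write access" the README describes. The wildcard also covers bucket-level administration such as `s3:DeleteBucket` and `s3:PutBucketPolicy`, so a holder of this policy could remove the bucket or, presumably, change who else can reach it. If only object read/write is intended, enumerate the actions instead, e.g. `"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"`, adding the multipart-upload actions if clients need them. The same wildcard appears in the Action list of user/userprefix.json.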
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${aws:username}*",
+ "arn:aws:s3:::${aws:username}*/*"
+ ]
+ }
+ ]
+}
--
cgit v1.2.3
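Review bot: The `${aws:username}*` pattern in the Resource list matches on a bare string prefix, so it also covers buckets belonging to any other account whose name starts with this user's name. With users `foo` and `foobar` both attached to one of these policies, `foo` receives `s3:*` on `foobar`'s bucket, which breaks the per-user isolation the policies are meant to provide. Requiring a delimiter after the name closes that overlap: keep the exact-name ARNs from useronly.json and replace the wildcard entries with `"arn:aws:s3:::${aws:username}-*"` and `"arn:aws:s3:::${aws:username}-*/*"`. This only holds if usernames themselves cannot contain the delimiter, so the README should state that naming rule next to the `foo`/`foobar` example.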