The open source project MinIO offers an S3 compatible storage service. This tutorial walks you through using MinIO in Open Source Cloud as a service for managing buckets that can be accessed with AWS S3 compatible clients.

• If you have not already done so, sign up for an OSC account.
• AWS CLI or S3 compatible client

Click on the button "Create objstorage" and a dialog will be shown.

• Name: The name of the server instance
• RootUser: The admin user name
• RootPassword: The admin password

Wait for the server instance to be created. Once created a new card will be shown that contains the URL to the server.

For example https://demo-guide.minio-minio.auto.prod.osaas.io

This URL is the S3 endpoint that you will use. Now you are ready to create a storage bucket on this server.

We will now create a storage bucket in the storage service we created in step 1. First we will download and install the MinIO client using Homebrew.

% brew install minio/stable/mc

Create an alias for the storage service you created where <tenant> is the id of your tenant. Provide the admin username and password that you used when created the server instance.

% mc alias set guide https://<tenant>-guide.minio-minio.auto.prod.osaas.io root abC12345678
Added `guide` successfully.

Now we can create a bucket that we call tutorial

% mc mb guide/tutorial

To upload an image we have on local disk to the bucket we will the AWS command line tool as the storage service provides an S3 compatible interface.

% export AWS_ACCESS_KEY_ID=root
% export AWS_SECRET_ACCESS_KEY=abC12345678
% aws --endpoint-url https://<tenant>-guide.minio-minio.auto.prod.osaas.io \
  s3 cp images.jpeg s3://tutorial/
upload: ./images.jpeg to s3://tutorial/images.jpeg

And when we list the content on this bucket we should find the file we just uploaded.

% aws --endpoint-url https://<tenant>-guide.minio-minio.auto.prod.osaas.io s3 ls s3://tutorial/

Be aware that removing a storage service means that the data will be lost.

To access an object in a bucket you can use the AWS CLI command presign to generate an HTTP url.

% aws --endpoint-url=https://demo-guide.minio-minio.auto.prod.osaas.io \
  s3 presign s3://tutorial/images.jpeg

See the AWS CLI documentation on how to set the expiration time for the link.

To enable public (anonymous) read-only access to the contents of a bucket we can enable that using the mc command line tool.

% mc anonymous set download guide/tutorial

Now you can access the images.jpeg you uploaded directly in your browser https://demo-guide.minio-minio.auto.prod.osaas.io/tutorial/images.jpeg

When using the MinIO storage for public distribution over the Internet you want to use a Content Distribution Network (CDN) for the delivery. When you setup your distribution property at your CDN provider you will use the following:

• Origin: Your MinIO instance hostname, e.g. demo-guide.minio-minio.auto.prod.osaas.io
• Protocol: HTTPS
• Port: 443
• Origin Host Header: demo-guide.minio-minio.auto.prod.osaas.io

Important here is that the Host header in the HTTPS request to the origin is the hostname of the MinIO storage instance and not the hostname in the viewer request.

Consult your CDN provider documentation on how to configure this.

You can also use the OSC Command Line tool to setup a default CDN property for a MinIO storage bucket in Eyevinn OSC. Currently support setup of CDN property in AWS CloudFront but we are happy for contribution from other CDN providers. The OSC Command Line Tool is open source.

To create a CDN distribution in AWS CloudFront for the bucket tutorial that we created in this guide:

% npx @osaas/cli web cdn-create --origin-path=/tutorial minio-minio guide

To ensure the security of your MinIO deployment, consider the following best practices, especially when using the service in production environments:

• Use Strong Credentials: Choose strong, complex passwords for the RootUser and avoid using default or easily guessable usernames.
• Restrict Anonymous Access: Avoid enabling anonymous access (mc anonymous set download) unless absolutely necessary. If enabled, monitor access and review content exposure regularly.
• Enable HTTPS: Always access your MinIO server over HTTPS to encrypt data in transit. This is particularly important when using the AWS CLI or exposing public URLs. This is provided by default for all service in Open Source Cloud.
• Limit Access with Policies: Use access policies to restrict what users or clients can do. MinIO supports fine-grained policy management similar to AWS IAM.
• Regularly Rotate Access Keys: Rotate the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY periodically to reduce the risk of credential leaks.

• Guide to setup a Web user interface for your storage
• Guide to create a RAG-setup (Retrieval-Augmented Generation)