Limit readonly bucket on MinIO using Anonymous Access - allanrogerr/public GitHub Wiki

Using mc, run the following commands against https://play.min.io/

mc rb --force play/11215
mc mb play/11215
mc anonymous set download play/x
echo "test read only 11215" | mc pipe play/11215/test.out

Set up users and policy

cat << EOF > denywrite_policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Resource": [
                "arn:aws:s3:::11215/*"
            ]
        }
    ]
}
EOF
mc anonymous set-json denywrite_policy.json play/11215
mc anonymous get-json play/11215
mc anonymous links --recursive play/11215

mc admin user remove play test-rwpolicy-user
mc admin user add play test-rwpolicy-user source123
mc admin policy attach play readwrite --user test-rwpolicy-user
mc admin policy entities play --user test-rwpolicy-user

Log in to https://play.min.io:9443/login as test-rwpolicy-user

Observe that the user CAN upload to bucket play/11215.

Observe that the links provided are only GET enabled, e.g.

curl -X GET https://play.min.io/11215
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>11215</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated><Contents><Key>issue</Key><LastModified>2024-04-22T20:30:16.083Z</LastModified><ETag>&#34;0aae4c8f3cc35693d0cbbe631f2e8b52&#34;</ETag><Size>5</Size><Owner><ID>02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4</ID><DisplayName>minio</DisplayName></Owner><StorageClass>STANDARD</StorageClass></Contents><Contents><Key>test.out</Key><LastModified>2024-04-22T20:29:59.939Z</LastModified><ETag>&#34;874e2269648fffff1fd64b15d5466775&#34;</ETag><Size>21</Size><Owner><ID>02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4</ID><DisplayName>minio</DisplayName></Owner><StorageClass>STANDARD</StorageClass></Contents></ListBucketResult>
curl -T new.out https://play.min.io/11215/new.out
touch new.out
curl --upload-file new.out https://play.min.io/11215/new.out
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Key>new.out</Key><BucketName>11215</BucketName><Resource>/11215/new.out</Resource><Region>us-east-1</Region><RequestId>17C8B8812C946B8A</RequestId><HostId>3e996b2f640d7e065d3a5c4e39a5538cefb82e3e77771990265e4698d8681eac</HostId></Error>
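The two curl checks above as a repeatable script, added here as an example (not from the wiki page or from MinIO): it sends the same unauthenticated listing and PUT, then classifies the S3 XML responses. The host and bucket name are the page's; the embedded sample XML is trimmed from the responses shown above.

```python
"""Verify that anonymous access to a MinIO bucket is read-only."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Sample responses, trimmed from the page's curl output (constructed test data).
LISTING_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
               b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               b'<Name>11215</Name><Contents><Key>issue</Key><Size>5</Size></Contents>'
               b'<Contents><Key>test.out</Key><Size>21</Size></Contents></ListBucketResult>')
ERROR_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<Error><Code>AccessDenied</Code><Message>Access Denied.</Message>'
             b'<Key>new.out</Key><BucketName>11215</BucketName>'
             b'<Resource>/11215/new.out</Resource></Error>')


def classify_response(status, body):
    """Turn an S3 XML body into a small verdict dict (listing or error)."""
    root = ET.fromstring(body)
    if root.tag == S3_NS + "ListBucketResult":
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        return {"kind": "listing", "status": status, "keys": keys}
    if root.tag == "Error":  # S3 error documents carry no namespace
        return {"kind": "error", "status": status,
                "code": root.findtext("Code"), "resource": root.findtext("Resource")}
    return {"kind": "unknown", "status": status}


def anonymous_request(url, method, data=None):
    """Send a request with no credentials; 4xx/5xx bodies are returned, not raised."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def anonymous_is_read_only(base_url, bucket):
    """True when anonymous listing works but an anonymous PUT gets AccessDenied.
    Note: if the bucket is misconfigured, the probe object will actually be written."""
    listing = classify_response(*anonymous_request(f"{base_url}/{bucket}", "GET"))
    put = classify_response(*anonymous_request(f"{base_url}/{bucket}/probe.out", "PUT", b"probe"))
    return listing["kind"] == "listing" and put.get("code") == "AccessDenied"


if __name__ == "__main__":
    print("anonymous read-only:", anonymous_is_read_only("https://play.min.io", "11215"))
```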