MinIO S3 (bucket creation and access)

MinIO provides S3-compatible storage for backups and project data. This page shows how to create a per-project bucket with a least-privilege user and policy.

Entry points

S3 console: https://s3.app.lef/
S3 API endpoint (internal): storage.core.lef:9000

Prerequisites

mc CLI installed.
Admin access to MinIO (credentials live in the password manager; do not store them in Git).
A chosen bucket name (kebab-case, project-specific) and a dedicated user name.

1) Configure an `mc` alias

mc alias set s3m http://storage.core.lef:9000 <admin_access_key> <admin_secret_key>

2) Create the bucket

mc mb s3m/<bucket-name>

3) Create a least-privilege policy

Store policies on the MinIO host (convention):

mkdir -p /home/minio/policies

Create the policy JSON:

cat <<EOF > /home/minio/policies/<bucket-name>-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<bucket-name>"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::<bucket-name>/*"]
    }
  ]
}
EOF

Create the policy in MinIO:

mc admin policy create s3m <bucket-name>-policy /home/minio/policies/<bucket-name>-policy.json

4) Create a dedicated user and attach the policy

mc admin user add s3m <user-name> <user-password>
mc admin policy attach s3m <bucket-name>-policy --user <user-name>

Use with SQL Server backups

SQL Server uses an S3 URL credential and the secret in the form <accessKey>:<secretKey>. See the canonical scripts on:

SQL Server → S3 backup & restore

Failure modes

Access denied: policy missing ListBucket or object permissions.
Wrong endpoint: the host can’t reach the S3 endpoint (DNS/VPN/routing).
TLS issues: client doesn’t trust the S3 certificate/CA.

Operate & troubleshoot Storage & S3 SQL Server → S3 backup & restore storage.core.lef Backup and recovery policy