MinIO Server

The minio server command starts the MinIO server process:

minio server /mnt/disk{1...4}

For examples of deploying minio server on a bare metal environment, see Install and Deploy MinIO.

For examples of deploying minio server on a Kubernetes environment, see Deploying a MinIO Tenant.

AGPLv3

minio server is AGPLv3 licensed Free and Open Source (FOSS) software.

Applications integrating mc may trigger AGPLv3 compliance requirements. MinIO Commercial Licensing is the best option for applications which trigger AGPLv3 obligations where open-sourcing the application is not an option.

Configuration Settings

The minio server process stores its configuration in the storage backend directory. You can modify configuration options using the mc admin config command.

Syntax

Starts the minio server process.

The command has the following syntax:

minio server [FLAGS] HOSTNAME/DIRECTORIES [HOSTNAME/DIRECTORIES..]

The command accepts the following arguments:

HOSTNAME

The hostname of a minio server process.

For standalone deployments, this field is optional. You can start a standalone server process with only the DIRECTORIES argument.

For distributed deployments, specify the hostname of each minio server in the deployment. The group of minio server processes represent a single Server Pool.

HOSTNAME supports MinIO expansion notation {x...y} to denote a sequential series of hostnames. MinIO requires sequential hostnames to identify each minio server process in the set.

For example, https://minio{1...4}.example.net expands to:

https://minio1.example.net
https://minio2.example.net
https://minio3.example.net
https://minio4.example.net

You must run the minio server command with the same combination of HOSTNAME and DIRECTORIES on each host in the Server Pool.

Each additional HOSTNAME/DIRECTORIES pair denotes an additional Server Set for the purpose of horizontal expansion of the MinIO deployment. For more information on Server Pools, see Server Pool.

DIRECTORIES

Required

The directories or drives the minio server process uses as the storage backend.

DIRECTORIES supports MinIO expansion notation {x...y} to denote a sequential series of folders or drives. For example, /mnt/disk{1...4} expands to:

/mnt/disk1
/mnt/disk2
/mnt/disk3
/mnt/disk4

The DIRECTORIES path(s) must be empty when first starting the minio process.

The minio server process requires at least 4 drives or directories to enable erasure coding.

Important

MinIO recommends locally-attached drives, where the DIRECTORIES path points to each drive on the host machine. MinIO recommends against using network-attached storage, as network latency reduces performance of those drives compared to locally-attached storage.

For development or evaluation, you can specify multiple logical directories or partitions on a single physical volume to enable erasure coding on the deployment.

For production environments, MinIO does not recommend using multiple logical directories or partitions on a single physical disk. While MinIO supports those configurations, the potential cost savings come at the risk of decreased reliability.

--address

Optional

Binds the minio server process to a specific network address and port number. Specify the address and port as ADDRESS:PORT, where ADDRESS is an IP address or hostname and PORT is a valid and open port on the host system.

To change the port number for all IP addresses or hostnames configured on the host machine, specify :PORT where PORT is a valid and open port on the host.

Changed in version RELEASE.2023-01-02T09-40-09Z: You can configure your hosts file to have MinIO only listen on specific IPs. For example, if the machine’s /etc/hosts file contains the following:

127.0.1.1       minioip
127.0.1.2       minioip

A command like the following would listen for API calls on port 9000 on both configured IP addresses.

minio server --address "minioip:9000" ~/miniodirectory

If omitted, minio binds to port 9000 on all configured IP addresses or hostnames on the host machine.

--console-address

Optional

Specifies a static port for the embedded MinIO Console.

Omit to direct MinIO to generate a dynamic port at server startup. The MinIO server outputs the port to the system log.

--ftp

Optional

Enable and configure a File Transfer Protocol (FTP) or File Transfer Protocol over SSL/TLS (FTPS) server. Use this flag multiple times to specify an address port, a passive port range of addresses, or a TLS certificate and key as key-value pairs.

Valid keys:

address, which takes a single port to use for the server, typically 8021
_(Optional)_ passive-port-range, which restricts the range of potential ports the server can use to transfer data, such as when tight firewall rules limit the port the FTP server can request for the connection
_(Optional)_ tls-private-key, which takes the path to the user’s private key for accessing the MinIO deployment by TLS

Use with tls-public-cert.
_(Optional)_ tls-public-cert, which takes the path to the certificate for accessing the MinIO deployment by TLS

Use with tls-private-key.

For MinIO deployments with TLS enabled, omit tls-private-key and tls-public-key to direct MinIO to use the default TLS keys for the MinIO deployment. See Network Encryption (TLS) for more information. You only need to specify a certificate and private key to a different set of TLS certificate and key than the MinIO default (for example, to use a different domain).

For example:

minio server http://server{1...4}/disk{1...4} \
--ftp="address=:8021"                         \
--ftp="passive-port-range=30000-40000"        \
--ftp="tls-private-key=path/to/private.key"   \
--ftp="tls-public-cert=path/to/public.crt"    \
...

--sftp

Optional

Enable and configure a SSH File Transfer Protocol (SFTP) server. Use multiple times to specify an address port and the path to the ssh private key to use as key-value pairs.

Valid keys:

address, which takes a single port to use for the server, typically 8022
ssh-private-key, which takes the path to the user’s private key file

For example:

minio server http://server{1...4}/disk{1...4}                               \
--sftp="address=:8022" --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \
...

--certs-dir, -S

Optional

Specifies the path to the folder containing certificates the minio process uses for configuring TLS/SSL connectivity.

Omit to use the default directory paths:

Linux/OSX: ${HOME}/.minio/certs
Windows: %%USERPROFILE%%\.minio\certs.

See Network Encryption (TLS) for more information on TLS/SSL connectivity.

--quiet: Optional
Disables startup information.

--anonymous: Optional
Hides sensitive information from logging.

--json: Optional
Outputs server logs and startup information in JSON format.

Environment Variables

The minio server processes uses the following environment variables during startup to set configuration settings.

Core Configuration

MINIO_VOLUMES

The directories or drives the minio server process uses as the storage backend.

Functionally equivalent to setting minio server DIRECTORIES. Use this value when configuring MinIO to run using an environment file.

MINIO_CONFIG_ENV_FILE

Specifies the full path to the file the MinIO server process uses for loading environment variables.

For systemd-managed files, setting this value to the environment file allows MinIO to reload changes to that file on using mc admin service restart to restart the deployment.

MINIO_ILM_EXPIRY_WORKERS: Specifies the number of workers to make available to expire objects configured with ILM rules for expiration. When not set, MinIO defaults to using up to half of the available processing cores available.

MINIO_DOMAIN

Set to the Fully Qualified Domain Name (FQDN) MinIO accepts Bucket DNS (Virtual Host)-style requests on.

For example, setting MINIO_DOMAIN=minio.example.net directs MinIO to accept an incoming connection request the data bucket at data.minio.example.net.

If this setting is omitted, the default is to only accept path-style requests. For example, minio.example.net/data.

MINIO_SCANNER_SPEED

Manage the maximum wait period for the scanner when balancing MinIO read/write performance to scanner processes.

MinIO utilizes the scanner for bucket replication, site replication, and lifecycle management tasks.

Valid values include:

`fastest`	Removes scanner wait on read/write latency, allowing the scanner to operate at full-speed and IOPS consumption. This setting may result in reduced read and write performance.
`fast`	Sets a short scanner wait time on read/write latency, allowing the scanner to operate at a higher speed and IOPS consumption. This setting may result in reduced read and write performance.
`default`	Sets a moderate scanner wait time on read/write latency, allowing the scanner to operate at a balanced speed and IOPS consumption. This setting seeks to maintain read and write performance while allowing ongoing scanner activity.
`slow`	Sets a medium scanner wait time on read/write latency, where the scanner operates at a reduced speed and IOPS consumption. This setting allows better read and write performance while reducing scanner performance. May impact scanner-dependent features, such as lifecycle management and replication.
`slowest`	Sets a large scanner wait time on read/write latency, where the scanner operates at a substantially lower speed and IOPS consumption. This setting prioritizes read and write operations at the potential cost of scanner operations. May impact scanner-dependent features, such as lifecycle management and replication.

Root Credentials

MINIO_ROOT_USER: The access key for the root user.

Warning

If MINIO_ROOT_USER is unset, minio defaults to minioadmin.

NEVER use the default credentials in production environments. MinIO strongly recommends specifying a unique, long, and random MINIO_ROOT_USER value for all environments.

MINIO_ROOT_PASSWORD: The secret key for the root user.

Warning

If MINIO_ROOT_PASSWORD is unset, minio defaults to minioadmin.

NEVER use the default credentials in production environments. MinIO strongly recommends specifying a unique, long, and random MINIO_ROOT_PASSWORD value for all environments.

MINIO_API_ROOT_ACCESS

New in version MinIO: Server RELEASE.2023-05-04T21-44-30Z

Specify on to enable and off to disable the root user account. Disabling the root service account also disables all service accounts associated with root, excluding those used by site replication. Defaults to on.

Ensure you have at least one other admin user, such as one with the consoleAdmin policy, before disabling the root account. If you do not have another admin user, disabling the root account locks administrative access to the deployment.

This environment variable corresponds with the api root_access configuration setting. You can use this variable to temporarily override the configuration setting and re-enable root access to the deployment.

MINIO_ACCESS_KEY

Deprecated since version RELEASE.2021-04-22T15-44-28Z.

The access key for the root user.

This environment variable is deprecated in favor of the MINIO_ROOT_USER environment variable.

Warning

If MINIO_ACCESS_KEY is unset, minio defaults to minioadmin.

NEVER use the default credentials in production environments. MinIO strongly recommends specifying a unique, long, and random MINIO_ACCESS_KEY value for all environments.

MINIO_SECRET_KEY

Deprecated since version RELEASE.2021-04-22T15-44-28Z.

The secret key for the root user.

This environment variable is deprecated in favor of the MINIO_ROOT_PASSWORD environment variable.

Warning

If MINIO_SECRET_KEY is unset, minio defaults to minioadmin.

NEVER use the default credentials in production environments. MinIO strongly recommends specifying a unique, long, and random MINIO_ACCESS_KEY value for all environments.

MINIO_ACCESS_KEY_OLD: Deprecated since version RELEASE.2021-04-22T15-44-28Z.

To perform root credential rotation, modify the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD environment variables.

MINIO_SECRET_KEY_OLD: Deprecated since version RELEASE.2021-04-22T15-44-28Z.

To perform root credential rotation, modify the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD environment variables.

MinIO Console

The following environment variables control behavior for the embedded MinIO Console:

MINIO_PROMETHEUS_URL

Optional

Specify the URL for a Prometheus service configured to scrape MinIO metrics.

The MinIO Console populates the Dashboard with cluster metrics using the minio-job Prometheus scraping job.

If you are using a standalone MinIO Console process, this variable corresponds with CONSOLE_PROMETHEUS_URL.

MINIO_PROMETHEUS_JOB_ID

Optional

Specify the custom Prometheus job ID used for scraping MinIO metrics.

MinIO defaults to minio-job.

If you are using a standalone MinIO Console process, this variable corresponds with CONSOLE_PROMETHEUS_JOB_ID.

MINIO_LOG_QUERY_URL

Optional

Specify the URL of a PostgreSQL service to which MinIO writes Audit logs. The embedded MinIO Console provides a Log Search tool that allows querying the PostgreSQL service for collected logs.

MINIO_BROWSER

Optional

Specify off to disable the embedded MinIO Console.

MINIO_BROWSER_LOGIN_ANIMATION

Optional

New in version MinIO: Server RELEASE.2023-05-04T21-44-30Z

Specify off to disable the animated login screen for the MinIO Console. Defaults to on.

MINIO_BROWSER_REDIRECT_URL

Optional

Specify the Fully Qualified Domain Name (FQDN) the MinIO Console listens for incoming connections on.

If you want to host the MinIO Console exclusively from a reverse-proxy service, you must specify the hostname managed by that service.

For example, consider a reverse proxy configured to route https://example.net/minio/ to the MinIO Console. You must set this environment variable to match that hostname for the Console to both listen and respond to requests using that hostname.

If you omit this variable, the Console listens and responds to all IP addresses or hostnames associated to the host machine on which the MinIO Server runs.

MINIO_BROWSER_SESSION_DURATION

Optional

New in version MinIO: Server RELEASE.2023-08-23T10-07-06Z

Specify the duration of a browser session for working with the MinIO Console.

MinIO supports the following units of time measurement:

s - seconds, “60s”
m - minutes, “60m”
h - hours, “24h”
d - days, “7d”

Defaults to 12h.

MINIO_SERVER_URL

Optional

Specify the Fully Qualified Domain Name (FQDN) the MinIO Console must use for connecting to the MinIO Server. The Console also uses this value for setting the root hostname when generating presigned URLs.

This setting may be required if:

The MinIO Server uses a TLS certificate that does not include the host local IP(s) in the certificate Subject Alternative Name (SAN) or
The Console must use a specific hostname to connect or reference the MinIO Server, e.g. due to a reverse proxy or similar configuration.

Key Management Service and Encryption

MINIO_KMS_KES_ENDPOINT: The endpoint for the MinIO Key Encryption Service (KES) process to use for supporting SSE-S3 and MinIO backend encryption operations.

MINIO_KMS_KES_KEY_FILE

The private key associated to the the MINIO_KMS_KES_CERT_FILE x.509 certificate to use when authenticating to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

See the KES wiki for more complete documentation on KES access control.

MINIO_KMS_KES_CERT_FILE

The x.509 certificate to present to the KES server. The KES server requires clients to present their certificate for performing mutual TLS (mTLS).

The KES server computes an identity from the certificate and compares it to its configured policies. The KES server grants the minio server access to only those operations explicitly granted by the policy.

See the KES wiki for more complete documentation on KES access control.

MINIO_KMS_KES_KEY_NAME

The name of an external key on the Key Management system (KMS) configured on the KES server and used for performing en/decryption operations. MinIO uses this key for the following:

Encrypting backend data ( IAM, server configuration).
The default encryption key for Server-Side Encryption with SSE-KMS.
The encryption key for Server-Side Encryption with SSE-S3.

MINIO_KMS_KES_ENCLAVE

Use this optional environment variable to define the name of a KES enclave. A KES enclave provides an isolated space for its associated keys separate from other enclaves on a stateful KES server.

If not set, MinIO does not send enclave information. For a stateful KES server, this results in using the default enclave.

Storage Class

These environment variables configure the parity to use for objects written to the MinIO cluster.

MinIO Storage Classes are distinct from AWS Storage Classes, where the latter refers to the specific storage tier on which to store a given object.

MINIO_STORAGE_CLASS_STANDARD

The parity level for the deployment. MinIO shards objects written with the default STANDARD storage class using this parity value.

MinIO references the x-amz-storage-class header in request metadata for determining which storage class to assign an object. The specific syntax or method for setting headers depends on your preferred method for interfacing with the MinIO server.

Specify the value using EC:M notation, where M refers to the number of parity blocks to create for the object.

The following table lists the default values based on the erasure set size of the initial server pool in the deployment:

Erasure Set Size	Default Parity (EC:N)
4-5	EC:2
6 - 7	EC:3
8 - 16	EC:4

The minimum supported value is 0, which indicates no erasure coding protections. These deployments rely entirely on the storage controller or resource for availability / resiliency.

The maximum value depends on the erasure set size of the initial server pool in the deployment, where the upper bound is $\frac{\text{ERASURE_SET_SIZE}}{\text{2}}$. For example, a deployment with erasure set stripe size of 16 has a maximum standard parity of 8.

You can change this value after startup to any value between 0 and the upper bound for the erasure set size. MinIO only applies the changed parity to newly written objects. Existing objects retain the parity value in place at the time of their creation.

MINIO_STORAGE_CLASS_RRS

The parity level for objects written with the REDUCED storage class.

Specify the value using EC:M notation, where M refers to the number of parity blocks to create for the object.

This value must be less than or equal to MINIO_STORAGE_CLASS_STANDARD.

You cannot set this value for deployments with an erasure set size less than 5. Defaults to EC:2.

MINIO_STORAGE_CLASS_COMMENT: Adds a comment to the storage class settings.

Metrics and Logging

These environment variables control behavior related to MinIO metrics and logging. See Metrics and Alerts for more information.

MINIO_PROMETHEUS_AUTH_TYPE

Specifies the authentication mode for the Prometheus scraping endpoints.

jwt - Default MinIO requires that the scraping client specify a JWT token for authenticating requests. Use mc admin prometheus generate to generate the necessary JWT bearer tokens.
public MinIO does not require that scraping clients authenticate their requests.

Logging

These environment variables configure publishing regular minio server logs and audit logs to an HTTP webhook. See Publish Server or Audit Logs to an External Service for more complete documentation.

Server Logs
Webhook Audit Logs
Kafka Audit Logs

Server Logs

The following section documents environment variables for configuring MinIO to publish minio server logs to an HTTP webhook endpoint. See Publish Server Logs to HTTP Webhook for more complete documentation and tutorials on using these environment variables.

You can specify multiple webhook endpoints as log targets by appending a unique identifier _ID for each set of related logging environment variables. For example, the following command set two distinct server logs webhook endpoints:

export MINIO_LOGGER_WEBHOOK_ENABLE_PRIMARY="on"
export MINIO_LOGGER_WEBHOOK_AUTH_TOKEN_PRIMARY="TOKEN"
export MINIO_LOGGER_WEBHOOK_ENDPOINT_PRIMARY="http://webhook-1.example.net"

export MINIO_LOGGER_WEBHOOK_ENABLE_SECONDARY="on"
export MINIO_LOGGER_WEBHOOK_AUTH_TOKEN_SECONDARY="TOKEN"
export MINIO_LOGGER_WEBHOOK_ENDPOINT_SECONDARY="http://webhook-2.example.net"

MINIO_LOGGER_WEBHOOK_ENABLE

Specify "on" to enable publishing minio server logs to the HTTP webhook endpoint.

Requires specifying MINIO_LOGGER_WEBHOOK_ENDPOINT.

This environment variable corresponds with the top-level logger_webhook configuration setting.

MINIO_LOGGER_WEBHOOK_ENDPOINT

The HTTP endpoint of the webhook.

This environment variable corresponds with the logger_webhook endpoint configuration setting.

MINIO_LOGGER_WEBHOOK_AUTH_TOKEN

Optional

The JSON Web Token (JWT) to use for authenticating to the HTTP webhook. Omit for webhooks which do not enforce authentication.

This environment variable corresponds with the logger_webhook auth_token configuration setting.

MINIO_LOGGER_WEBHOOK_CLIENT_CERT

Optional

The path to the mTLS certificate to use for authenticating to the webhook logger.

Requires specifying MINIO_LOGGER_WEBHOOK_CLIENT_KEY.

This environment variable corresponds with the logger_webhook client_cert configuration setting.

MINIO_LOGGER_WEBHOOK_CLIENT_KEY

Optional

The path to the mTLS certificate key to use to authenticate with the webhook logger service.

Requires specifying MINIO_LOGGER_WEBHOOK_CLIENT_CERT.

This environment variable corresponds with the logger_webhook client_key configuration setting.

MINIO_LOGGER_WEBHOOK_PROXY

Optional

Define a proxy to use for the webhook logger when communicating from MinIO to external webhooks.

This environment variable corresponds with the logger_webhook proxy configuration setting.

MINIO_LOGGER_WEBHOOK_QUEUE_DIR

New in version RELEASE.2023-05-18T00-05-36Z.

Optional

Specify the directory path, such as /opt/minio/events, to enable MinIO’s persistent event store for undelivered messages. The MinIO process must have read, write, and list access on the specified directory.

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the logger_webhook queue_dir configuration setting.

MINIO_LOGGER_WEBHOOK_QUEUE_SIZE

Optional

An integer value to use for the queue size for logger webhook targets.

This environment variable corresponds with the logger_webhook queue_size configuration setting.

Webhook Audit Logs

The following section documents environment variables for configuring MinIO to publish audit logs to an HTTP webhook endpoint. See Publish Audit Logs to HTTP Webhook for more complete documentation and tutorials on using these environment variables.

You can specify multiple webhook endpoints as audit log targets by appending a unique identifier _ID for each set of related logging environment variables. For example, the following command set two distinct audit log webhook endpoints:

export MINIO_AUDIT_WEBHOOK_ENABLE_PRIMARY="on"
export MINIO_AUDIT_WEBHOOK_AUTH_TOKEN_PRIMARY="TOKEN"
export MINIO_AUDIT_WEBHOOK_ENDPOINT_PRIMARY="http://webhook-1.example.net"
export MINIO_AUDIT_WEBHOOK_CLIENT_CERT_SECONDARY="/tmp/cert.pem"
export MINIO_AUDIT_WEBHOOK_CLIENT_KEY_SECONDARY="/tmp/key.pem"

export MINIO_AUDIT_WEBHOOK_ENABLE_SECONDARY="on"
export MINIO_AUDIT_WEBHOOK_AUTH_TOKEN_SECONDARY="TOKEN"
export MINIO_AUDIT_WEBHOOK_ENDPOINT_SECONDARY="http://webhook-1.example.net"
export MINIO_AUDIT_WEBHOOK_CLIENT_CERT_SECONDARY="/tmp/cert.pem"
export MINIO_AUDIT_WEBHOOK_CLIENT_KEY_SECONDARY="/tmp/key.pem"

MINIO_AUDIT_WEBHOOK_ENABLE

Specify "on" to enable publishing audit logs to the HTTP webhook endpoint.

Requires specifying MINIO_AUDIT_WEBHOOK_ENDPOINT.

This environment variable corresponds with top-level audit_webhook configuration setting.

MINIO_AUDIT_WEBHOOK_ENDPOINT

The HTTP endpoint of the webhook.

This environment variable corresponds with the audit_webhook endpoint configuration setting.

MINIO_AUDIT_WEBHOOK_AUTH_TOKEN

Optional

The JSON Web Token (JWT) to use for authenticating to the HTTP webhook. Omit for webhooks which do not enforce authentication.

This environment variable corresponds with the audit_webhook auth_token configuration setting.

MINIO_AUDIT_WEBHOOK_CLIENT_CERT

Optional

The x.509 client certificate to present to the HTTP webhook. Omit for webhooks which do not require clients to present a known TLS certificate.

Requires specifying MINIO_AUDIT_WEBHOOK_CLIENT_KEY.

This environment variable corresponds with the audit_webhook client_cert configuration setting.

MINIO_AUDIT_WEBHOOK_CLIENT_KEY

Optional

The x.509 private key to present to the HTTP webhook. Omit for webhooks which do not require clients to present a known TLS certificate.

Requires specifying MINIO_AUDIT_WEBHOOK_CLIENT_CERT.

This environment variable corresponds with the audit_webhook client_key configuration setting.

MINIO_AUDIT_WEBHOOK_QUEUE_DIR

New in version RELEASE.2023-05-18T00-05-36Z.

Optional

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the audit_webhook queue_dir configuration setting.

MINIO_AUDIT_WEBHOOK_QUEUE_SIZE

Optional

An integer value to use for the queue size for audit webhook targets.

This environment variable corresponds with the audit_webhook queue_size configuration setting.

Kafka Audit Logs

The following section documents environment variables for configuring MinIO to publish audit logs to a Kafka broker.

MINIO_AUDIT_KAFKA_ENABLE

Required

Set to "on" to enable the target.

Set to "off" to disable the target.

MINIO_AUDIT_KAFKA_BROKERS

Required

A comma-separated list of Kafka broker addresses:

brokers="https://kafka-1.example.net:9092,https://kafka-2.example.net:9092"

At least one broker must be online and reachable by the MinIO server to initialize and send audit log events. MinIO checks each specified broker in order of specification.

This environment variable corresponds with the audit_kafka.brokers configuration setting.

MINIO_AUDIT_KAFKA_TOPIC

Required

The name of the Kafka topic to associate to MinIO audit log events.

This environment variable corresponds with the audit_kafka.topic configuration setting.

MINIO_AUDIT_KAFKA_TLS

Optional

Set to "on" to enable TLS connectivity to the specified Kafka brokers.

Defaults to "off".

This environment variable corresponds with the audit_kafka.tls configuration setting.

MINIO_AUDIT_KAFKA_TLS_SKIP_VERIFY

Optional

Set to "on" to direct MinIO to skip verification of the Kafka broker TLS certificates.

You can use this option for enabling connectivity to Kafka brokers using TLS certificates signed by unknown parties, such as self-signed or corporate-internal Certificate Authorities (CA).

MinIO by default uses the system trust store and the contents of the MinIO CA directory for verifying remote client TLS certificates.

Defaults to "off" for strict verification of TLS certificates.

This environment variable corresponds with the audit_kafka.tls_skip_verify configuration setting.

MINIO_AUDIT_KAFKA_SASL

Optional

Set to "on" to direct MinIO to use SASL to authenticate against the Kafka brokers.

Requires specifying MINIO_AUDIT_KAFKA_SASL_USERNAME and MINIO_AUDIT_KAFKA_SASL_PASSWORD.

This environment variable corresponds with the audit_kafka.sasl configuration setting.

MINIO_AUDIT_KAFKA_SASL_USERNAME

Optional

The SASL username MinIO uses for authentication against the Kafka brokers.

This environment variable corresponds with the audit_kafka.sasl_username configuration setting.

MINIO_AUDIT_KAFKA_SASL_PASSWORD

Optional

The SASL password MinIO uses for authentication against the Kafka brokers.

This environment variable corresponds with the audit_kafka.sasl_password configuration setting.

MINIO_AUDIT_KAFKA_SASL_MECHANISM

Optional

The SASL mechanism MinIO uses for authentication against the Kafka brokers.

Defaults to plain.

Important

The PLAIN authentication mechanism sends credentials in plain text over the network. Use MINIO_AUDIT_KAFKA_TLS to enable TLS connectivity to the Kafka brokers and ensure secure transmission of SASL credentials.

This environment variable corresponds with the audit_kafka.sasl_mechanism configuration setting.

MINIO_AUDIT_KAFKA_TLS_CLIENT_AUTH

Optional

Set to "on" to direct MinIO to use mTLS to authenticate against the Kafka brokers.

Requires specifying MINIO_AUDIT_KAFKA_CLIENT_TLS_CERT and MINIO_AUDIT_KAFKA_CLIENT_TLS_KEY.

This environment variable corresponds with the audit_kafka.tls_client_auth configuration setting.

MINIO_AUDIT_KAFKA_CLIENT_TLS_CERT

Optional

The path to the TLS client certificate to use for mTLS authentication.

This environment variable corresponds with the audit_kafka.client_tls_cert configuration setting.

MINIO_AUDIT_KAFKA_CLIENT_TLS_KEY

Optional

The path to the TLS client private key to use for mTLS authentication.

This environment variable corresponds with the audit_kafka.client_tls_key configuration setting.

MINIO_AUDIT_KAFKA_VERSION

Optional

The version of the Kafka broker MinIO expects at the specified endpoints.

MinIO returns an error if the Kakfa broker verison does not match those specified to this setting.

This environment variable corresponds with the audit_kafka.version configuration setting.

MINIO_AUDIT_KAFKA_COMMENT

Optional

A comment to associate with the configuration.

This environment variable corresponds with the audit_kafka.comment configuration setting.

MINIO_AUDIT_KAFKA_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Kafka service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the audit_kafka.queue_dir configuration setting.

MINIO_AUDIT_KAFKA_QUEUE_SIZE

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the audit_kafka.queue_size configuration setting.

Bucket Notifications

These environment variables configure notification targets for use with MinIO Bucket Notifications:

AMQP Service for Bucket Notifications
MQTT Service for Bucket Notifications
Elasticsearch Service for Bucket Notifications
NSQ Service for Bucket Notifications
Redis Service for Bucket Notifications
NATS Service for Bucket Notifications
PostgreSQL Service for Bucket Notifications
MySQL Service for Bucket Notifications
Kafka Service for Bucket Notifications
Webhook Service for Bucket Notifications

MINIO_API_SYNC_EVENTS

Optional

Enables synchronous bucket notifications.

Specify on to direct MinIO to wait until the remote target returns success on receipt of an event before processing further events.

Defaults to off, or asynchronous bucket notifications where MinIO does not wait for the remote target to return success on receipt of an event.

This environment variable corresponds with the sync_events configuration setting.

AMQP Service for Bucket Notifications

The following section documents environment variables for configuring an AMQP service as a target for Bucket Nofitications. See Publish Events to AMQP (RabbitMQ) for a tutorial on using these environment variables.

You can specify multiple AMQP service endpoints by appending a unique identifier _ID for each set of related AMQP environment variables: the top level key. For example, the following commands set two distinct AMQP service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_AMQP_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_AMQP_URL_PRIMARY="amqp://user:password@amqp-endpoint.example.net:5672"

set MINIO_NOTIFY_AMQP_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_AMQP_URL_SECONDARY="amqp://user:password@amqp-endpoint.example.net:5672"

For example, MINIO_NOTIFY_AMQP_ENABLE_PRIMARY indicates the environment variable is associated to an AMQP service endpoint with ID of PRIMARY.

MINIO_NOTIFY_AMQP_ENABLE

Specify on to enable publishing bucket notifications to an AMQP endpoint.

Defaults to off.

Requires specifying MINIO_NOTIFY_AMQP_URL if set to on.

MINIO_NOTIFY_AMQP_URL

Specify the AMQP server endpoint to which MinIO publishes bucket events. For example, amqp://myuser:mypassword@localhost:5672.

This field is required if MINIO_NOTIFY_AMQP_ENABLE is on. All other AMQP-related variables are optional.

This environment variable corresponds with the notify_amqp url configuration setting.

Changed in version RELEASE.2023-05-27T05-56-19Z: MinIO checks the health of the specified URL (if it is resolvable and reachable) prior to adding the target. MinIO no longer blocks adding new notification targets if existing targets are offline.

MINIO_NOTIFY_AMQP_EXCHANGE

Specify the name of the AMQP exchange to use.

This environment variable corresponds with the notify_amqp exchange configuration setting.

MINIO_NOTIFY_AMQP_EXCHANGE_TYPE

Specify the type of the AMQP exchange.

This environment variable corresponds with the notify_amqp exchange_type configuration setting.

MINIO_NOTIFY_AMQP_ROUTING_KEY

Specify the routing key for publishing events.

This environment variable corresponds with the notify_amqp routing_key configuration setting.

MINIO_NOTIFY_AMQP_MANDATORY

Specify off to ignore undelivered messages errors. Defaults to on.

This environment variable corresponds with the notify_amqp mandatory configuration setting.

MINIO_NOTIFY_AMQP_DURABLE

Specify on to persist the message queue across broker restarts. Defaults to ‘off’.

This environment variable corresponds with the notify_amqp durable configuration setting.

MINIO_NOTIFY_AMQP_NO_WAIT

Specify on to enable non-blocking message delivery. Defaults to ‘off’.

This environment variable corresponds with the notify_amqp no_wait configuration setting.

MINIO_NOTIFY_AMQP_INTERNAL

Specify on to use the exchange only if it is bound to other exchanges. See the RabbitMQ documentation on Exchange to Exchange Bindings for more information on AMQP exchange binding.

This environment variable corresponds with the notify_amqp internal configuration setting.

MINIO_NOTIFY_AMQP_AUTO_DELETED

Specify on to automatically delete the message queue if there are no consumers. Defaults to off.

This environment variable corresponds with the notify_amqp auto_deleted configuration setting.

MINIO_NOTIFY_AMQP_DELIVERY_MODE

Specify 1 for set the delivery mode to non-persistent queue.

Specify 2 to set the delivery mode to persistent queue.

This environment variable corresponds with the notify_amqp delivery_mode configuration setting.

MINIO_NOTIFY_AMQP_QUEUE_DIR

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the AMQP service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_amqp queue_dir configuration setting.

MINIO_NOTIFY_AMQP_QUEUE_LIMIT

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_amqp queue_limit configuration setting.

MINIO_NOTIFY_AMQP_COMMENT

Specify a comment for the AMQP configuration.

This environment variable corresponds with the notify_amqp comment configuration setting.

MQTT Service for Bucket Notifications

The following section documents environment variables for configuring an MQTT service as a target for Bucket Nofitications. See Publish Events to MQTT for a tutorial on using these environment variables.

You can specify multiple MQTT service endpoints by appending a unique identifier _ID for each set of related MQTT environment variables: the top level key. For example, the following commands set two distinct MQTT service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_MQTT_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_MQTT_BROKER_PRIMARY="tcp://user:password@mqtt-endpoint.example.net:1883"

set MINIO_NOTIFY_MQTT_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_MQTT_BROKER_SECONDARY="tcp://user:password@mqtt-endpoint.example.net:1883"

For example, MINIO_NOTIFY_MQTT_ENABLE_PRIMARY indicates the environment variable is associated to an MQTT service endpoint with ID of PRIMARY.

MINIO_NOTIFY_MQTT_ENABLE

Specify on to enable publishing bucket notifications to an MQTT endpoint.

Defaults to off.

This environment variable corresponds with the notify_mqtt configuration setting.

MINIO_NOTIFY_MQTT_BROKER

Required

Specify the MQTT server/broker endpoint. MinIO supports TCP, TLS, or Websocket connections to the server/broker URL. For example:

tcp://mqtt.example.net:1883
tls://mqtt.example.net:1883
ws://mqtt.example.net:1883

This environment variable corresponds with the notify_mqtt broker configuration setting.

MINIO_NOTIFY_MQTT_TOPIC

Required

Specify the name of the MQTT topic to associate with events published by MinIO to the MQTT endpoint.

This environment variable corresponds with the notify_mqtt topic configuration setting.

MINIO_NOTIFY_MQTT_USERNAME

Required if the MQTT server/broker enforces authentication/authorization

Specify the MQTT username with which MinIO authenticates to the MQTT server/broker.

This environment variable corresponds with the notify_mqtt username configuration setting.

MINIO_NOTIFY_MQTT_PASSWORD

Required if the MQTT server/broker enforces authentication/authorization

Specify the password for the MQTT username with which MinIO authenticates to the MQTT server/broker.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_mqtt password configuration setting.

MINIO_NOTIFY_MQTT_QOS

Specify the Quality of Service priority for the published events.

Defaults to 0.

This environment variable corresponds with the notify_mqtt qos configuration setting.

MINIO_NOTIFY_MQTT_KEEP_ALIVE_INTERVAL

Specify the keep-alive interval for the MQTT connections. MinIO supports the following units of time measurement:

s - seconds, “60s”
m - minutes, “60m”
h - hours, “24h”
d - days, “7d”

This environment variable corresponds with the notify_mqtt keep_alive_interval configuration setting.

MINIO_NOTIFY_MQTT_RECONNECT_INTERVAL

Specify the reconnect interval for the MQTT connections. MinIO supports the following units of time measurement:

s - seconds, “60s”
m - minutes, “60m”
h - hours, “24h”
d - days, “7d”

This environment variable corresponds with the notify_mqtt reconnect_interval configuration setting.

MINIO_NOTIFY_MQTT_QUEUE_DIR

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the MQTT server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_mqtt queue_dir configuration setting.

MINIO_NOTIFY_MQTT_QUEUE_LIMIT

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_mqtt queue_limit configuration setting.

MINIO_NOTIFY_MQTT_COMMENT

Specify a comment to associate with the MQTT configuration.

This environment variable corresponds with the notify_mqtt comment configuration setting.

Elasticsearch Service for Bucket Notifications

The following section documents environment variables for configuring an Elasticsearch service as a target for Bucket Nofitications. See Publish Events to Elasticsearch for a tutorial on using these environment variables.

You can specify multiple Elasticsearch service endpoints by appending a unique identifier _ID for each set of related Elasticsearch environment variables: the top level key. For example, the following commands set two distinct Elasticsearch service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_ELASTICSEARCH_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_ELASTICSEARCH_URL_PRIMARY="https://user:password@elasticsearch-endpoint.example.net:9200"
set MINIO_NOTIFY_ELASTICSEARCH_INDEX_PRIMARY="bucketevents"
set MINIO_NOTIFY_ELASTICSEARCH_FORMAT_PRIMARY="namespace"

set MINIO_NOTIFY_ELASTICSEARCH_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_ELASTICSEARCH_URL_SECONDARY="https://user:password@elasticsearch-endpoint.example.net:9200"
set MINIO_NOTIFY_ELASTICSEARCH_INDEX_SECONDARY="bucketevents"
set MINIO_NOTIFY_ELASTICSEARCH_FORMAT_SECONDARY="namespace"

MINIO_NOTIFY_ELASTICSEARCH_ENABLE

Specify on to enable publishing bucket notifications to an Elasticsearch service endpoint.

Defaults to off.

Requires specifying the following additional environment variables if set to on:

MINIO_NOTIFY_ELASTICSEARCH_URL
MINIO_NOTIFY_ELASTICSEARCH_INDEX
MINIO_NOTIFY_ELASTICSEARCH_FORMAT

This environment variable corresponds with the notify_elasticsearch configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_URL

Required

Specify the Elasticsearch service endpoint to which MinIO publishes bucket events. For example, https://elasticsearch.example.com:9200.

MinIO supports passing authentication information using as URL parameters using the format PROTOCOL://USERNAME:PASSWORD@HOSTNAME:PORT.

This environment variable corresponds with the notify_elasticsearch url configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_INDEX

Required

Specify the name of the Elasticsearch index in which to store or update MinIO bucket events. Elasticsearch automatically creates the index if it does not exist.

This environment variable corresponds with the notify_elasticsearch index configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_FORMAT

Required

Specify the format of event data written to the Elasticsearch index. MinIO supports the following values:

namespace: For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing index entry for that object. Similarly, deleting the object also deletes the corresponding index entry.
access: For each bucket event, MinIO creates a JSON document with the event details and appends it to the index with an Elasticsearch-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This environment variable corresponds with the notify_elasticsearch format configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_USERNAME

Optional

The username for connecting to an Elasticsearch service endpoint which enforces authentication.

This environment variable corresponds with the notify_elasticsearch username configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_PASSWORD

Optional

The password for connecting to an Elasticsearch service endpoint which enforces authentication.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_elasticsearch password configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Elasticsearch service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_elasticsearch queue_dir configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_elasticsearch queue_limit configuration setting.

MINIO_NOTIFY_ELASTICSEARCH_COMMENT

Optional

Specify a comment to associate with the Elasticsearch configuration.

This environment variable corresponds with the notify_elasticsearch comment configuration setting.

NSQ Service for Bucket Notifications

The following section documents environment variables for configuring an NSQ service as a target for Bucket Nofitications. See Publish Events to NSQ for a tutorial on using these environment variables.

You can specify multiple NSQ service endpoints by appending a unique identifier _ID for each set of related NSQ environment variables: the top level key. For example, the following commands set two distinct NSQ service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_NSQ_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_NSQ_NSQD_ADDRESS_PRIMARY="https://user:password@nsq-endpoint.example.net:9200"
set MINIO_NOTIFY_NSQ_TOPIC_PRIMARY="bucketevents"

set MINIO_NOTIFY_NSQ_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_NSQ_NSQD_ADDRESS_SECONDARY="https://user:password@nsq-endpoint.example.net:9200"
set MINIO_NOTIFY_NSQ_TOPIC_SECONDARY="bucketevents"

MINIO_NOTIFY_NSQ_ENABLE

Specify on to enable publishing bucket notifications to an NSQ endpoint.

This environment variable corresponds with the notify_nsq configuration setting.

MINIO_NOTIFY_NSQ_NSQD_ADDRESS

Required

Specify the NSQ server address. For example:

https://nsq-endpoing.example.net:4150

This environment variable corresponds with the notify_nsq nsqd_address configuration setting.

MINIO_NOTIFY_NSQ_TOPIC

Required

Specify the name of the NSQ topic MinIO uses when publishing events to the broker.

This environment variable corresponds with the notify_nsq topic configuration setting.

MINIO_NOTIFY_NSQ_TLS

Optional

Specify on to enable TLS connectivity to the NSQ service broker.

This environment variable corresponds with the notify_nsq tls configuration setting.

MINIO_NOTIFY_NSQ_TLS_SKIP_VERIFY

Optional

Enables or disables TLS verification of the NSQ service broker TLS certificates.

Specify on to disable TLS verification (Default).
Specify off to enable TLS verification.

This environment variable corresponds with the notify_nsq tls_skip_verify configuration setting.

MINIO_NOTIFY_NSQ_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the NSQ server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_nsq queue_dir configuration setting.

MINIO_NOTIFY_NSQ_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_nsq queue_limit configuration setting.

MINIO_NOTIFY_NSQ_COMMENT

Optional

Specify a comment to associate with the NSQ configuration.

This environment variable corresponds with the notify_nsq comment configuration setting.

Redis Service for Bucket Notifications

The following section documents environment variables for configuring an Redis service as a target for Bucket Nofitications. See Publish Events to Redis for a tutorial on using these environment variables.

You can specify multiple Redis service endpoints by appending a unique identifier _ID for each set of related Redis environment variables: the top level key. For example, the following commands set two distinct Redis service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_REDIS_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_REDIS_REDIS_ADDRESS_PRIMARY="https://user:password@redis-endpoint.example.net:9200"
set MINIO_NOTIFY_REDIS_KEY_PRIMARY="bucketevents"
set MINIO_NOTIFY_REDIS_FORMAT_PRIMARY="namespace"


set MINIO_NOTIFY_REDIS_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_REDIS_REDIS_ADDRESS_SECONDARY="https://user:password@redis-endpoint.example.net:9200"
set MINIO_NOTIFY_REDIS_KEY_SECONDARY="bucketevents"
set MINIO_NOTIFY_REDIS_FORMAT_SECONDARY="namespace"

MINIO_NOTIFY_REDIS_ENABLE

Required

Specify on to enable publishing bucket notifications to a Redis service endpoint.

Defaults to off.

Requires specifying the following additional environment variables if set to on:

MINIO_NOTIFY_REDIS_ADDRESS
MINIO_NOTIFY_REDIS_KEY
MINIO_NOTIFY_REDIS_FORMAT

This environment variable corresponds with the notify_redis configuration setting.

MINIO_NOTIFY_REDIS_ADDRESS

Required

Specify the Redis service endpoint to which MinIO publishes bucket events. For example, https://redis.example.com:6369.

This environment variable corresponds with the notify_redis address configuration setting.

MINIO_NOTIFY_REDIS_KEY

Required

Specify the Redis key to use for storing and updating events. Redis auto-creates the key if it does not exist.

This environment variable corresponds with the notify_redis key configuration setting.

MINIO_NOTIFY_REDIS_FORMAT

Required

Specify the format of event data written to the Redis service endpoint. MinIO supports the following values:

namespace: For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing index entry for that object. Similarly, deleting the object also deletes the corresponding index entry.
access: For each bucket event, MinIO creates a JSON document with the event details and appends it to the key with a Redis-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This environment variable corresponds with the notify_redis format configuration setting.

MINIO_NOTIFY_REDIS_PASSWORD

Optional

Specify the password for the Redis server.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_redis password configuration setting.

MINIO_NOTIFY_REDIS_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Redis server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_redis queue_dir configuration setting.

MINIO_NOTIFY_REDIS_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_redis queue_limit configuration setting.

MINIO_NOTIFY_REDIS_COMMENT

Optional

Specify a comment to associate with the Redis configuration.

This environment variable corresponds with the notify_redis comment configuration setting.

NATS Service for Bucket Notifications

NATS Streaming Deprecated

NATS Streaming is deprecated. Migrate to JetStream instead.

The related MinIO configuration options and environment variables are deprecated.

The following section documents environment variables for configuring an NATS service as a target for Bucket Nofitications. See Publish Events to NATS for a tutorial on using these environment variables.

You can specify multiple NATS service endpoints by appending a unique identifier _ID for each set of related NATS environment variables no to the top level key. For example, the following commands set two distinct NATS service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_NATS_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_NATS_ADDRESS_PRIMARY="https://nats-endpoint.example.net:4222"

set MINIO_NOTIFY_NATS_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_NATS_ADDRESS_SECONDARY="https://nats-endpoint.example.net:4222"

For example, MINIO_NOTIFY_NATS_ENABLE_PRIMARY indicates the environment variable is associated to an NATS service endpoint with ID of PRIMARY.

MINIO_NOTIFY_NATS_ENABLE

Required

Specify on to enable publishing bucket notifications to an NATS service endpoint.

Defaults to off.

This environment variable corresponds with the notify_nats configuration setting.

MINIO_NOTIFY_NATS_ADDRESS

Required

Specify the NATS service endpoint to which MinIO publishes bucket events. For example, https://nats-endpoint.example.com:4222.

This environment variable corresponds with the notify_nats address configuration setting.

MINIO_NOTIFY_NATS_SUBJECT

Required

Specify the subscription to which MinIO associates events published to the NATS endpoint.

This environment variable corresponds with the notify_nats subject configuration setting.

MINIO_NOTIFY_NATS_USERNAME

Optional

Specify the username for connecting to the NATS service endpoint.

This environment variable corresponds with the notify_nats username configuration setting.

MINIO_NOTIFY_NATS_PASSWORD

Optional

Specify the passport for connecting to the NATS service endpoint.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_nats password configuration setting.

MINIO_NOTIFY_NATS_TOKEN

Optional

Specify the token for connecting to the NATS service endpoint.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_nats token configuration setting.

MINIO_NOTIFY_NATS_TLS

Optional

Specify on to enable TLS connectivity to the NATS service endpoint.

This environment variable corresponds with the notify_nats tls configuration setting.

MINIO_NOTIFY_NATS_TLS_SKIP_VERIFY

Optional

Enables or disables TLS verification of the NATS service endpoint TLS certificates.

Specify on to disable TLS verification (Default).
Specify off to enable TLS verification.

This environment variable corresponds with the notify_nats tls_skip_verify configuration setting.

MINIO_NOTIFY_NATS_PING_INTERVAL

Optional

Specify the duration interval for client pings to the NATS server. MinIO supports the following time units:

s - seconds, "60s"
m - minutes, "5m"
h - hours, "1h"
d - days, "1d"

This environment variable corresponds with the notify_nats ping_interval configuration setting.

MINIO_NOTIFY_NATS_JETSTREAM

Optional

Specify on to enable asynchronous publishing of events to the NATS service endpoint.

This environment variable corresponds with the notify_nats jetstream configuration setting.

MINIO_NOTIFY_NATS_STREAMING

Deprecated

Optional

Specify on to enable JetStream support for streaming events to a NATS JetStream service endpoint.

This environment variable corresponds with the notify_nats streaming configuration setting.

MINIO_NOTIFY_NATS_STREAMING_ASYNC

Deprecated

Optional

Specify on to enable asynchronous publishing of events to the NATS service endpoint.

This environment variable corresponds with the notify_nats streaming_async configuration setting.

MINIO_NOTIFY_NATS_STREAMING_MAX_PUB_ACKS_IN_FLIGHT

Deprecated

Optional

Specify the number of messages to publish without waiting for an ACK response from the NATS service endpoint.

This environment variable corresponds with the notify_nats streaming_max_pub_acks_in_flight configuration setting.

MINIO_NOTIFY_NATS_STREAMING_CLUSTER_ID

Deprecated

Optional

Specify the unique ID for the NATS streaming cluster.

This environment variable corresponds with the notify_nats streaming_cluster_id configuration setting.

MINIO_NOTIFY_NATS_CERT_AUTHORITY

Optional

Specify the path to the Certificate Authority chain used to sign the NATS service endpoint TLS certificates.

This environment variable corresponds with the notify_nats cert_authority configuration setting.

MINIO_NOTIFY_NATS_CLIENT_CERT

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the NATS service endpoint.

This environment variable corresponds with the notify_nats client_cert configuration setting.

MINIO_NOTIFY_NATS_CLIENT_KEY

Optional

Specify the path to the client private key to use for performing mTLS authentication to the NATS service endpoint.

This environment variable corresponds with the notify_nats client_key configuration setting.

MINIO_NOTIFY_NATS_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the NATS server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_nats queue_dir configuration setting.

MINIO_NOTIFY_NATS_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_nats queue_limit configuration setting.

MINIO_NOTIFY_NATS_COMMENT

Optional

Specify a comment to associate with the NATS configuration.

This environment variable corresponds with the notify_nats comment configuration setting.

PostgreSQL Service for Bucket Notifications

The following section documents environment variables for configuring an POSTGRES service as a target for Bucket Nofitications. See Publish Events to PostgreSQL for a tutorial on using these environment variables.

You can specify multiple PostgreSQL service endpoints by appending a unique identifier _ID for each set of related PostgreSQL environment variables: the top level key. For example, the following commands set two distinct PostgreSQL service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_POSTGRES_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_POSTGRES_CONNECTION_STRING_PRIMARY="host=postgresql-endpoint.example.net port=4222..."
set MINIO_NOTIFY_POSTGRES_TABLE_PRIMARY="minioevents"
set MINIO_NOTIFY_POSTGRES_FORMAT_PRIMARY="namespace"

set MINIO_NOTIFY_POSTGRES_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_POSTGRES_CONNECTION_STRING_SECONDARY="host=postgresql-endpoint.example.net port=4222..."
set MINIO_NOTIFY_POSTGRES_TABLE_SECONDARY="minioevents"
set MINIO_NOTIFY_POSTGRES_FORMAT_SECONDARY="namespace"

For example, MINIO_NOTIFY_POSTGRES_ENABLE_PRIMARY indicates the environment variable is associated to an PostgreSQL service endpoint with ID of PRIMARY.

MINIO_NOTIFY_POSTGRES_ENABLE

Required

Specify on to enable publishing bucket notifications to a PostgreSQL service endpoint.

Defaults to off.

Requires specifying the following additional environment variables if set to on:

MINIO_NOTIFY_POSTGRES_CONNECTION_STRING
MINIO_NOTIFY_POSTGRES_TABLE
MINIO_NOTIFY_POSTGRES_FORMAT

This environment variable corresponds with the notify_postgres configuration setting.

MINIO_NOTIFY_POSTGRES_CONNECTION_STRING

Required

Specify the URI connection string of the PostgreSQL service endpoint. MinIO supports key=value format for the PostgreSQL connection string. For example:

"host=https://postgresql.example.com port=5432 ..."

For more complete documentation on supported PostgreSQL connection string parameters, see the PostgreSQL COnnection Strings documentation .

This environment variable corresponds with the notify_postgres connection_string configuration setting.

MINIO_NOTIFY_POSTGRES_TABLE

Required

Specify the name of the PostgreSQL table to which MinIO publishes event notifications.

This environment variable corresponds with the notify_postgres table configuration setting.

MINIO_NOTIFY_POSTGRES_FORMAT

Required

Specify the format of event data written to the PostgreSQL service endpoint. MinIO supports the following values:

namespace: For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing table entry for that object. Similarly, deleting the object also deletes the corresponding table entry.
access: For each bucket event, MinIO creates a JSON document with the event details and appends it to the table with a PostgreSQL-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This environment variable corresponds with the notify_postgres format configuration setting.

MINIO_NOTIFY_POSTGRES_MAX_OPEN_CONNECTIONS

Optional

Specify the maximum number of open connections to the PostgreSQL database.

Defaults to 2.

This environment variable corresponds with the notify_postgres max_open_connections configuration setting.

MINIO_NOTIFY_POSTGRES_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the PostgreSQL server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_postgres queue_dir configuration setting.

MINIO_NOTIFY_POSTGRES_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_postgres queue_limit configuration setting.

MINIO_NOTIFY_POSTGRES_COMMENT

Optional

Specify a comment to associate with the PostgreSQL configuration.

This environment variable corresponds with the notify_postgres comment configuration setting.

MySQL Service for Bucket Notifications

The following section documents environment variables for configuring an MYSQL service as a target for Bucket Nofitications. See Publish Events to MySQL for a tutorial on using these environment variables.

You can specify multiple MySQL service endpoints by appending a unique identifier _ID for each set of related MySQL environment variables: the top level key. For example, the following commands set two distinct MySQL service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_MYSQL_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_MYSQL_DSN_STRING_PRIMARY="username:password@tcp(mysql.example.com:3306)/miniodb"
set MINIO_NOTIFY_MYSQL_TABLE_PRIMARY="minioevents"
set MINIO_NOTIFY_MYSQL_FORMAT_PRIMARY="namespace"

set MINIO_NOTIFY_MYSQL_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_MYSQL_DSN_STRING_SECONDARY="username:password@tcp(mysql.example.com:3306)/miniodb"
set MINIO_NOTIFY_MYSQL_TABLE_SECONDARY="minioevents"
set MINIO_NOTIFY_MYSQL_FORMAT_SECONDARY="namespace"

For example, MINIO_NOTIFY_MYSQL_ENABLE_PRIMARY indicates the environment variable is associated to an MySQL service endpoint with ID of PRIMARY.

MINIO_NOTIFY_MYSQL_ENABLE

Required

Specify on to enable publishing bucket notifications to a MySQL service endpoint.

Defaults to off.

Requires specifying the following additional environment variables if set to on:

MINIO_NOTIFY_MYSQL_DSN_STRING
MINIO_NOTIFY_MYSQL_TABLE
MINIO_NOTIFY_MYSQL_FORMAT

This environment variable corresponds with the notify_mysql configuration setting.

MINIO_NOTIFY_MYSQL_DSN_STRING

Required

Specify the data source name (DSN) connection string for the MySQL service endpoint. MinIO expects the following format:

<user>:<password>@tcp(<host>:<port>)/<database>

For example:

"username:password@tcp(mysql.example.com:3306)/miniodb"

This environment variable corresponds with the notify_mysql dsn_string configuration setting.

MINIO_NOTIFY_MYSQL_TABLE

Required

Specify the name of the MySQL table to which MinIO publishes event notifications.

This environment variable corresponds with the notify_mysql table configuration setting.

MINIO_NOTIFY_MYSQL_FORMAT

Required

Specify the format of event data written to the MySQL service endpoint. MinIO supports the following values:

namespace: For each bucket event, the MinIO creates a JSON document with the bucket and object name from the event as the document ID and the actual event as part of the document body. Additional updates to that object modify the existing table entry for that object. Similarly, deleting the object also deletes the corresponding table entry.
access: For each bucket event, MinIO creates a JSON document with the event details and appends it to the table with a MySQL-generated random ID. Additional updates to an object result in new index entries, and existing entries remain unmodified.

This environment variable corresponds with the notify_mysql format configuration setting.

MINIO_NOTIFY_MYSQL_MAX_OPEN_CONNECTIONS

Optional

Specify the maximum number of open connections to the MySQL database.

Defaults to 2.

This environment variable corresponds with the notify_mysql max_open_connections configuration setting.

MINIO_NOTIFY_MYSQL_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the MySQL server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_mysql queue_dir configuration setting.

MINIO_NOTIFY_MYSQL_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_mysql queue_limit configuration setting.

MINIO_NOTIFY_MYSQL_COMMENT

Optional

Specify a comment to associate with the MySQL configuration.

This environment variable corresponds with the notify_mysql comment configuration setting.

Kafka Service for Bucket Notifications

The following section documents environment variables for configuring an Kafka service as a target for Bucket Nofitications. See Publish Events to Kafka for a tutorial on using these environment variables.

You can specify multiple Kafka service endpoints by appending a unique identifier _ID for each set of related Kafka environment variables: the top level key. For example, the following commands set two distinct Kafka service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_KAFKA_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_KAFKA_BROKERS_PRIMARY="https://kafka1.example.net:9200, https://kafka2.example.net:9200"

set MINIO_NOTIFY_KAFKA_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_KAFKA_BROKERS_SECONDARY="https://kafka1.example.net:9200, https://kafka2.example.net:9200"

MINIO_NOTIFY_KAFKA_ENABLE

Required

Specify on to enable publishing bucket notifications to a Kafka service endpoint.

Defaults to off.

MINIO_NOTIFY_KAFKA_BROKERS

Required

Specify a comma-separated list of Kafka broker addresses. For example:

"kafka1.example.com:2021,kafka2.example.com:2021"

This environment variable corresponds with the notify_kafka brokers configuration setting.

MINIO_NOTIFY_KAFKA_TOPIC

Optional

Specify the name of the Kafka topic to which MinIO publishes bucket events.

This environment variable corresponds with the notify_kafka topic configuration setting.

MINIO_NOTIFY_KAFKA_SASL

Optional

Specify on to enable SASL authentication.

This environment variable corresponds with the notify_kafka sasl configuration setting.

MINIO_NOTIFY_KAFKA_SASL_USERNAME

Optional

Specify the username for performing SASL/PLAIN or SASL/SCRAM authentication to the Kafka broker(s).

This environment variable corresponds with the notify_kafka sasl_username configuration setting.

MINIO_NOTIFY_KAFKA_SASL_PASSWORD

Optional

Specify the password for performing SASL/PLAIN or SASL/SCRAM authentication to the Kafka broker(s).

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_kafka sasl_password configuration setting.

MINIO_NOTIFY_KAFKA_SASL_MECHANISM

Optional

Specify the SASL mechanism to use for authenticating to the Kafka broker(s). MinIO supports the following mechanisms:

PLAIN (Default)
SHA256
SHA512

This environment variable corresponds with the notify_kafka sasl_mechanism configuration setting.

MINIO_NOTIFY_KAFKA_TLS_CLIENT_AUTH

Optional

Specify the client authentication type of the Kafka broker(s). The following table lists the supported values and their mappings

Value	Authentication Type
0	`NoClientCert`
1	`RequestClientCert`
2	`RequireAnyClientCert`
3	`VerifyClientCertIfGiven`
4	`RequireAndVerifyClientCert`

See ClientAuthType for more information on each client auth type. ..

This environment variable corresponds with the notify_kafka tls_client_auth configuration setting.

MINIO_NOTIFY_KAFKA_TLS

Optional

Specify on to enable TLS connectivity to the Kafka broker(s)

This environment variable corresponds with the notify_kafka tls configuration setting.

MINIO_NOTIFY_KAFKA_TLS_SKIP_VERIFY

Optional

Enables or disables TLS verification of the NATS service endpoint TLS certificates.

Specify on to disable TLS verification (Default).
Specify off to enable TLS verification.

This environment variable corresponds with the notify_kafka tls_skip_verify configuration setting.

MINIO_NOTIFY_KAFKA_CLIENT_TLS_CERT

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the Kafka broker(s).

This environment variable corresponds with the notify_kafka client_tls_cert configuration setting.

MINIO_NOTIFY_KAFKA_CLIENT_TLS_KEY

Optional

Specify the path to the client private key to use for performing mTLS authentication to the Kafka broker(s).

This environment variable corresponds with the notify_kafka client_tls_key configuration setting.

MINIO_NOTIFY_KAFKA_VERSION

Optional

Specify the version of the Kafka cluster to assume when performing operations against that cluster. See the sarama reference documentation for more information on this field’s behavior.

This environment variable corresponds with the notify_kafka version configuration setting.

MINIO_NOTIFY_KAFKA_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the Kafka server/broker is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_kafka queue_dir configuration setting.

MINIO_NOTIFY_KAFKA_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_kafka queue_limit configuration setting.

MINIO_NOTIFY_KAFKA_COMMENT

Optional

Specify a comment to associate with the Kafka configuration.

This environment variable corresponds with the notify_kafka comment configuration setting.

Webhook Service for Bucket Notifications

The following section documents environment variables for configuring an Webhook service as a target for Bucket Nofitications. See Publish Events to Webhook for a tutorial on using these environment variables.

You can specify multiple Webhook service endpoints by appending a unique identifier _ID for each set of related Webhook environment variables: the top level key. For example, the following commands set two distinct Webhook service endpoints as PRIMARY and SECONDARY respectively:

set MINIO_NOTIFY_WEBHOOK_ENABLE_PRIMARY="on"
set MINIO_NOTIFY_WEBHOOK_ENDPOINT_PRIMARY="https://webhook1.example.net"

set MINIO_NOTIFY_WEBHOOK_ENABLE_SECONDARY="on"
set MINIO_NOTIFY_WEBHOOK_ENDPOINT_SECONDARY="https://webhook1.example.net"

MINIO_NOTIFY_WEBHOOK_ENABLE

Required

Specify on to enable publishing bucket notifications to a Webhook service endpoint.

Defaults to off.

MINIO_NOTIFY_WEBHOOK_ENDPOINT

Required

Specify the URL for the webhook service.

This environment variable corresponds with the notify_webhook endpoint configuration setting.

MINIO_NOTIFY_WEBHOOK_AUTH_TOKEN

Required

Specify the opaque string or JWT authorization token to use for authenticating to the webhook service.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the notify_webhook auth_token configuration setting.

MINIO_NOTIFY_WEBHOOK_QUEUE_DIR

Optional

Specify the directory path to enable MinIO’s persistent event store for undelivered messages, such as /opt/minio/events.

MinIO stores undelivered events in the specified store while the webhook service is offline and replays the stored events when connectivity resumes.

This environment variable corresponds with the notify_webhook queue_dir configuration setting.

MINIO_NOTIFY_WEBHOOK_QUEUE_LIMIT

Optional

Specify the maximum limit for undelivered messages. Defaults to 100000.

This environment variable corresponds with the notify_webhook queue_limit configuration setting.

MINIO_NOTIFY_WEBHOOK_CLIENT_CERT

Optional

Specify the path to the client certificate to use for performing mTLS authentication to the webhook service.

This environment variable corresponds with the notify_webhook client_cert configuration setting.

MINIO_NOTIFY_WEBHOOK_CLIENT_KEY

Optional

Specify the path to the client private key to use for performing mTLS authentication to the webhook service.

This environment variable corresponds with the notify_webhook client_key configuration setting.

MINIO_NOTIFY_WEBHOOK_COMMENT

Optional

Specify a comment to associate with the Webhook configuration.

This environment variable corresponds with the notify_webhook comment configuration setting.

Object Lambda

The following section documents environment variables for configuring MinIO to publish data to an HTTP webhook endpoint and trigger an Object Lambda function. See Transforms with Object Lambda for more complete documentation and tutorials on using these environment variables.

You can specify multiple webhook endpoints as Lambda targets by appending a unique identifier _FUNCTIONNAME for each Object Lambda function. For example, the following command sets two distinct Object Lambda webhook endpoints:

export MINIO_LAMBDA_WEBHOOK_ENABLE_myfunction="on"
export MINIO_LAMBDA_WEBHOOK_ENDPOINT_myfunction="http://webhook-1.example.net"
export MINIO_LAMBDA_WEBHOOK_ENABLE_yourfunction="on"
export MINIO_LAMBDA_WEBHOOK_ENDPOINT_yourfunction="http://webhook-2.example.net"

MINIO_LAMBDA_WEBHOOK_ENABLE

Specify "on" to enable the Object Lambda webhook endpoint for a handler function.

Requires specifying MINIO_LAMBDA_WEBHOOK_ENDPOINT.

MINIO_LAMBDA_WEBHOOK_ENDPOINT: The HTTP endpoint of the lambda webhook for the handler function.

MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN: Specify the opaque string or JWT authorization token to use for authenticating to the lambda webhook service.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

MINIO_LAMBDA_WEBHOOK_CLIENT_CERT: Specify the path to the client certificate to use for performing mTLS authentication to the lambda webhook service.

MINIO_LAMBDA_WEBHOOK_CLIENT_KEY: Specify the path to the private key to use for performing mTLS authentication to the lambda webhook service.

Active Directory / LDAP Identity Management

The following section documents environment variables for enabling external identity management using an Active Directory or LDAP service. See Configure MinIO for Authentication using Active Directory / LDAP for a tutorial on using these variables.

MINIO_IDENTITY_LDAP_SERVER_ADDR

Required

Specify the hostname for the Active Directory / LDAP server. For example:

ldapserver.com:636

srv_record_name automatically identifies the port

If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value. SRV requests automatically include port numbers when returning the list of available servers.

This environment variable corresponds with the mc idp ldap add server_addr parameter.

MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN

Required

Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server.

The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups.

This environment variable corresponds with the mc idp ldap add lookup_bind_dn parameter.

MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD

Optional

Specify the password for the Lookup-Bind user account.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the lookup_bind_password parameter.

MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN

Optional

Specify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client. For example:

cn=miniousers,dc=myldapserver,dc=net

Supports Lookup-Bind mode.

This environment variable corresponds with the user_dn_search_base_dn parameter.

MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

Optional

Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client.

Use the %s substitution character to insert the client-specified username into the search string. For example:

(userPrincipalName=%s)

This environment variable corresponds with the user_dn_search_filter parameter.

MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER

Optional

Specify an AD/LDAP search filter for performing group lookups for the authenticated user

Use the %s substitution character to insert the client-specified username into the search string. Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string.

For example:

(&(objectclass=groupOfNames)(memberUid=%s))

This environment variable corresponds with the group_search_filter parameter.

MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN

Optional

Specify a comma-separated list of group search base Distinguished Names MinIO uses when performing group lookups.

For example:

cn=miniogroups,dc=myldapserver,dc=net"

This environment variable corresponds with the group_search_base_dn parameter.

MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY

Optional

Specify on to trust the AD/LDAP server TLS certificates without verification. This option may be required if the AD/LDAP server TLS certificates are signed by an untrusted Certificate Authority (e.g. self-signed).

Defaults to off

This environment variable corresponds with the tls_skip_verify parameter.

MINIO_IDENTITY_LDAP_SERVER_INSECURE

Optional

Specify on to allow unsecured (non-TLS encrypted) connections to the AD/LDAP server.

MinIO sends AD/LDAP user credentials in plain text to the AD/LDAP server, such that enabling TLS is required to prevent reading credentials over the wire. Using this option presents a security risk where any user with access to network traffic can observe the unencrypted plaintext credentials.

Defaults to off.

This environment variable corresponds with the server_insecure parameter.

MINIO_IDENTITY_LDAP_SERVER_STARTTLS

Optional

Specify on to enable StartTLS connections to AD/LDAP server.

Defaults to off

This environment variable corresponds with the server_starttls parameter.

MINIO_IDENTITY_LDAP_SRV_RECORD_NAME

New in version RELEASE.2022-12-12T19-27-27Z.

Optional

Specify the appropriate value to enable MinIO to select an AD/LDAP server using a DNS SRV record request.

When enabled, MinIO selects an AD/LDAP server by:

Constructing the target SRV record name following standard naming conventions.
Requesting a list of available AD/LDAP servers.
Choosing an appropriate target based on priority and weight.

The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.

For SRV record names beginning with _ldap, specify ldap. The constructed DNS SRV record name resembles the following:

_ldap._tcp.example.com

For SRV record names with beginning with _ldaps, specify ldaps. The constructed DNS SRV record name resembles the following:

_ldaps._tcp.example.com

If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address. Example: _ldapserver._specialtcp.example.com

For more about DNS SRV records, see DNS SRV Records for LDAP.

Server address for DNS SRV record configurations

The specified server name must not include a port number. This is different from a standard AD/LDAP configuration, where the port number is required.

See server_addr or MINIO_IDENTITY_LDAP_SERVER_ADDR for more about configuring an AD/LDAP server address.

This environment variable corresponds with the srv_record_name parameter.

MINIO_IDENTITY_LDAP_COMMENT

Optional

Specify a comment to associate to the AD/LDAP configuration.

This environment variable corresponds with the comment parameter.

OpenID Identity Management

The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these variables.

MINIO_IDENTITY_OPENID_CONFIG_URL

Required

Specify the URL for the OIDC compatible provider discovery document.

The OIDC Discovery URL typically resembles the following:

https://openid-provider.example.net/.well-known/openid-configuration

This environment variable corresponds with the identity_openid config_url configuration setting.

MINIO_IDENTITY_OPENID_CLIENT_ID

Optional

Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.

This environment variable corresponds with the identity_openid client_id configuration setting.

MINIO_IDENTITY_OPENID_CLIENT_SECRET

Optional

Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

This environment variable corresponds with the identity_openid client_secret configuration setting.

MINIO_IDENTITY_OPENID_CLAIM_NAME

Optional

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.

The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.

Defaults to policy.

This environment variable corresponds with the identity_openid claim_name configuration setting.

MINIO_IDENTITY_OPENID_CLAIM_PREFIX

Optional

Specify the JWT Claim namespace prefix to apply to the specified claim name.

This environment variable corresponds with the identity_openid claim_prefix configuration setting.

MINIO_IDENTITY_OPENID_DISPLAY_NAME

Optional

Specify the user-facing name the MinIO Console displays on the login screen.

MINIO_IDENTITY_OPENID_SCOPES

Optional

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

This environment variable corresponds with the identity_openid scopes configuration setting.

MINIO_IDENTITY_OPENID_REDIRECT_URI

Optional

Important

This parameter was removed in https://github.com/minio/minio/releases/tag/RELEASE.2023-02-27T18-10-45Z. Use the MINIO_BROWSER_REDIRECT_URL environment variable instead.

The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:

http://minio.example.net:consoleport/oauth_callback

Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.

The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

This environment variable corresponds with the identity_openid redirect_uri configuration setting.

MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC

Optional

The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.

Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.

This environment variable corresponds with the identity_openid redirect_uri_dynamic configuration setting.

MINIO_IDENTITY_OPENID_CLAIM_USERINFO

Optional

Specify the OpenID User info API endpoint for the OIDC service. For example, https://oidc-endpoint:port/realms/REALM/protocol/openid-connect/userinfo

Some OIDC providers do not provide group information as part of the JWT response after authentication. Specify this URL to direct MinIO to make an additional API call to construct the complete JWT token.

This environment variable corresponds with the identity_openid claim_userinfo configuration setting.

MINIO_IDENTITY_OPENID_VENDOR

Optional

Specify the OIDC Vendor to enable specific supported behaviors for that vendor.

Supports the following value:

keycloak

This environment variable corresponds with the identity_openid vendor configuration setting.

MINIO_IDENTITY_OPENID_KEYCLOAK_REALM

Optional

Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.

This environment variable corresponds with the identity_openid keycloak_realm configuration setting.

Requires MINIO_IDENTITY_OPENID_VENDOR set to keycloak.

MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL

Optional

Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.

This environment variable corresponds with the identity_openid keycloak_admin_url configuration setting.

Requires MINIO_IDENTITY_OPENID_VENDOR set to keycloak.

MINIO_IDENTITY_OPENID_COMMENT

Optional

Specify a comment to associate with the OIDC compatible provider configuration.

This environment variable corresponds with the identity_openid comment configuration setting.

MinIO Identity Management Plugin

MINIO_IDENTITY_PLUGIN_URL

Required

The webhook endpoint for the external identity management service (https://authservice.example.net:8080/auth).

MINIO_IDENTITY_PLUGIN_ROLE_POLICY

Required

Specify a comma separated list of MinIO policies to assign to authenticated users.

MINIO_IDENTITY_PLUGIN_TOKEN

Optional

An authentication token to present to the configured webhook endpoint.

Specify a supported HTTP Authentication scheme as a string value, such as "Bearer TOKEN". MinIO sends the token using the HTTP Authorization header.

MINIO_IDENTITY_PLUGIN_ROLE_ID

Optional

Specify a unique ID MinIO uses to generate an ARN for this identity manager.

If omitted, MinIO automatically generates the ID and prints the full ARN to the server log.

MINIO_IDENTITY_PLUGIN_COMMENT

Optional

Specify a comment to associate to the identity configuration.

Batch Replication

MINIO_BATCH_REPLICATION_WORKERS

Optional

Enable parallel workers by specifying the maximum number of processes to use when performing the batch application job.

Data Compression

The following section documents settings for enabling data compression for objects. See Data Compression for tutorials on using these configuration settings.

MINIO_COMPRESSION_ALLOW_ENCRYPTION

Optional

Set to on to encrypt objects after compressing them. Defaults to off.

Encrypting compressed objects may compromise security

MinIO strongly recommends against encrypting compressed objects. If you require encryption, carefully evaluate the risk of potentially leaking information about the contents of encrypted objects.

This environment variable corresponds with the compression allow_encryption configuration setting.

MINIO_COMPRESSION_ENABLE

Optional

Set to on to enable data compression for new objects. Defaults to off.

Enabling or disabling data compression does not change existing objects.

This environment variable corresponds with the compression enable configuration setting.

MINIO_COMPRESSION_EXTENSIONS

Optional

Comma-separated list of the file extensions to compress. Setting a new list of file extensions replaces the previously configured list. Defaults to ".txt, .log, .csv, .json, .tar, .xml, .bin".

Default excluded files

Some types of files cannot be significantly reduced in size. MinIO will not compress these, even if specified in an extensions argument. See Excluded types for details.

This environment variable corresponds with the compression extensions configuration setting.

MINIO_COMPRESSION_MIME_TYPES

Optional

Comma-separated list of the MIME types to compress. Setting a new list of types replaces the previously configured list. Defaults to "text/*, application/json, application/xml, binary/octet-stream".

Default excluded files

Some types of files cannot be significantly reduced in size. MinIO will not compress these, even if specified in an mime_types argument. See Excluded types for details.

This environment variable corresponds with the compression mime_types configuration setting.