What's Actually Happening

Clients cannot access a MinIO object storage bucket. Access Denied errors prevent reading, writing, or listing objects in the bucket.

The Error You'll See

Access denied:

```bash
$ mc ls myminio/mybucket

mc: <ERROR> Unable to list folder. Access Denied for mybucket.
```

S3 API error:

```bash
$ aws s3 ls s3://mybucket --endpoint-url http://minio:9000

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied.
```

Console error:

```bash
ERROR: Access Denied.
You do not have permission to perform this operation.
```

Why This Happens

  1. Bucket policy missing - No public or user access policy
  2. IAM policy insufficient - User lacks required permissions
  3. Wrong credentials - Invalid access key or secret key
  4. Bucket not created - Bucket doesn't exist
  5. Network connectivity - Cannot reach MinIO server
  6. SSL/TLS issues - Certificate problems with HTTPS

Step 1: Check MinIO Status

```bash
# Check MinIO service:
systemctl status minio

# Or for Docker:
docker ps | grep minio

# Check MinIO liveness (-I prints the HTTP status line):
curl -I http://minio:9000/minio/health/live

# Should return: 200 OK

# Check MinIO readiness:
curl -I http://minio:9000/minio/health/ready

# Check MinIO logs:
journalctl -u minio -n 50

# Or Docker logs (last 50 lines):
docker logs --tail 50 minio
```

Step 2: Check Bucket Exists

```bash
# List all buckets:
mc ls myminio

# Or via API:
aws s3 ls --endpoint-url http://minio:9000

# Check specific bucket:
mc ls myminio/mybucket

# If bucket missing, create:
mc mb myminio/mybucket

# With versioning:
mc mb myminio/mybucket --with-versioning

# Check bucket info:
mc stat myminio/mybucket

# Admin bucket info:
mc admin bucket info myminio/mybucket
```

Step 3: Check Access Credentials

```bash
# Verify credentials configured
# (the output includes the secret key; do not paste it into tickets or chat):
mc alias ls

# Should show:
# myminio:
#   URL: http://minio:9000
#   AccessKey: your-access-key
#   SecretKey: your-secret-key

# Test credentials:
mc admin user ls myminio

# Check user info:
mc admin user info myminio your-access-key

# Create new user if needed:
mc admin user add myminio newuser newsecret

# Check current user permissions:
mc admin user info myminio your-access-key
```

Step 4: Check Bucket Policy

```bash
# Get bucket policy:
mc anonymous get-json myminio/mybucket

# Or via API:
aws s3api get-bucket-policy --bucket mybucket --endpoint-url http://minio:9000

# Common policies:

# Public read (set-json takes a policy file, then the target):
cat << 'EOF' > public-read.json
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/*"]}]}
EOF
mc anonymous set-json public-read.json myminio/mybucket

# Or use preset (these apply to unauthenticated clients;
# for named users, attach an IAM policy as in Step 5):
mc anonymous set download myminio/mybucket   # Public download
mc anonymous set upload myminio/mybucket     # Public upload
mc anonymous set public myminio/mybucket     # Public full access
mc anonymous set private myminio/mybucket    # Private (no anonymous)

# Check policy applied:
mc anonymous get myminio/mybucket

# Get full policy JSON:
mc anonymous get-json myminio/mybucket
```

Step 5: Check IAM Policies

```bash
# List all policies:
mc admin policy ls myminio

# Built-in policies:
# - readwrite: Full read/write access
# - readonly: Read-only access
# - writeonly: Write-only access
# - consoleAdmin: Admin console access
# - diagnostics: Diagnostic access

# Attach policy to user:
mc admin policy attach myminio readwrite --user your-access-key

# Create custom policy:
cat << 'EOF' > custom-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
EOF

# Add custom policy (older mc releases name this subcommand "add"):
mc admin policy create myminio mybucket-policy custom-policy.json

# Attach to user:
mc admin policy attach myminio mybucket-policy --user your-access-key

# Check user policies:
mc admin user info myminio your-access-key
```
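Steps 4 and 5 both come down to which Action/Resource pairs a policy allows. The following added example (not part of the original article) is a simplified evaluator run against the two policies shown above; it ignores Principal and Condition, and the mapping from `mc` commands to S3 actions is an approximation chosen for illustration.

```python
import json
from fnmatch import fnmatchcase

# Policies copied from Step 4 (public read) and Step 5 (custom policy).
PUBLIC_READ = json.loads("""{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"AWS":["*"]},"Action":["s3:GetObject"],
 "Resource":["arn:aws:s3:::mybucket/*"]}]}""")
CUSTOM = json.loads("""{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["s3:GetObject","s3:PutObject","s3:ListBucket"],
 "Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::mybucket/*"]}]}""")

def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # '*' and '?' wildcards, as used in policy Action and Resource fields.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # nothing matched: denied by default
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # an explicit deny always wins
        decision = "Allow"
    return decision

def explain(policy, requests):
    return {name: evaluate(policy, a, r) for name, (a, r) in requests.items()}

BUCKET = "arn:aws:s3:::mybucket"
# Constructed sample requests, labelled with the mc command that would issue them.
REQUESTS = {
    "mc ls":  ("s3:ListBucket",   BUCKET),
    "mc cat": ("s3:GetObject",    BUCKET + "/file.txt"),
    "mc cp":  ("s3:PutObject",    BUCKET + "/file.txt"),
    "mc rm":  ("s3:DeleteObject", BUCKET + "/file.txt"),
}

if __name__ == "__main__":
    for label, policy in (("public read", PUBLIC_READ), ("custom", CUSTOM)):
        print(label, explain(policy, REQUESTS))
```

The public-read policy allows downloads but still yields Access Denied on listing, because `s3:ListBucket` is evaluated against the bucket ARN, which `mybucket/*` does not match.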

Step 6: Check Network Connectivity

```bash
# Test connectivity to MinIO:
ping minio-server

# Check port 9000 (API):
nc -zv minio-server 9000

# Check port 9001 (Console):
nc -zv minio-server 9001

# Check from client machine:
curl -I http://minio:9000/minio/health/live

# Check firewall:
iptables -L -n | grep 9000

# Allow MinIO ports (add -s <client-subnet> to restrict who can connect):
iptables -I INPUT -p tcp --dport 9000 -j ACCEPT
iptables -I INPUT -p tcp --dport 9001 -j ACCEPT

# For Kubernetes:
kubectl get svc -n minio
kubectl describe svc minio -n minio
```

Step 7: Check SSL/TLS Configuration

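```bash
# If using HTTPS:
curl -I https://minio:9000/minio/health/live

# Set the alias over HTTPS (fails with a certificate error if the cert is untrusted):
mc alias set myminio https://minio:9000 access-key secret-key

# If self-signed certificate, trust it by copying it into mc's CA directory:
cp cert.pem ~/.mc/certs/CAs/

# Or skip verification (troubleshooting only; disables certificate checks):
mc alias set myminio https://minio:9000 access-key secret-key --insecure

# Or add certificate on the server:
# MinIO loads public.crt and private.key from its certs directory
# (default ${HOME}/.minio/certs of the user running MinIO, or the path given with --certs-dir)
cp /path/to/cert.pem ~/.minio/certs/public.crt
cp /path/to/key.pem ~/.minio/certs/private.key

# Restart MinIO:
mc admin service restart myminio

# Check certificate:
openssl s_client -connect minio:9000 -showcerts < /dev/null

# Generate new certificate if expired
# (Go clients such as mc require a subjectAltName; -addext needs OpenSSL 1.1.1+):
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/CN=minio" -addext "subjectAltName=DNS:minio" -keyout key.pem -out cert.pem
```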

Step 8: Check Group Permissions

```bash
# List groups:
mc admin group ls myminio

# Create group:
mc admin group add myminio developers user1 user2 user3

# Set group policy:
mc admin policy attach myminio readwrite --group developers

# Check group info:
mc admin group info myminio developers

# Remove user from group:
mc admin group remove myminio developers user1

# Delete group:
mc admin group remove myminio developers

# Group provides easier permission management
# Multiple users share same policy
```

Step 9: Check Object Lock

```bash
# Check if object lock enabled:
mc stat myminio/mybucket

# Object lock prevents deletion/modification

# If object locked, cannot delete:
mc rm myminio/mybucket/locked-object

# Error: Object is WORM protected

# Check object retention:
mc retention info myminio/mybucket/object

# Remove retention (if allowed):
mc retention clear myminio/mybucket/object

# Object lock configuration (bucket default retention):
mc retention info --default myminio/mybucket

# Disable object lock on bucket:
# Object lock is chosen at bucket creation
# It cannot be disabled after creation
```

Step 10: Monitor MinIO Access

```bash
# Enable audit logging:
mc admin config set myminio audit_webhook:webhook1 endpoint="http://logger:8080/log"

# Restart MinIO:
mc admin service restart myminio

# Check access logs:
# In audit webhook endpoint or MinIO logs

# MinIO metrics:
curl http://minio:9000/minio/prometheus/metrics

# Key metrics:
# minio_bucket_usage_total_bytes
# minio_s3_requests_total
# minio_s3_errors_total

# Create monitoring script:
cat << 'EOF' > /usr/local/bin/monitor-minio.sh
#!/bin/bash

echo "=== MinIO Health ==="
curl -s http://minio:9000/minio/health/live

echo ""
echo "=== Bucket List ==="
mc ls myminio

echo ""
echo "=== Bucket Usage ==="
mc du myminio/mybucket

echo ""
echo "=== Active Requests ==="
curl -s http://minio:9000/minio/prometheus/metrics | grep minio_s3_requests
EOF

chmod +x /usr/local/bin/monitor-minio.sh
```

Alert for access errors (Prometheus alerting rule):

```yaml
- alert: MinIOAccessDenied
  expr: rate(minio_s3_errors_total{code="AccessDenied"}[5m]) > 0
  for: 1m
  labels:
    severity: warning
  annotations:
    summary: "MinIO access denied errors"
```

MinIO Bucket Access Checklist

| Check | Command | Expected |
|---|---|---|
| MinIO health | curl health/live | 200 OK |
| Bucket exists | mc ls | Bucket listed |
| Credentials | mc alias ls | Valid keys |
| Bucket policy | mc anonymous get | Appropriate |
| User policy | mc admin user info | Has access |
| Network | nc -zv 9000 | Connected |
| SSL | openssl s_client | Valid cert |

Verify the Fix

```bash
# After fixing access issue

# 1. List bucket contents
mc ls myminio/mybucket
# Objects listed successfully

# 2. Upload file
mc cp file.txt myminio/mybucket/
# Upload successful

# 3. Download file
mc cp myminio/mybucket/file.txt local.txt
# Download successful

# 4. Check user permissions
mc admin user info myminio your-access-key
# Has readwrite policy

# 5. Verify bucket policy
mc anonymous get myminio/mybucket
# Policy set as expected

# 6. Test from different client
aws s3 ls s3://mybucket --endpoint-url http://minio:9000
# Bucket accessible
```
