web-app-minio: manage OIDC policy via containerized mc and fix policy JSON

- Use dockerized mc with MC_HOST_minio (stateless), no temp files/dirs - Create only RAW policy name with slash to match Keycloak claim - Split policy: s3:* on S3 ARNs; admin:* on Resource "*" - Add mc vars (image, MC_HOST components) to vars/main.yml - Remove unused Ollama dependency block from tasks Refs: ChatGPT conversation → https://chatgpt.com/share/68d1eab9-a35c-800f-aa81-76fb2101bd93
2025-09-24 19:16:26 +02:00 · 2025-09-23 02:33:35 +02:00
parent 7a119c3175
commit 75c36a1d71
3 changed files with 44 additions and 23 deletions
--- a/roles/web-app-minio/templates/policy.json.j2
+++ b/roles/web-app-minio/templates/policy.json.j2
@@ -3,14 +3,16 @@
  "Statement": [
    {
      "Effect": "Allow",
-      "Action": [
-        "s3:*",
-        "admin:*"
-      ],
+      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::*",
-        "arn:minio:admin:::*"
+        "arn:aws:s3:::*/*"
      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["admin:*"],
+      "Resource": ["*"]
    }
  ]
 }