Feature Request setting of policies for service-accounts/Access Tokens

[John-Vaughan]

would it be possible to set up
admin service-account
to allow setting of policies for the service-account/Access Token?

I'm not quite sure how it would be best formatted for the json to be passed as a command line argument

since for the project I'm working on the Idea is to have the tokens generated via the CLI ( If it can be done via API directly to the rust FS then give me some pointers and I could probably use that instead), to generate and update and remove access tokens for access to specified buckets

CLI : built from commit 0811c91
RustFS : 1.0.0-alpha.85

[overtrue]

Thanks for reporting this. I re-verified on current main (commit 0811c91) against rustfs/rustfs:latest: service-account policy assignment is already supported via admin service-account create --policy <json-file>.

Example:

rc admin service-account create local/ SAKEY123 SASECRET123 --policy ./service-account-policy.json

I also verified the created service account returns the policy in rc admin service-account info.
If you need policy updates for an existing service account without recreating credentials, please open a dedicated enhancement issue and we can track that flow separately.

[overtrue]

Thanks for the request. To make this actionable, could you share a concrete expected CLI UX and one example payload?

Specifically:

1. Which exact command shape do you want ( or a new subcommand)?
2. Should policy be passed as inline JSON, file path, or both?
3. Do you expect creating a service-account with policy in one step, or updating policy on existing accounts too?
4. A minimal end-to-end example command you want to run.

With that, we can map this into a clear CLI contract and implementation plan.

[overtrue]

Small correction to item 1 above (shell escaped earlier):

• Which exact command shape do you want, for example rc admin service-account add ... or a new subcommand?

[John-Vaughan]

so, I confirm that the --policy flag works, I think what would be beneficial is some type of update command, since currently you'd have to remove the service-account/ access token and then re add it with updated policy, however the flow of removing then re adding works fine, The only issue though is if you don't save the secret, you then can't recreate it

[John-Vaughan]

you can Close the issue if you want if you think the command is unneeded, for purposes of the project I'm working on it's all functional now, note it probably would be worth noting in the documentation that you can do --policy
since the --help doesn't specify it for the command