{
   "Version":"2012-10-17",
   "Id":"PutObjectPolicy",
   "Statement":[{
         "Sid":"DenyObjectsThatAreNotSSEKMS",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::multi-key-poc/*",
         "Condition":{
            "Null":{
               "s3:x-amz-server-side-encryption-aws-kms-key-id":"true"
            }
         }
      }
   ]

{
   "Version":"2012-10-17",
   "Id":"PutObjectPolicy1",
   "Statement":[{
         "Sid":"DenyObjectsWithInvalidSSEKMS",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::multi-key-poc/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-server-side-encryption-aws-kms-key-id":"minio-default-key"
            }
         }
      }
   ]

mc admin user add myminio/ minio123 minio123

mc admin policy create myminio/ deny-non-sse-kms-pol ./docs/iam/policies/deny-non-sse-kms-objects.json
mc admin policy create myminio/ deny-invalid-sse-kms-pol ./docs/iam/policies/deny-objects-with-invalid-sse-kms-key-id.json

mc admin policy attach myminio deny-non-sse-kms-pol --user minio123
mc admin policy attach myminio deny-invalid-sse-kms-pol --user minio123

    jvmArgumentProviders.add(CommandLineArgumentProvider {
        val testVersion = testVersionProvider.get()
        if (testVersion.canCompileOrRun(9) && !testVersion.canCompileOrRun(17)) {
            listOf("--illegal-access=deny")
        } else {
            emptyList()
        }
    })
    useJUnitPlatform()

MinIO supports multiple admin users in addition to default operator credential created during server startup. New admins can be added after server starts up, and server can be configured to deny or allow access to different admin operations for these users. This document explains how to add/remove admin users and modify their access rights.

## Get started

			// the policy engine matches all Deny statements first, without regard to Resources (for KMS).
			// This is for backwards compatibility where historically KMS statements ignored Resources.
			policy: `{
						"Effect": "Allow",
						"Action": ["kms:ListKeys"]
					},{
						"Effect": "Deny",
						"Action": ["kms:ListKeys"],
						"Resource": ["arn:minio:kms:::default-test-key"]

MinIO supports multiple long term users in addition to default user created during server startup. New users can be added after server starts up, and server can be configured to deny or allow access to buckets and resources to each of these users. This document explains how to add/remove users and modify their access rights.

## Get started

	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
	defer cancel()

	// 1. Create a policy
	policy1 := "deny-svc"
	policy2 := "allow-svc"
	policyBytes := []byte(`{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Deny",
   "Action": [
    "admin:CreateServiceAccount"
   ]
  }
 ]
}`)

	newPolicyBytes := []byte(`{
 "Version": "2012-10-17",

      throw death;
    } catch (Throwable t) {
      /*
       * This is not one of AppEngine's allowed classes, so even in Sun JDKs, this can fail with
       * a NoClassDefFoundError. Other apps might deny access to sun.misc packages.
       */
      return null;
    }
  }

  /**
   * Returns the Method that can be used to resolve an individual StackTraceElement, or null if that

					errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
				return
			}
			targetUser = requestorParentUser
		}
		targetGroups = requestorGroups

		// Deny if the target user is not LDAP
		foundResult, err := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(targetUser)
		if err != nil {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}