diff --git a/tf-stage-1/service_minio.tf b/tf-stage-1/service_minio.tf
new file mode 100644
index 0000000..b687b40
--- /dev/null
+++ b/tf-stage-1/service_minio.tf
@@ -0,0 +1,85 @@
+module "minioclient" {
+ source = "./modules/kc-client"
+
+ realm = var.realm
+ client_id = "minio"
+ client_name = "minio"
+ description = "minio.tobiasmanske.de"
+ root_url = "https://minio.tobiasmanske.de"
+ admin_url = ""
+ base_url = ""
+ valid_redirect_uris = ["https://minio.tobiasmanske.de/oauth_callback"]
+ web_origins = []
+}
+
+
+resource "keycloak_openid_user_session_note_protocol_mapper" "minio-client-id-mapper" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "Client ID"
+
+ claim_name = "clientId"
+ claim_value_type = "String"
+ session_note = "clientId"
+}
+resource "keycloak_openid_user_session_note_protocol_mapper" "minio-client-host-mapper" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "Client Host"
+
+ claim_name = "clientHost"
+ claim_value_type = "String"
+ session_note = "clientHost"
+}
+resource "keycloak_openid_user_session_note_protocol_mapper" "minio-client-ip-address-mapper" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "Client Address"
+
+ claim_name = "clientAddress"
+ claim_value_type = "String"
+ session_note = "clientAddress"
+}
+
+resource "keycloak_openid_user_client_role_protocol_mapper" "minio-role-mapper" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ client_id_for_role_mappings = module.minioclient.client.id
+ multivalued = true
+ name = "user-client-role-mapper"
+ claim_name = "roles"
+ add_to_userinfo = true
+ add_to_access_token = true
+ add_to_id_token = true
+}
+
+resource "keycloak_role" "minio-consoleAdmin" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "consoleAdmin"
+ description = ""
+}
+resource "keycloak_role" "minio-diagnostics" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "diagnostics"
+ description = ""
+}
+resource "keycloak_role" "minio-readonly" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "readonly"
+ description = ""
+}
+resource "keycloak_role" "minio-readwrite" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "readwrite"
+ description = ""
+}
+resource "keycloak_role" "minio-writeonly" {
+ realm_id = module.minioclient.realm.id
+ client_id = module.minioclient.client.id
+ name = "writeonly"
+ description = ""
+}
diff --git a/tf-stage-1/user_rad4day.tf b/tf-stage-1/user_rad4day.tf
index dda6310..38da263 100644
--- a/tf-stage-1/user_rad4day.tf
+++ b/tf-stage-1/user_rad4day.tf
@@ -12,9 +12,20 @@ resource "keycloak_user_groups" "rad4day_groups" {
 module.giteaclient.admin_group.id,
 module.grafanaclient.access_group.id,
 module.grafanaclient.admin_group.id,
+ module.minioclient.access_group.id,
 module.hedgedocclient.access_group.id,
 module.minifluxclient.access_group.id,
 module.synapseclient.access_group.id,
 module.seafileclient.access_group.id,
 ]
 }
+
+
+resource "keycloak_user_roles" "rad4day_roles" {
+ realm_id = data.keycloak_realm.realm.id
+ user_id = data.keycloak_user.rad4day.id
+
+ role_ids = [
+ keycloak_role.minio-consoleAdmin.id,
+ ]
+}
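Review bot: The `minio-role-mapper` emits the user's client roles under `claim_name = "roles"`, but nothing in this file records that MinIO has to be configured to read that claim (its policy claim defaults, as far as I recall, to `policy` and is set via `MINIO_IDENTITY_OPENID_CLAIM_NAME`); a one-line comment above the mapper such as `# MinIO must be configured with claim name "roles" (MINIO_IDENTITY_OPENID_CLAIM_NAME) so these map to its built-in policies` would capture the cross-service dependency. The three `keycloak_openid_user_session_note_protocol_mapper` resources (`clientId`, `clientHost`, `clientAddress`) mirror Keycloak's default service-account mappers, and to my knowledge those session notes are only populated for client_credentials sessions, so for the browser login implied by the single exact `valid_redirect_uris` entry they will be empty claims — confirm they are needed (e.g. for STS client grants) or drop them. The five `keycloak_role` resources all have `description = ""`; stating which MinIO policy each corresponds to (e.g. `description = "MinIO built-in policy: full admin on the console and all buckets"` for consoleAdmin) documents that consoleAdmin is the full-admin policy and should be granted sparingly.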
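Review bot: `keycloak_user_roles.rad4day_roles` is, as far as I recall of the Keycloak provider, exhaustive by default (`exhaustive = true`), so it becomes the sole owner of rad4day's direct role mappings and will remove any role granted to this user outside Terraform or in another `keycloak_user_roles` block — confirm no such mappings exist, or set `exhaustive = false` if the intent is only to add consoleAdmin. Granting the full-admin `consoleAdmin` role directly to a user also diverges from how the other clients in this list are handled through `admin_group` memberships; if the kc-client module exposes an admin group for minio, binding the role to that group with `keycloak_group_roles` and adding the user to the group keeps MinIO admin access auditable in one place, and `realm_id` could then reference `module.minioclient.realm.id` like the client file does rather than `data.keycloak_realm.realm.id`. The `keycloak_user_groups` resource that receives the new `module.minioclient.access_group.id` entry begins above the hunk.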