DOCS-779: Fix permission set for MinIO on KES (#793)

2025-07-31 18:04:52 +03:00 · 2023-04-04 09:36:35 -04:00
parent d7bfff7aa2
commit f6538cadd9
12 changed files with 129 additions and 48 deletions
--- a/source/includes/common/common-minio-kes-aws.rst
+++ b/source/includes/common/common-minio-kes-aws.rst
@ -30,9 +30,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-azure.rst
+++ b/source/includes/common/common-minio-kes-azure.rst
@ -31,9 +31,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-gcp.rst
+++ b/source/includes/common/common-minio-kes-gcp.rst
@ -30,9 +30,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-hashicorp.rst
+++ b/source/includes/common/common-minio-kes-hashicorp.rst
@ -30,6 +30,12 @@ You must modify this YAML to reflect your deployment environment.
       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - MINIO_IDENTITY_HASH # Replace with the output of 'kes identity of minio-kes.cert'
                                # In production environments, each client connecting to KES must
--- a/source/includes/linux/steps-configure-minio-kes-aws.rst
+++ b/source/includes/linux/steps-configure-minio-kes-aws.rst
@ -36,6 +36,11 @@ b. Create the Service File
 3) Create the KES and MinIO Configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. important::
+
+   Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
+   The example configuration in this section contains all required permissions.
+
 a. Create the KES Configuration File

   Create the configuration file using your preferred text editor.
--- a/source/includes/linux/steps-configure-minio-kes-azure.rst
+++ b/source/includes/linux/steps-configure-minio-kes-azure.rst
@ -36,6 +36,11 @@ b. Create the Service File
 3) Create the KES and MinIO Configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. important::
+
+   Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
+   The example configuration in this section contains all required permissions.
+
 a. Create the KES Configuration File

   Create the configuration file using your preferred text editor.
--- a/source/includes/linux/steps-configure-minio-kes-gcp.rst
+++ b/source/includes/linux/steps-configure-minio-kes-gcp.rst
@ -14,6 +14,11 @@ Prior to starting these steps, create the following folders if they do not alrea
 1) Download KES and Create the Service File
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. important::
+
+   Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
+   The example configuration in this section contains all required permissions.
+
 a. Download KES

   .. include:: /includes/linux/common-minio-kes.rst
--- a/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
+++ b/source/includes/linux/steps-configure-minio-kes-hashicorp.rst
@ -66,6 +66,11 @@ Defer to the client documentation for instructions on trusting a third-party CA.
 3) Create the KES and MinIO Configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. important::
+
+   Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
+   The example configuration in this section contains all required permissions.
+
 .. container:: procedure

   a. Create the KES Configuration File