DOCS-779: Fix permission set for MinIO on KES (#793)

2025-07-30 07:03:26 +03:00 · 2023-04-04 09:36:35 -04:00
parent d7bfff7aa2
commit f6538cadd9
12 changed files with 129 additions and 48 deletions
--- a/source/includes/common/common-minio-kes-aws.rst
+++ b/source/includes/common/common-minio-kes-aws.rst
@ -30,9 +30,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-azure.rst
+++ b/source/includes/common/common-minio-kes-azure.rst
@ -31,9 +31,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-gcp.rst
+++ b/source/includes/common/common-minio-kes-gcp.rst
@ -30,9 +30,15 @@ Manager:
   policy:
     minio:
       allow:
-       - /v1/key/create/*
-       - /v1/key/generate/*
+       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
+       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

--- a/source/includes/common/common-minio-kes-hashicorp.rst
+++ b/source/includes/common/common-minio-kes-hashicorp.rst
@ -30,6 +30,12 @@ You must modify this YAML to reflect your deployment environment.
       - /v1/key/create/*   # You can replace these wildcard '*' with a string prefix to restrict key names
       - /v1/key/generate/* # e.g. '/minio-'
       - /v1/key/decrypt/*
+       - /v1/key/bulk/decrypt
+       - /v1/key/list
+       - /v1/status
+       - /v1/metrics
+       - /v1/log/audit
+       - /v1/log/error
       identities:
       - MINIO_IDENTITY_HASH # Replace with the output of 'kes identity of minio-kes.cert'
                                # In production environments, each client connecting to KES must