mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00

DOCS-779: Fix permission set for MinIO on KES (#793)

This commit is contained in:
Ravind Kumar
2023-04-04 09:36:35 -04:00
committed by GitHub
parent d7bfff7aa2
commit f6538cadd9
12 changed files with 129 additions and 48 deletions


@ -16,7 +16,7 @@ Server-Side Object Encryption with AWS Secrets Manager Root KMS
.. |KES-git| replace:: :minio-git:`Key Encryption Service (KES) <kes>`
.. |KES| replace:: :abbr:`KES (Key Encryption Service)`
.. |rootkms| replace:: `AWS Secrets Manager <https://aws.amazon.com/secrets-manager/>`__
.. |rootkms-short| replace:: AWS Secrets Manager
.. |rootkms-short| replace:: `AWS Key Management Service <https://aws.amazon.com/kms/>`__
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).
SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
@ -115,7 +115,7 @@ Prerequisites
Ensure Access to the AWS Secrets Manager and Key Management Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure assumes access to and familiarity with |rootkms| and `|rootkms-short| <https://aws.amazon.com/kms/>`__.
This procedure assumes access to and familiarity with |rootkms| and |rootkms-short|.
.. cond:: k8s
@ -242,20 +242,22 @@ MinIO specifically requires the following AWS settings or configurations:
Configuration Reference for AWS Root KMS
----------------------------------------
The following section describes each of the |KES-git| configuration settings for
using AWS Secrets Manager and AWS KMS as the root Key Management Service
(KMS) for |SSE|:
The following section describes each of the |KES-git| configuration settings for using AWS Secrets Manager and AWS Key Management System as the root :abbr:`KMS (Key Management System)` for |SSE|:
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set::
.. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring
AWS Secrets Manager as an external KMS for supporting |SSE|.
Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable
with matching name as the value. You can use this functionality to set
credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
.. code-block:: yaml
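Review bot: The new closing paragraph presents setting `${MINIO_IDENTITY}` as `${ROOT_IDENTITY}` as a plain alternative to the `policy.minio-server` block, but the KES root identity is not subject to policy evaluation at all: it may call every KES API, including policy and identity administration, so this "alternative" hands the MinIO server full control of the KES instance instead of the minimal permission set the sentence before it describes. Suggest a `.. warning::` or at least a clause such as "this grants MinIO unrestricted access to KES and is not recommended outside of testing" so the shortcut is not read as equivalent. Minor: the rewritten intro sentence says "AWS Key Management System" and expands the abbreviation as "KMS (Key Management System)", while the `|rootkms-short|` substitution added in this same commit correctly says Key Management Service; use "Service" in both places.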
@ -269,9 +271,15 @@ using AWS Secrets Manager and AWS KMS as the root Key Management Service
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
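Review bot: Five of the six added paths (`/v1/key/list`, `/v1/status`, `/v1/metrics`, `/v1/log/audit`, `/v1/log/error`) are not encryption operations, and the `.. important::` note above only says MinIO "requires expanded KES permissions for functionality" without saying which MinIO feature needs which path. `/v1/key/list` exposes the names of every key in KES, and `/v1/log/audit` streams the audit records of every KES identity, not only MinIO's. A short table or comment per entry (for example: `/v1/key/bulk/decrypt` for SSE, `/v1/status` and `/v1/metrics` for `mc admin kms` health checks, the `/v1/log/*` entries for log forwarding) would let an operator who does not use those features drop the entries and keep the policy minimal, which is the stated goal of the section. The `/v1/key/create/*` wildcard also deserves a sentence, since it lets MinIO create keys under any name rather than only the configured default key.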


@ -228,16 +228,20 @@ The following section describes each of the |KES-git| configuration settings for
using Azure Key Vault as the root Key Management Service
(KMS) for |SSE|:
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set::
.. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring
Azure Key Vault as an external KMS for supporting |SSE|.
Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable
with matching name as the value. You can use this functionality to set
credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
.. code-block:: yaml
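Review bot: The new `.. important::` block says MinIO "requires expanded KES permissions for functionality" as of the named release but never says what an operator running the old three-entry policy will observe, so it is not actionable during an upgrade. Suggest stating which operations fail (for example, the KES status and metrics views, bulk decrypt on read) and pointing to the KES error the operator will see, so a failing deployment can be matched to this note. The sentence also repeats verbatim in the AWS, GCP and Vault files in this commit; if that wording is kept, a single `.. include::` snippet would keep the four copies from drifting.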
@ -251,9 +255,15 @@ using Azure Key Vault as the root Key Management Service
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}
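Review bot: This `policy.minio-server` allow list is byte-for-byte identical to the lists added to the AWS, GCP and Vault files in the same commit, and this commit exists precisely because the old three-entry list had to be corrected in four places. Suggest moving the `policy:` fragment into one shared `.. include::` file (or a `.. literalinclude::` of a single YAML snippet) so the next permission change is made once. If the lists are intentionally kept separate because a provider might need a different set, a comment in each file saying so would stop a future editor from "fixing" a deliberate difference.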


@ -232,20 +232,22 @@ configurations:
Configuration Reference for GCP Secret Manager Root KMS
-------------------------------------------------------
The following section describes each of the |KES-git| configuration settings for
using GCP Secrets Manager as the root Key Management Service
(KMS) for |SSE|:
The following section describes each of the |KES-git| configuration settings for using GCP Secrets Manager as the root Key Management Service (KMS) for |SSE|:
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set::
.. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring
GCP Secret Manager as an external KMS for supporting |SSE|.
Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable
with matching name as the value. You can use this functionality to set
credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
.. code-block:: yaml
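Review bot: The rewritten intro sentence says "GCP Secrets Manager" while the section heading two lines above and the YAML Overview sentence below both say "GCP Secret Manager", which is the product's actual name. Since the line is being rewritten anyway, drop the extra "s". Same remark as for the other providers on the closing paragraph: presenting "set the `${MINIO_IDENTITY}` hash as the `${ROOT_IDENTITY}`" as an alternative to the minimal policy without noting that the root identity bypasses KES policy entirely invites readers to take the insecure shortcut.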
@ -259,9 +261,15 @@ using GCP Secrets Manager as the root Key Management Service
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}


@ -274,19 +274,24 @@ You can use the following steps to enable AppRole authentication and create the
Configuration Reference for Hashicorp Vault
-------------------------------------------
The following section describes each of the |KES-git| configuration settings for
using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|:
The following section describes each of the |KES-git| configuration settings for using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|.
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set::
.. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring
Hashicorp Vault as an external KMS for supporting |SSE|.
The following YAML describes the minimum required fields for configuring Hashicorp Vault as an external KMS for supporting |SSE|.
Any field with value ``${VARIABLE}`` uses the environment variable
with matching name as the value. You can use this functionality to set
credentials without writing them to the configuration file.
Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
You can use this functionality to set credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
.. code-block:: yaml
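Review bot: The rewritten intro sentence ends with a period (`... for |SSE|.`) where the removed line and the parallel sentences in the AWS, Azure and GCP files end with a colon introducing the `.. important::` and tab set that follow; keep the colon for consistency. While touching these lines, "Hashicorp" should be "HashiCorp" in both the heading and the prose, matching the vendor's spelling used elsewhere in the docs.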
@ -300,9 +305,15 @@ using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|:
policy:
minio-server:
allow:
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/create/*
- /v1/key/generate/*
- /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities:
- ${MINIO_IDENTITY}