1
0
mirror of https://github.com/minio/docs.git synced 2025-10-22 10:32:18 +03:00

DOCS-779: Fix permission set for MinIO on KES (#793)

This commit is contained in:
Ravind Kumar
2023-04-04 09:36:35 -04:00
committed by GitHub
parent d7bfff7aa2
commit f6538cadd9
12 changed files with 129 additions and 48 deletions

View File

@@ -30,9 +30,15 @@ Manager:
policy: policy:
minio: minio:
allow: allow:
- /v1/key/create/* - /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* - /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert' - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

View File

@@ -31,9 +31,15 @@ Manager:
policy: policy:
minio: minio:
allow: allow:
- /v1/key/create/* - /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* - /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert' - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

View File

@@ -30,9 +30,15 @@ Manager:
policy: policy:
minio: minio:
allow: allow:
- /v1/key/create/* - /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* - /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert' - ${MINIO_IDENTITY_HASH} # Replace with the output of 'kes identity of minio-kes.cert'

View File

@@ -30,6 +30,12 @@ You must modify this YAML to reflect your deployment environment.
- /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names - /v1/key/create/* # You can replace these wildcard '*' with a string prefix to restrict key names
- /v1/key/generate/* # e.g. '/minio-' - /v1/key/generate/* # e.g. '/minio-'
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- MINIO_IDENTITY_HASH # Replace with the output of 'kes identity of minio-kes.cert' - MINIO_IDENTITY_HASH # Replace with the output of 'kes identity of minio-kes.cert'
# In production environments, each client connecting to KES must # In production environments, each client connecting to KES must

View File

@@ -36,6 +36,11 @@ b. Create the Service File
3) Create the KES and MinIO Configurations 3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Create the KES Configuration File a. Create the KES Configuration File
Create the configuration file using your preferred text editor. Create the configuration file using your preferred text editor.

View File

@@ -36,6 +36,11 @@ b. Create the Service File
3) Create the KES and MinIO Configurations 3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Create the KES Configuration File a. Create the KES Configuration File
Create the configuration file using your preferred text editor. Create the configuration file using your preferred text editor.

View File

@@ -14,6 +14,11 @@ Prior to starting these steps, create the following folders if they do not alrea
1) Download KES and Create the Service File 1) Download KES and Create the Service File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
a. Download KES a. Download KES
.. include:: /includes/linux/common-minio-kes.rst .. include:: /includes/linux/common-minio-kes.rst

View File

@@ -66,6 +66,11 @@ Defer to the client documentation for instructions on trusting a third-party CA.
3) Create the KES and MinIO Configurations 3) Create the KES and MinIO Configurations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. container:: procedure .. container:: procedure
a. Create the KES Configuration File a. Create the KES Configuration File

View File

@@ -16,7 +16,7 @@ Server-Side Object Encryption with AWS Secrets Manager Root KMS
.. |KES-git| replace:: :minio-git:`Key Encryption Service (KES) <kes>` .. |KES-git| replace:: :minio-git:`Key Encryption Service (KES) <kes>`
.. |KES| replace:: :abbr:`KES (Key Encryption Service)` .. |KES| replace:: :abbr:`KES (Key Encryption Service)`
.. |rootkms| replace:: `AWS Secrets Manager <https://aws.amazon.com/secrets-manager/>`__ .. |rootkms| replace:: `AWS Secrets Manager <https://aws.amazon.com/secrets-manager/>`__
.. |rootkms-short| replace:: AWS Secrets Manager .. |rootkms-short| replace:: `AWS Key Management Service <https://aws.amazon.com/kms/>`__
MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). MinIO Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest).
SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure. SSE also provides key functionality to regulatory and compliance requirements around secure locking and erasure.
@@ -115,7 +115,7 @@ Prerequisites
Ensure Access to the AWS Secrets Manager and Key Management Service Ensure Access to the AWS Secrets Manager and Key Management Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure assumes access to and familiarity with |rootkms| and `|rootkms-short| <https://aws.amazon.com/kms/>`__. This procedure assumes access to and familiarity with |rootkms| and |rootkms-short|.
.. cond:: k8s .. cond:: k8s
@@ -242,20 +242,22 @@ MinIO specifically requires the following AWS settings or configurations:
Configuration Reference for AWS Root KMS Configuration Reference for AWS Root KMS
---------------------------------------- ----------------------------------------
The following section describes each of the |KES-git| configuration settings for The following section describes each of the |KES-git| configuration settings for using AWS Secrets Manager and AWS Key Management System as the root :abbr:`KMS (Key Management System)` for |SSE|:
using AWS Secrets Manager and AWS KMS as the root Key Management Service
(KMS) for |SSE|: .. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set:: .. tab-set::
.. tab-item:: YAML Overview .. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
AWS Secrets Manager as an external KMS for supporting |SSE|. You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
with matching name as the value. You can use this functionality to set As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
credentials without writing them to the configuration file.
.. code-block:: yaml .. code-block:: yaml
@@ -272,6 +274,12 @@ using AWS Secrets Manager and AWS KMS as the root Key Management Service
- /v1/key/create/* - /v1/key/create/*
- /v1/key/generate/* - /v1/key/generate/*
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY} - ${MINIO_IDENTITY}

View File

@@ -228,16 +228,20 @@ The following section describes each of the |KES-git| configuration settings for
using Azure Key Vault as the root Key Management Service using Azure Key Vault as the root Key Management Service
(KMS) for |SSE|: (KMS) for |SSE|:
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set:: .. tab-set::
.. tab-item:: YAML Overview .. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
Azure Key Vault as an external KMS for supporting |SSE|. You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
with matching name as the value. You can use this functionality to set As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
credentials without writing them to the configuration file.
.. code-block:: yaml .. code-block:: yaml
@@ -254,6 +258,12 @@ using Azure Key Vault as the root Key Management Service
- /v1/key/create/* - /v1/key/create/*
- /v1/key/generate/* - /v1/key/generate/*
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY} - ${MINIO_IDENTITY}

View File

@@ -232,20 +232,22 @@ configurations:
Configuration Reference for GCP Secret Manager Root KMS Configuration Reference for GCP Secret Manager Root KMS
------------------------------------------------------- -------------------------------------------------------
The following section describes each of the |KES-git| configuration settings for The following section describes each of the |KES-git| configuration settings for using GCP Secrets Manager as the root Key Management Service (KMS) for |SSE|:
using GCP Secrets Manager as the root Key Management Service
(KMS) for |SSE|: .. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set:: .. tab-set::
.. tab-item:: YAML Overview .. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
GCP Secret Manager as an external KMS for supporting |SSE|. You can use this functionality to set credentials without writing them to the configuration file.
Any field with value ``${VARIABLE}`` uses the environment variable The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
with matching name as the value. You can use this functionality to set As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
credentials without writing them to the configuration file.
.. code-block:: yaml .. code-block:: yaml
@@ -262,6 +264,12 @@ using GCP Secrets Manager as the root Key Management Service
- /v1/key/create/* - /v1/key/create/*
- /v1/key/generate/* - /v1/key/generate/*
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY} - ${MINIO_IDENTITY}

View File

@@ -274,19 +274,24 @@ You can use the following steps to enable AppRole authentication and create the
Configuration Reference for Hashicorp Vault Configuration Reference for Hashicorp Vault
------------------------------------------- -------------------------------------------
The following section describes each of the |KES-git| configuration settings for The following section describes each of the |KES-git| configuration settings for using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|.
using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|:
.. important::
Starting with :minio-release:`RELEASE.2023-02-17T17-52-43Z`, MinIO requires expanded KES permissions for functionality.
The example configuration in this section contains all required permissions.
.. tab-set:: .. tab-set::
.. tab-item:: YAML Overview .. tab-item:: YAML Overview
The following YAML describes the minimum required fields for configuring The following YAML describes the minimum required fields for configuring Hashicorp Vault as an external KMS for supporting |SSE|.
Hashicorp Vault as an external KMS for supporting |SSE|.
Any field with value ``${VARIABLE}`` uses the environment variable Fields with ``${<STRING>}`` use the environment variable matching the ``<STRING>`` value.
with matching name as the value. You can use this functionality to set You can use this functionality to set credentials without writing them to the configuration file.
credentials without writing them to the configuration file.
The YAML assumes a minimal set of permissions for the MinIO deployment accessing KES.
As an alternative, you can omit the ``policy.minio-server`` section and instead set the ``${MINIO_IDENTITY}`` hash as the ``${ROOT_IDENTITY}``.
.. code-block:: yaml .. code-block:: yaml
@@ -303,6 +308,12 @@ using Hashicorp Vault as the root Key Management Service (KMS) for |SSE|:
- /v1/key/create/* - /v1/key/create/*
- /v1/key/generate/* - /v1/key/generate/*
- /v1/key/decrypt/* - /v1/key/decrypt/*
- /v1/key/bulk/decrypt
- /v1/key/list
- /v1/status
- /v1/metrics
- /v1/log/audit
- /v1/log/error
identities: identities:
- ${MINIO_IDENTITY} - ${MINIO_IDENTITY}