Deploy MinIO Tenant with Server-Side Encryption using AWS SecretsManager
1) Access the Operator Console
Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
kubectl minio proxy
The command returns output similar to the following:
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page.
Click the + Create Tenant button to start creating a MinIO Tenant.
2) Complete the Encryption Section
To enable SSE with AWS Key Management Service during Tenant deployment, select the Encryption section and toggle the switch to Enabled. You can then change the Vault radio button to AWS to display the configuration settings.
An asterisk * marks required fields. The following table provides general guidance for those fields:
Field | Description |
---|---|
Endpoint, Region | The hostname and AWS region for the AWS Secrets Manager instance ( The MinIO Tenant KES pods must have network access to the specified endpoint. This procedure assumes that your Kubernetes network configuration supports routing internal traffic to external networks like the public internet. |
Access Key, Secret Key, Token | Specify the AWS User Access Key and Secret Key MinIO should use when authenticating to the Vault service. Review the AWS Prerequisites for instructions on generating these values. |
Once you have completed the AWS KMS configuration, you can finish any remaining sections of Tenant Deployment.
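A pre-flight check for the Endpoint, Region, Access Key and Token values before they go into the form, as an added example that is not part of the MinIO documentation. The function names are hypothetical and the sample values are constructed; the `secretsmanager.<region>.amazonaws.com` hostname form and the `AKIA` (long-term) / `ASIA` (temporary) key ID prefixes are AWS conventions assumed here, not stated on this page.

```shell
#!/bin/sh
# Added example: sanity-check values destined for the Encryption > AWS fields.
# Function names are hypothetical; all sample values below are constructed.

# Print the region encoded in a regional Secrets Manager hostname
# (secretsmanager[-fips].<region>.amazonaws.com); return 1 for anything else.
endpoint_region() {
  _host=${1#*://}          # tolerate a pasted scheme
  _host=${_host%%/*}       # drop any path
  _host=${_host%%:*}       # drop any port
  case $_host in
    secretsmanager.*.amazonaws.com|secretsmanager-fips.*.amazonaws.com) ;;
    *) return 1 ;;
  esac
  _r=${_host#*.}           # strip the service label
  _r=${_r%.amazonaws.com}  # strip the AWS suffix
  case $_r in
    ''|*[!a-z0-9-]*) return 1 ;;   # region must be one DNS label
  esac
  printf '%s\n' "$_r"
}

# Args: endpoint region access-key-id token. Prints one line per finding
# and returns the number of findings (0 means the values are consistent).
check_kes_aws_fields() {
  _ep=$1 _region=$2 _akid=$3 _token=$4 _n=0
  if ! _er=$(endpoint_region "$_ep"); then
    echo "endpoint: not a regional Secrets Manager hostname: $_ep"; _n=$((_n+1))
  elif [ "$_er" != "$_region" ]; then
    echo "region: form says $_region but endpoint is in $_er"; _n=$((_n+1))
  fi
  case $_akid in
    ASIA*) [ -n "$_token" ] || {
             echo "token: temporary (ASIA) key requires a session token"; _n=$((_n+1)); } ;;
    AKIA*) [ -z "$_token" ] || {
             echo "token: set, but the key ID is long-term (AKIA)"; _n=$((_n+1)); } ;;
    *)     echo "access key: unrecognised key ID prefix"; _n=$((_n+1)) ;;
  esac
  return "$_n"
}

# Constructed sample: region mismatch plus a temporary key with no token.
check_kes_aws_fields secretsmanager.us-east-2.amazonaws.com eu-west-1 \
  ASIAEXAMPLEKEYID0000 "" || echo "$? finding(s)"
```

The secret key is deliberately not an argument, so it never appears in shell history or the process list.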