minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-04-19 21:02:14 +03:00
Code
docs/source/administration/batch-framework-job-keyrotate.rst
Ravind Kumar a065b7a29f
DOCS-1083: MinIO Server Release RELEASE.2023-12-02T10-51-33Z (#1097) 
# Summary

Closes #1083 

Also reorganizes the batch framework pages. Could use additional
refinement, but considering that out of scope for now.

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
2024-01-02 14:25:04 -05:00

3.7 KiB
Raw Permalink Blame History

Batch Key Rotation

minio

Table of Contents

MinIO RELEASE.2023-04-07T05-28-58Z

The MinIO Batch Framework allows you to create, manage, monitor, and execute jobs using a YAML-formatted job definition file (a "batch file"). The batch jobs run directly on the MinIO deployment to take advantage of the server-side processing power without constraints of the local machine where you run the MinIO Client <minio-client>.

The keyrotate batch job type cycles the sse-s3 or sse-kms keys <minio-sse-data-encryption> for encrypted objects on a MinIO deployment.

The YAML configuration supports filters to restrict key rotation to a specific set of objects by creation date, tags, metadata, or kms key. You can also define retry attempts or set a notification endpoint and token.

Key Rotate Batch Job Reference

MinIO RELEASE.2023-04-07T05-28-58Z

Use the keyrotate job type to create a batch job that cycles the sse-s3 or sse-kms keys <minio-sse-data-encryption> for encrypted objects.

Required Fields

type: Either sse-s3 or sse-kms.
key: Only for use with the sse-kms type. The key to use to unseal the key vault.
context: Only for use with the sse-kms type. The context within which to perform actions.

Optional Fields

For flag based filters

newerThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects newer than the specified length of time. For example, 7d, 24h, 5d12h30s are valid strings.

olderThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects older than the specified length of time.

createdAfter:

A date in YYYY-MM-DD format.

Keys rotate only for objects created after the date.

createdBefore:

A date in YYYY-MM-DD format.

Keys rotate only for objects created prior to the date.
tags: Rotate keys only for objects with tags that match the specified key: and value:.
metadata: Rotate keys only for objects with metadata that match the specified key: and value:.
kmskey: Rotate keys only for objects with a KMS key-id that match the specified value. This is only applicable for the sse-kms type.

For notifications

endpoint: The predefined endpoint to send events for notifications.
token: An optional JSON Web Token (JWT) to access the endpoint.

For retry attempts

If something interrupts the job, you can define a maximum number of retry attempts. For each retry, you can also define how long to wait between attempts.

attempts: Number of tries to complete the batch job before giving up.
delay: The amount of time to wait between each attempt.

Sample YAML Description File for a keyrotate Job Type

Use mc batch generate to create a basic keyrotate batch job for further customization:

/includes/code/keyrotate.yaml