- Adds missing config settings throughout storage class page. Closes #1349
- Adds instructions for adding certificates for connecting by sftp. Closes #1354
- Corrects information about which key to use for self-signed CAs. Closes #1358
- Moves `context` to optional for batch key rotate jobs. Closes #1356
- clean up missing ref links causing build warnings.
Batch Key Rotation
MinIO RELEASE.2023-04-07T05-28-58Z
The MinIO Batch Framework allows you to create, manage, monitor, and
execute jobs using a YAML-formatted job definition file (a "batch
file"). The batch jobs run directly on the MinIO deployment to take
advantage of the server-side processing power without constraints of the
local machine where you run the MinIO Client.
The keyrotate batch job type cycles the sse-s3 or sse-kms keys for encrypted objects on a MinIO deployment.
The YAML configuration supports filters to restrict key rotation to a specific set of objects by creation date, tags, metadata, or KMS key. You can also define retry attempts or set a notification endpoint and token.
Key Rotate Batch Job Reference
MinIO RELEASE.2023-04-07T05-28-58Z
Use the keyrotate job type to create a batch job that cycles the sse-s3 or sse-kms keys for encrypted objects.
Required Fields
type:
Either sse-s3 or sse-kms.
key:
Only for use with the sse-kms type. The key to use to unseal the key vault.
Optional Fields
For flag-based filters
|
A string representing a length of time in Keys rotate only for objects newer than the specified length of time.
For example, |
|
A string representing a length of time in Keys rotate only for objects older than the specified length of time. |
|
A date in Keys rotate only for objects created after the date. |
|
A date in Keys rotate only for objects created prior to the date. |
context: | Only for use with the sse-kms type. The context within which to perform actions. |
tags: | Rotate keys only for objects with tags that match the specified key: and value:. |
metadata: | Rotate keys only for objects with metadata that match the specified key: and value:. |
kmskey: | Rotate keys only for objects with a KMS key-id that matches the specified value. This is only applicable for the sse-kms type. |
For notifications
endpoint: | The predefined endpoint to send events for notifications. |
token: | An optional JSON Web Token (JWT) to access the endpoint. |
For retry attempts
If something interrupts the job, you can define a maximum number of retry attempts. For each retry, you can also define how long to wait between attempts.
attempts: | Number of tries to complete the batch job before giving up. |
delay: | The amount of time to wait between each attempt. |
Sample YAML Description File for a keyrotate Job Type
Use mc batch generate to create a basic keyrotate batch job for further customization:
/includes/code/keyrotate.yaml
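An added example, not the project's template from the include above: a job definition that rotates only objects sealed under one KMS key-id and carrying a given tag, with notification and retry set. The nesting (keyrotate, encryption, flags with filter, notify and retry) is assumed to follow the template that mc batch generate emits; the bucket, prefix, key names, tag, endpoint and token are constructed placeholders.

```yaml
# Added example with constructed placeholder values; adjust before use.
keyrotate:
  apiVersion: v1
  bucket: example-bucket            # placeholder bucket name
  prefix: finance/                  # placeholder prefix to limit the scope
  encryption:
    type: sse-kms                   # required: sse-s3 or sse-kms
    key: example-new-key            # only for use with the sse-kms type
  flags:
    filter:
      # sse-kms only: rotate objects whose KMS key-id matches this value,
      # for example when moving data off a key that is being retired.
      kmskey: example-old-key
      # Rotate only objects whose tags match this key and value.
      tags:
        - key: classification
          value: restricted
    notify:
      endpoint: https://notify.example.internal/batch   # placeholder endpoint
      token: "<JWT>"                # optional token to access the endpoint
    retry:
      attempts: 5                   # tries before the job gives up
      delay: 500ms                  # wait between attempts
```

Leaving out the kmskey and tags filters applies the rotation to every encrypted object under the bucket and prefix, so check the filter block before submitting the job.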