docs/source/includes/common-replication.rst

MinIO supports replication of objects encrypted using SSE-KMS <minio-encryption-sse-kms> and SSE-S3 <minio-encryption-sse-s3>:

• For objects encrypted using SSE-KMS, MinIO requires that the target bucket support SSE-KMS encryption of objects using the same key names used to encrypt objects on the source bucket.
• For objects encrypted using SSE-S3 <minio-encryption-sse-s3>, MinIO requires that the target bucket also support SSE-S3 encryption of objects regardless of key name.

As part of the replication process, MinIO decrypts the object on the source bucket and transmits the unencrypted object over the network. The destination MinIO deployment then re-encrypts the object using the encryption settings from the target. MinIO therefore strongly recommends enabling TLS <minio-TLS> on both source and destination deployments to ensure the safety of objects during transmission.

MinIO does not support replicating client-side encrypted objects (SSE-C).

MinIO server-side replication only works between MinIO deployments. Both the source and destination deployments must run MinIO Server with matching versions.

To configure replication between arbitrary S3-compatible services, use mc mirror.

MinIO relies on the immutability protections provided by versioning <minio-bucket-versioning> to support replication and resynchronization.

Use mc version info to validate the versioning status of both the source and remote buckets. Use the mc version enable command to enable versioning as necessary.

If you exclude a prefix or folder from versioning within the source bucket, MinIO cannot replicate objects within that folder or prefix.

MinIO supports replicating objects held under WORM Locking <minio-object-locking>. Both replication buckets must have object locking enabled for MinIO to replicate the locked object. For active-active configuration, MinIO recommends using the same retention rules on both buckets to ensure consistent behavior across sites.

You must enable object locking during bucket creation as per S3 behavior. You can then configure object retention rules at any time. Configure the necessary rules on the unhealthy target bucket prior to beginning this procedure.

Bucket replication requires specific permissions on the source and destination deployments to configure and enable replication rules.

Replication Admin

The following policy provides permissions for configuring and enabling replication on a deployment.

/extra/examples/ReplicationAdminPolicy.json

• The "EnableRemoteBucketConfiguration" statement grants permission for creating a remote target for supporting replication.
• The "EnableReplicationRuleConfiguration" statement grants permission for creating replication rules on a bucket. The "arn:aws:s3:::* resource applies the replication permissions to any bucket on the source deployment. You can restrict the user policy to specific buckets as-needed.

The following code creates a MinIO-managed user <minio-users> with the necessary policy. Replace the TARGET with the alias <alias> of the MinIO deployment on which you are configuring replication:

wget -O - https://min.io/docs/minio/linux/examples/ReplicationAdminPolicy.json | \
mc admin policy create TARGET ReplicationAdminPolicy /dev/stdin
mc admin user add TARGET ReplicationAdmin LongRandomSecretKey
mc admin policy attach TARGET ReplicationAdminPolicy --user=ReplicationAdmin

MinIO deployments configured for Active Directory/LDAP <minio-external-identity-management-ad-ldap> or OpenID Connect <minio-external-identity-management-openid> user management should instead create a dedicated access keys <minio-idp-service-account> for bucket replication.

Replication Remote User

The following policy provides permissions for enabling synchronization of replicated data into the deployment.

/extra/examples/ReplicationRemoteUserPolicy.json

• The "EnableReplicationOnBucket" statement grants permission for a remote target to retrieve bucket-level configuration for supporting replication operations on all buckets in the MinIO deployment. To restrict the policy to specific buckets, specify those buckets as an element in the Resource array similar to "arn:aws:s3:::bucketName".
• The "EnableReplicatingDataIntoBucket" statement grants permission for a remote target to synchronize data into any bucket in the MinIO deployment. To restrict the policy to specific buckets, specify those buckets as an element in the Resource array similar to "arn:aws:s3:::bucketName/*".

The following code creates a MinIO-managed user <minio-users> with the necessary policy. Replace TARGET with the alias <alias> of the MinIO deployment on which you are configuring replication:

wget -O - https://min.io/docs/minio/linux/examples/ReplicationRemoteUserPolicy.json | \
mc admin policy create TARGET ReplicationRemoteUserPolicy /dev/stdin
mc admin user add TARGET ReplicationRemoteUser LongRandomSecretKey
mc admin policy attach TARGET ReplicationRemoteUserPolicy --user=ReplicationRemoteUser

MinIO deployments configured for Active Directory/LDAP <minio-external-identity-management-ad-ldap> or OpenID Connect <minio-external-identity-management-openid> user management should instead create a dedicated access keys <minio-idp-service-account> for bucket replication.

See mc admin user, mc admin user svcacct, and mc admin policy for more complete documentation on adding users, access keys, and policies to a MinIO deployment.

MinIO supports specifying either asynchronous (default) or synchronous replication for a given remote target.

With asynchronous replication, MinIO completes the originating PUT operation before placing the object into a replication queue <minio-replication-process>. The originating client may therefore see a successful PUT operation before the object is replicated. While this may result in stale or missing objects on the remote, it mitigates the risk of slow write operations due to replication load.

With synchronous replication, MinIO attempts to replicate the object prior to completing the originating PUT operation. MinIO returns a successful PUT operation whether or not the replication attempt succeeds. This reduces the risk of slow write operations at a possible cost of stale or missing objects on the remote location.

Each MinIO deployment ("peer site") synchronizes the following changes across the other peer sites:

• Creation, modification, and deletion of buckets and objects, including
  • Bucket and Object Configurations
  • Policies <minio-policy>
  • mc tag set
  • Locks <minio-object-locking>, including retention and legal hold configurations
  • Encryption settings <minio-encryption-overview>
• Creation and deletion of IAM users, groups, policies, and policy mappings to users or groups (for LDAP users or groups)
• Creation of Security Token Service (STS) credentials for session tokens verifiable from the local root credentials
• Creation and deletion of access keys <minio-mc-admin-user-svcacct> (except those owned by the root user)

Site replication enables bucket versioning <minio-bucket-versioning> for all new and existing buckets on all replicated sites.

MinIO deployments in a site replication configuration do not replicate the creation or modification of the following items:

• Bucket notifications <minio-bucket-notifications>
• Lifecycle management (ILM) configurations <minio-lifecycle-management>
• Site configuration settings <minio-mc-admin-config>

Specify the URL or IP address of the site's load balancer, reverse proxy, or similar network control plane component. Requests are automatically routed to nodes in the deployment.

MinIO recommends against using a single node hostname for a peer site. This creates a single point of failure: if that node goes offline, replication fails.