mirror of https://github.com/minio/docs.git synced 2025-12-07 08:22:13 +03:00
docs/source/administration/batch-framework-job-keyrotate.rst
Allan Roger Reid 2208441e31 Specify RFC3339 and not ISO-8601 date and time (#1419)
MinIO uses RFC3339 date and time formatting and not ISO-8601. RFC3339
requires that there be a `T` as part of the date and time separation.
ISO-8601 allows a space.
The documentation also currently refers to using a date in the batch
framework; this should be an RFC3339 date and time.
e.g.
```
mc batch start play expire.yaml
mc: <ERROR> Unable to start job. We encountered an internal error, please try again.: cause(parsing time "2006-01-02 15:04:05.00Z" as "2006-01-02T15:04:05Z07:00": cannot parse " 15:04:05.00Z" as "T").

```

---------

Co-authored-by: Ravind Kumar <ravindk89@gmail.com>
2025-02-18 14:25:57 -05:00


Batch Key Rotation


MinIO RELEASE.2023-04-07T05-28-58Z

The MinIO Batch Framework allows you to create, manage, monitor, and execute jobs using a YAML-formatted job definition file (a "batch file"). The batch jobs run directly on the MinIO deployment to take advantage of the server-side processing power without the constraints of the local machine where you run the MinIO Client.

The keyrotate batch job type cycles the sse-s3 or sse-kms keys for encrypted objects on a MinIO deployment.

The YAML configuration supports filters to restrict key rotation to a specific set of objects by creation date, tags, metadata, or KMS key. You can also define retry attempts or set a notification endpoint and token.

Key Rotate Batch Job Reference

MinIO RELEASE.2023-04-07T05-28-58Z

Use the keyrotate job type to create a batch job that cycles the sse-s3 or sse-kms keys for encrypted objects.

Required Fields

type: Either sse-s3 or sse-kms.
key: Only for use with the sse-kms type. The key to use to unseal the key vault.

Optional Fields

For flag-based filters

newerThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects newer than the specified length of time. For example, 7d, 24h, 5d12h30s are valid strings.

olderThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects older than the specified length of time.

createdAfter:

A date and time in RFC 3339 format (YYYY-MM-DDTHH:MM:SSZ).

Keys rotate only for objects created after the date.

createdBefore:

A date and time in RFC 3339 format (YYYY-MM-DDTHH:MM:SSZ).

Keys rotate only for objects created prior to the date.

context: Only for use with the sse-kms type. The context within which to perform actions.
tags: Rotate keys only for objects with tags that match the specified key: and value:.
metadata: Rotate keys only for objects with metadata that matches the specified key: and value:.
kmskey: Rotate keys only for objects with a KMS key-id that matches the specified value. This is only applicable for the sse-kms type.
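
A pre-flight check for the time-based filter values above, so that a malformed value is caught before the key rotation job is submitted. This is an added example, not MinIO's code: the function names are hypothetical, `ParseAge` assumes a strict reading of the documented `#d#h#s` form (the server may accept more), and `ParseCreated` uses Go's `time.RFC3339` layout, the one quoted in the error shown in the commit message.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Assumed strict form: optional days, hours, seconds, in that order.
// Digit runs are bounded so the conversions below cannot overflow.
var ageRe = regexp.MustCompile(`^(?:(\d{1,6})d)?(?:(\d{1,6})h)?(?:(\d{1,6})s)?$`)

// ParseAge converts a newerThan/olderThan value such as "5d12h30s".
func ParseAge(v string) (time.Duration, error) {
	m := ageRe.FindStringSubmatch(v)
	if v == "" || m == nil {
		return 0, fmt.Errorf("%q is not in #d#h#s form", v)
	}
	var total time.Duration
	for i, unit := range []time.Duration{24 * time.Hour, time.Hour, time.Second} {
		// Atoi only fails here for a unit that was left out (empty group).
		if n, err := strconv.Atoi(m[i+1]); err == nil {
			total += time.Duration(n) * unit
		}
	}
	return total, nil
}

// ParseCreated validates a createdAfter/createdBefore value as RFC 3339.
// A space-separated value is rejected with a hint showing the "T" form.
func ParseCreated(v string) (time.Time, error) {
	t, err := time.Parse(time.RFC3339, v)
	if err == nil {
		return t, nil
	}
	if len(v) > 10 && v[10] == ' ' {
		fixed := v[:10] + "T" + v[11:]
		if _, e := time.Parse(time.RFC3339, fixed); e == nil {
			return time.Time{}, fmt.Errorf("%q uses a space; write %q", v, fixed)
		}
	}
	return time.Time{}, fmt.Errorf("%q is not RFC 3339: %w", v, err)
}

func main() {
	fmt.Println(ParseAge("5d12h30s")) // example string from the field reference
	fmt.Println(ParseCreated("2006-01-02 15:04:05.00Z")) // value from the commit message error
}
```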

For notifications

endpoint: The predefined endpoint to send events for notifications.
token: An optional JSON Web Token (JWT) to access the endpoint.

For retry attempts

If something interrupts the job, you can define a maximum number of retry attempts. For each retry, you can also define how long to wait between attempts.

attempts: Number of tries to complete the batch job before giving up.
delay: The amount of time to wait between each attempt.

Sample YAML Description File for a keyrotate Job Type

Use mc batch generate to create a basic keyrotate batch job for further customization:

/includes/code/keyrotate.yaml