From 566271ef62058e8f87b88b1e90782c547e3c2dcd Mon Sep 17 00:00:00 2001 From: Daryl White <53910321+djwfyi@users.noreply.github.com> Date: Fri, 4 Apr 2025 09:33:06 -0400 Subject: [PATCH 1/2] Adds kms policy actions to the PBAC page Closes #1283 --- .../policy-based-access-control.rst | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/source/administration/identity-access-management/policy-based-access-control.rst b/source/administration/identity-access-management/policy-based-access-control.rst index 422d06ee..0afc1846 100644 --- a/source/administration/identity-access-management/policy-based-access-control.rst +++ b/source/administration/identity-access-management/policy-based-access-control.rst 
@@ -709,6 +709,69 @@ MinIO extends the S3 standard condition keys with the following extended key: ] } +Support kms action keys +----------------------- + +MinIO supports restricting key management service (KMS) actions by policy. + +You can restrict KMS activities in a policy with any of the following KMS actions: + +.. policy-action:: kms:Status + + Check the status of KMS. + +.. policy-action:: kms:Metrics + + Obtain Prometheus-formatted metrics. + +.. policy-action:: kms:API + + List supported API endpoints. + +.. policy-action:: kms:Version + + Retrieve the KMS version. + +.. policy-action:: kms:CreateKey + + Create a new KMS key. + +.. policy-action:: kms:ListKeys + + Retrieve a list of existing KMS keys. + +.. policy-action:: kms:KeyStatus + + Retrieve the status of a specified KMS key. + +.. versionchanged:: RELEASE.2024-07-16T23-46-41Z + + KMS actions can be restricted by resource or a resource prefix. + The wildcard character ``*`` can be used to apply the KMS action policy to all resources that match the prefix. + + For example, the following policy document allows a user to list keys, create new keys, and check the status of keys for any resource that begins with ``keys-abc-`` or ``myuser-``. + + .. codeblock:: shell + :class: copyable + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:CreateKey", + "kms:KeyStatus", + "kms:ListKeys" + ], + "Resource": [ + "arn:minio:kms:::keys-abc-*", + "arn:minio:kms:::myuser-*" + ] + } + ] + } + .. _minio-policy-mc-admin-actions: ``mc admin`` Policy Action Keys From 0217636bf8ab1dc9425422e6e01ec1347b1313f9 Mon Sep 17 00:00:00 2001 From: Daryl White <53910321+djwfyi@users.noreply.github.com> Date: Fri, 4 Apr 2025 09:39:24 -0400 Subject: [PATCH 2/2] Add reference from old action keys and move section --- .../policy-based-access-control.rst | 132 +++++++++--------- 1 file changed, 69 insertions(+), 63 deletions(-) 
diff --git a/source/administration/identity-access-management/policy-based-access-control.rst b/source/administration/identity-access-management/policy-based-access-control.rst index 0afc1846..7e9e0cf3 100644 --- a/source/administration/identity-access-management/policy-based-access-control.rst +++ b/source/administration/identity-access-management/policy-based-access-control.rst @@ -709,69 +709,6 @@ MinIO extends the S3 standard condition keys with the following extended key: ] } -Support kms action keys ------------------------ - -MinIO supports restricting key management service (KMS) actions by policy. - -You can restrict KMS activities in a policy with any of the following KMS actions: - -.. policy-action:: kms:Status - - Check the status of KMS. - -.. policy-action:: kms:Metrics - - Obtain Prometheus-formatted metrics. - -.. policy-action:: kms:API - - List supported API endpoints. - -.. policy-action:: kms:Version - - Retrieve the KMS version. - -.. policy-action:: kms:CreateKey - - Create a new KMS key. - -.. policy-action:: kms:ListKeys - - Retrieve a list of existing KMS keys. - -.. policy-action:: kms:KeyStatus - - Retrieve the status of a specified KMS key. - -.. versionchanged:: RELEASE.2024-07-16T23-46-41Z - - KMS actions can be restricted by resource or a resource prefix. - The wildcard character ``*`` can be used to apply the KMS action policy to all resources that match the prefix. - - For example, the following policy document allows a user to list keys, create new keys, and check the status of keys for any resource that begins with ``keys-abc-`` or ``myuser-``. - - .. codeblock:: shell - :class: copyable - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:CreateKey", - "kms:KeyStatus", - "kms:ListKeys" - ], - "Resource": [ - "arn:minio:kms:::keys-abc-*", - "arn:minio:kms:::myuser-*" - ] - } - ] - } - .. _minio-policy-mc-admin-actions: ``mc admin`` Policy Action Keys 
@@ -817,11 +754,15 @@ services: .. policy-action:: admin:KMSCreateKey Allows creating a new KMS master key + + While this option is still supported, :policy-action:`kms:CreateKey` is preferred. .. policy-action:: admin:KMSKeyStatus Allows getting KMS key status + While this option is still supported, :policy-action:`kms:KeyStatus` is preferred. + .. policy-action:: admin:ServerInfo Allows listing server info 
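Review bot: the two added sentences "While this option is still supported, :policy-action:`kms:CreateKey` is preferred." and "... :policy-action:`kms:KeyStatus` is preferred." under `admin:KMSCreateKey` and `admin:KMSKeyStatus` give neither a reason for the preference nor the server release in which the `kms:` actions became available, so a reader on an older server cannot tell whether `kms:CreateKey` will be accepted at all. Suggest stating the reason in one clause (the page documents resource and resource-prefix scoping only for the `kms:` actions, not for the `admin:KMS*` ones) and adding a `.. versionadded::` line with the release that introduced `kms:CreateKey` and `kms:KeyStatus`, in the same `RELEASE.YYYY-MM-DDTHH-MM-SSZ` form the page already uses. Minor: the first note is inserted after a new blank line and the second before one; both render the same, but the two entries should follow one pattern.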
@@ -985,6 +926,71 @@ services: Allows access to start, query, or stop a rebalancing of objects across pools with varying free storage space. +KMS policy action keys +---------------------- + +MinIO supports restricting key management service (KMS) actions by policy. + +You can restrict KMS activities in a policy with any of the following KMS actions: + +.. policy-action:: kms:Status + + Check the status of KMS. + +.. policy-action:: kms:Metrics + + Obtain Prometheus-formatted metrics. + +.. policy-action:: kms:API + + List supported API endpoints. + +.. policy-action:: kms:Version + + Retrieve the KMS version. + +.. policy-action:: kms:CreateKey + + Create a new KMS key. + +.. policy-action:: kms:ListKeys + + Retrieve a list of existing KMS keys. + +.. policy-action:: kms:KeyStatus + + Retrieve the status of a specified KMS key. + +To select all of the available kms policy actions, use ``kms:*``. + +.. versionchanged:: RELEASE.2024-07-16T23-46-41Z + + KMS actions can be restricted by resource or a resource prefix. + The wildcard character ``*`` can be used to apply the KMS action policy to all resources that match the prefix. + + For example, the following policy document allows a user to list keys, create new keys, and check the status of keys for any resource that begins with ``keys-abc-`` or ``myuser-``. + + .. codeblock:: shell + :class: copyable + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:CreateKey", + "kms:KeyStatus", + "kms:ListKeys" + ], + "Resource": [ + "arn:minio:kms:::keys-abc-*", + "arn:minio:kms:::myuser-*" + ] + } + ] + } + ``mc admin`` Policy Condition Keys ----------------------------------
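Review bot: `.. codeblock:: shell` inside the `versionchanged` block is not a Sphinx directive (the built-in one is `code-block`), and the body is a JSON policy document rather than shell, so unless this repo registers its own `codeblock` directive the build will report an unknown directive and the example will not render; change it to `.. code-block:: json` and keep `:class: copyable`. Two smaller points in the same hunk: the new heading `KMS policy action keys` should be title-cased like its neighbours (`` ``mc admin`` Policy Action Keys `` and `` ``mc admin`` Policy Condition Keys ``), and dropping it between those two sections splits the `mc admin` material in half; placing it just before `.. _minio-policy-mc-admin-actions:` (where the first commit had it) or after the condition-key section keeps that material together. Lastly, "To select all of the available kms policy actions, use ``kms:*``." should spell "KMS" as the heading does, and deserves a one-line caveat that `kms:*` also grants `kms:CreateKey` from the list above, so it belongs in policies for KMS operators rather than for ordinary users.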