
Add section for supported KMS actions #1448


Merged
merged 2 commits into from
Apr 4, 2025
Expand Up @@ -754,11 +754,15 @@ services:
.. policy-action:: admin:KMSCreateKey

Allows creating a new KMS master key

While this option is still supported, :policy-action:`kms:CreateKey` is preferred.

.. policy-action:: admin:KMSKeyStatus

Allows getting KMS key status

While this option is still supported, :policy-action:`kms:KeyStatus` is preferred.

.. policy-action:: admin:ServerInfo

Allows listing server info
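Review bot: the two new sentences under `admin:KMSCreateKey` and `admin:KMSKeyStatus` say the `kms:` form is preferred but give no release from which it is available, so a reader on an older server cannot tell whether switching is safe; add a `.. versionchanged::` note naming the release that introduced the `kms:` actions (the same release-tag style the new KMS section in this change uses). Also "While this option is still supported" should read "While this action is still supported", since these are policy actions rather than configuration options.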
Expand Down Expand Up @@ -922,6 +926,71 @@ services:

Allows access to start, query, or stop a rebalancing of objects across pools with varying free storage space.

KMS policy action keys
----------------------

MinIO supports restricting key management service (KMS) actions by policy.

You can restrict KMS activities in a policy with any of the following KMS actions:

.. policy-action:: kms:Status

Check the status of KMS.

.. policy-action:: kms:Metrics

Obtain Prometheus-formatted metrics.

.. policy-action:: kms:API

List supported API endpoints.

.. policy-action:: kms:Version

Retrieve the KMS version.

.. policy-action:: kms:CreateKey

Create a new KMS key.

.. policy-action:: kms:ListKeys

Retrieve a list of existing KMS keys.

.. policy-action:: kms:KeyStatus

Retrieve the status of a specified KMS key.

To select all of the available kms policy actions, use ``kms:*``.

.. versionchanged:: RELEASE.2024-07-16T23-46-41Z

KMS actions can be restricted by resource or a resource prefix.
The wildcard character ``*`` can be used to apply the KMS action policy to all resources that match the prefix.

For example, the following policy document allows a user to list keys, create new keys, and check the status of keys for any resource that begins with ``keys-abc-`` or ``myuser-``.

.. codeblock:: shell
:class: copyable

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:KeyStatus",
"kms:ListKeys"
],
"Resource": [
"arn:minio:kms:::keys-abc-*",
"arn:minio:kms:::myuser-*"
]
}
]
}

``mc admin`` Policy Condition Keys
----------------------------------
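Review bot: `.. codeblock:: shell` will not render: the Sphinx directive is `code-block`, and since the body is a JSON policy document the language should be `json`, i.e. `.. code-block:: json`; the `:class: copyable` option and the policy body also need to be indented under the directive so they are parsed as its option and content rather than as top-level text. Minor: "all of the available kms policy actions" in the `kms:*` sentence should capitalize "KMS" to match the section heading and the rest of the page.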
