Set meaningful message from minio with env variable KMS_SECRET_KEY - allanrogerr/public GitHub Wiki

PR

https://github.com/minio/minio/pull/16584

Issue

https://github.com/miniohq/engineering/issues/1148

Description

Steps to reproduce

  1. Generate a 256-bit random key via:
cat /dev/urandom | head -c 32 | base64

Example response

wz83JmWETiDPeoL4jKZNmYkxDIpIdfIDv7eJVxgeNNc=
  2. Now, set MINIO_KMS_SECRET_KEY like this:
export MINIO_KMS_SECRET_KEY=my-minio-key:wz83JmWETiDPeoL4jKZNmYkxDIpIdfIDv7eJVxgeNNc=
  3. Deploy MinIO with an old version of Console. Clone, check out, build and start the old MinIO:
git clone https://github.com/minio/minio.git
cd minio
git checkout master
make build
./minio server --console-address :9091 /tmp/data

Clone, check out, build and start the old Console:

git clone https://github.com/allanrogerr/console.git
cd console
git checkout master
make console
./console server
  4. Log in to the Console and attempt to set the Encryption on a new bucket to SSE-KMS. Observe an error.
  5. Attempt to add a new encryption key. Observe an error.

Fix

  1. Clone, check out, build and start MinIO from the fix branch:
git clone https://github.com/allanrogerr/minio.git
cd minio
git checkout allow-kms-secret-key
make build
./minio server --console-address :9091 /tmp/data
  2. (If not already done above) Clone, check out, build and start the old Console:
git clone https://github.com/allanrogerr/console.git
cd console
git checkout master
make console
./console server
  3. Attempt to set the Encryption on a new bucket to SSE-KMS. Observe no error.
  4. Attempt to add a new encryption key. Observe a meaningful error:
MINIO_KMS_SECRET_KEY is configured. Additional keys cannot be configured.
  5. Remove the env variable, then restart MinIO. Attempt to set the Encryption on a new bucket to SSE-KMS. Observe a meaningful error:
Server side encryption specified but KMS is not configured
  6. Attempt to add a new encryption key. Observe a meaningful error:
Server side encryption specified but KMS is not configured
  7. Attempt to use both configurations at once. Observe that the server reports an ambiguous KMS configuration:
ubuntu@minio-kes:~$ export MINIO_KMS_SECRET_KEY=my-minio-key:wz83JmWETiDPeoL4jKZNmYkxDIpIdfIDv7eJVxgeNNc=
ubuntu@minio-kes:~$ minio server data --certs-dir .
ERROR The environment contains "MINIO_KMS_SECRET_KEY" as well as "MINIO_KMS_KES_ENDPOINT": ambigious KMS configuration
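
Added example (not part of the PR or of MinIO): a shell preflight check for the two settings exercised above, the <key-name>:<base64 key> form of MINIO_KMS_SECRET_KEY with a 256-bit key, and the conflict with MINIO_KMS_KES_ENDPOINT. The function name check_kms_env and its return codes are assumptions made for this example; it reports the key name only, never the key material.

```shell
# Added example: check_kms_env is a hypothetical helper, not part of MinIO.
# Args:    $1 = value of MINIO_KMS_SECRET_KEY, $2 = value of MINIO_KMS_KES_ENDPOINT
# Returns: 0 usable static key, 1 static key not set, 2 both variables set,
#          3 not "<key-name>:<base64 key>", 4 key is not 32 bytes (256 bits)
check_kms_env() {
    secret=$1
    kes_endpoint=$2

    # The server rejects an environment that contains both variables.
    if [ -n "$secret" ] && [ -n "$kes_endpoint" ]; then
        echo "ambiguous: MINIO_KMS_SECRET_KEY and MINIO_KMS_KES_ENDPOINT are both set" >&2
        return 2
    fi
    if [ -z "$secret" ]; then
        echo "MINIO_KMS_SECRET_KEY is not set" >&2
        return 1
    fi

    # Expected form is <key-name>:<base64 key>, split at the first colon.
    case $secret in
        *:*) ;;
        *) echo "malformed: expected <key-name>:<base64 key>" >&2; return 3 ;;
    esac
    name=${secret%%:*}
    key=${secret#*:}
    if [ -z "$name" ] || [ -z "$key" ]; then
        echo "malformed: empty key name or key material" >&2
        return 3
    fi

    # The key material must be valid base64 ...
    if ! printf '%s' "$key" | base64 -d >/dev/null 2>&1; then
        echo "malformed: key material is not valid base64" >&2
        return 3
    fi
    # ... and decode to exactly 32 bytes, as produced by `head -c 32`.
    nbytes=$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')
    if [ "$nbytes" -ne 32 ]; then
        echo "key '$name' decodes to $nbytes bytes, expected 32" >&2
        return 4
    fi
    echo "key '$name': 256-bit static key, no KES endpoint set"
    return 0
}

# Demonstration with the sample key shown on this page and no KES endpoint.
SAMPLE='my-minio-key:wz83JmWETiDPeoL4jKZNmYkxDIpIdfIDv7eJVxgeNNc='
check_kms_env "$SAMPLE" '' || echo "preflight failed with status $?"
```

To check a live shell before starting the server, call check_kms_env "${MINIO_KMS_SECRET_KEY:-}" "${MINIO_KMS_KES_ENDPOINT:-}".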