kes policy create
Overview
Create a new policy to use with KES identities.
Adds a new temporary policy to the KES server. Policies support KES access control.
The created policy has no associated identities.
Use kes policy assign to assign identities to the policy.
All changes made by kes policy are lost when the KES server restarts.
To create permanent policies, modify the policy section of the KES configuration document to include the new policy.
Syntax
kes policy create \
<name> \
<path> \
[--insecure, -k]
Parameters
name
Required
A short name used to refer to the policy.
path
Required
The path to the file containing the policy to use with this name.
--insecure, -k
Optional
Directs the command to skip X.509 certificate validation during the TLS handshake with the KES server. This allows connections to KES servers using untrusted certificates (i.e. self-signed or issued by an unknown Certificate Authority).
MinIO strongly recommends against using this option in production environments.
Examples
kes policy create my-policy ./policy.json
Sample Policy Config File
A YAML-formatted file could resemble the following:
policy:
  my-policy:
    allow:
    - /v1/key/create/my-key
    - /v1/key/generate/my-key
    - /v1/key/decrypt/my-key
    identities:
    - 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22
    - ${MY_APP_IDENTITY}
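An added example (not from the KES documentation or MinIO's code): a Python pre-deployment check for the policy section shown above. It reports policies that list no identities, `${VAR}` identity references that are unset in the environment, and identities that are not 64 hex characters. The 64-hex shape is an assumption taken from the sample identity, and `parse_policies` and `lint` are hypothetical helper names.

```python
import os
import re
# Constructed sample mirroring the page's policy section, with YAML indentation.
SAMPLE = """\
policy:
  my-policy:
    allow:
    - /v1/key/create/my-key
    - /v1/key/generate/my-key
    - /v1/key/decrypt/my-key
    identities:
    - 3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22
    - ${MY_APP_IDENTITY}
"""
HEX_ID = re.compile(r"^[0-9a-fA-F]{64}$")  # assumption: same shape as the sample identity
ENV_REF = re.compile(r"^\$\{(\w+)\}$")     # ${VAR} reference, as in the sample

def parse_policies(text):
    """Minimal reader for the 'policy:' layout above (not a general YAML parser)."""
    policies, name, field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "policy:":
            continue
        if line.startswith("- "):
            policies[name][field].append(line[2:].strip())
        elif line in ("allow:", "identities:"):
            field = line[:-1]
            policies[name].setdefault(field, [])
        else:
            name = line.rstrip(":")
            policies[name] = {}
    return policies

def lint(text, env=os.environ):
    """Return (policy, finding) pairs for identity entries that will not work as written."""
    findings = []
    for name, p in parse_policies(text).items():
        ids = p.get("identities", [])
        if not ids:
            findings.append((name, "no identities listed"))
        for ident in ids:
            m = ENV_REF.match(ident)
            value = env.get(m.group(1), "") if m else ident
            if m and not value:
                findings.append((name, f"{ident} is unset in the environment"))
            elif not HEX_ID.match(value):
                findings.append((name, f"{ident} is not a 64-character hex identity"))
    return findings
```

`lint()` returns an empty list when every listed identity resolves to a well-formed value.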