Batch Key Rotation

New in version MinIO: RELEASE.2023-04-07T05-28-58Z

The MinIO Batch Framework allows you to create, manage, monitor, and execute jobs using a YAML-formatted job definition file (a “batch file”). The batch jobs run directly on the MinIO deployment to take advantage of the server-side processing power, without the constraints of the local machine where you run the MinIO Client.

The keyrotate batch job type cycles the sse-s3 or sse-kms keys for encrypted objects on a MinIO deployment.

The YAML configuration supports filters to restrict key rotation to a specific set of objects by creation date, tags, metadata, or KMS key. You can also define retry attempts or set a notification endpoint and token.

Key Rotate Batch Job Reference

Use the keyrotate job type to create a batch job that cycles the sse-s3 or sse-kms keys for encrypted objects.

Required Fields

type:

Either sse-s3 or sse-kms.

key:

Only for use with the sse-kms type. The key to use to unseal the key vault.

context:

Only for use with the sse-kms type. The context within which to perform actions.

Optional Fields

For flag based filters

newerThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects newer than the specified length of time. For example, 7d, 24h, 5d12h30s are valid strings.

olderThan:

A string representing a length of time in #d#h#s format.

Keys rotate only for objects older than the specified length of time.

createdAfter:

A date in YYYY-MM-DD format.

Keys rotate only for objects created after the date.

createdBefore:

A date in YYYY-MM-DD format.

Keys rotate only for objects created prior to the date.

tags:

Rotate keys only for objects with tags that match the specified key: and value:.

metadata:

Rotate keys only for objects with metadata that match the specified key: and value:.

kmskey:

Rotate keys only for objects with a KMS key-id that matches the specified value. This is only applicable for the sse-kms type.

For notifications

endpoint:

The predefined endpoint to send events for notifications.

token:

An optional JSON Web Token (JWT) to access the endpoint.

For retry attempts

If something interrupts the job, you can define a maximum number of retry attempts. For each retry, you can also define how long to wait between attempts.

attempts:

Number of tries to complete the batch job before giving up.

delay:

The amount of time to wait between each attempt.

Sample YAML Description File for a keyrotate Job Type

Use mc batch generate to create a basic keyrotate batch job for further customization:

keyrotate:
  apiVersion: v1
  bucket: bucket
  prefix: 
  encryption:
    type: sse-kms # valid values are sse-s3 and sse-kms
    
    # The following encryption values only apply for sse-kms type.
    # For sse-s3 key types, MinIO uses the key provided by the MINIO_KMS_KES_KEY_FILE environment variable.
    # The following two values are ignored if type is set to sse-s3.
    key: my-new-keys2 # valid only for sse-kms
    context: <new-kms-key-context> # valid only for sse-kms

  # optional flags based filtering criteria
  flags:
    filter:
      newerThan: "84h" # match objects newer than this value (e.g. 7d10h31s)
      olderThan: "80h" # match objects older than this value (e.g. 7d10h31s)
      createdAfter: "2023-03-02T15:04:05Z07:00" # match objects created after "date"
      createdBefore: "2023-03-02T15:04:05Z07:00" # match objects created before "date"
      tags:
        - key: "name"
          value: "pick*" # match objects with tag 'name', with all values starting with 'pick'
      metadata:
        - key: "content-type"
          value: "image/*" # match objects with 'content-type', with all values starting with 'image/'
      kmskey: "key-id" # match objects with KMS key-id (applicable only for sse-kms)
  
  # optional entries to add notifications for the job
  notify:
    endpoint: "https://notify.endpoint" # notification endpoint to receive job status events
    token: "Bearer xxxxx" # optional authentication token for the notification endpoint
  
  # optional entries to add retry attempts if the job is interrupted
  retry:
    attempts: 10 # number of retries for the job before giving up
    delay: "500ms" # least amount of delay between each retry
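A pre-flight check for a keyrotate job file, added here as an example and not part of MinIO or mc: it applies the field rules from the reference above (type values, sse-kms-only fields, #d#h#s durations, date filters, kmskey restricted to sse-kms) to the parsed YAML and also flags any <...> placeholder left over from mc batch generate. It assumes the file has already been loaded with a YAML parser such as PyYAML's yaml.safe_load; the SAMPLE_JOB dict is constructed inline to stand in for that.

```python
import re

# Duration form from the reference (#d#h#s): each part optional, at least one present.
DURATION_RE = re.compile(r"^(?=.)(?:\d+d)?(?:\d+h)?(?:\d+s)?$")
# The reference lists YYYY-MM-DD while the generated sample shows a timestamp, so a
# 'T...' suffix after the date is tolerated here (an assumption, not a documented rule).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(?:T\S+)?$")
PLACEHOLDER_RE = re.compile(r"^<.*>$")  # unreplaced "<...>" left by mc batch generate

def validate_keyrotate(doc):
    """Return a list of problems found in a parsed keyrotate job definition."""
    job = doc.get("keyrotate")
    if not isinstance(job, dict):
        return ["top-level 'keyrotate' mapping is missing"]
    problems = []
    enc = job.get("encryption") or {}
    etype = enc.get("type")
    if etype not in ("sse-s3", "sse-kms"):
        problems.append(f"encryption.type must be sse-s3 or sse-kms, got {etype!r}")
    for field in ("key", "context"):  # required for sse-kms, ignored for sse-s3
        val = enc.get(field)
        if etype == "sse-kms" and not val:
            problems.append(f"encryption.{field} is required for sse-kms")
        elif etype == "sse-s3" and val is not None:
            problems.append(f"encryption.{field} is ignored for sse-s3; remove it")
        if isinstance(val, str) and PLACEHOLDER_RE.match(val):
            problems.append(f"encryption.{field} still holds the generated placeholder {val!r}")
    filt = (job.get("flags") or {}).get("filter") or {}
    for field in ("newerThan", "olderThan"):
        val = filt.get(field)
        if val is not None and not (isinstance(val, str) and DURATION_RE.match(val)):
            problems.append(f"flags.filter.{field} must be in #d#h#s form, got {val!r}")
    for field in ("createdAfter", "createdBefore"):
        val = filt.get(field)
        if val is not None and not (isinstance(val, str) and DATE_RE.match(val)):
            problems.append(f"flags.filter.{field} must be a YYYY-MM-DD date, got {val!r}")
    if filt.get("kmskey") is not None and etype != "sse-kms":
        problems.append("flags.filter.kmskey applies only to the sse-kms type")
    for field in ("tags", "metadata"):
        for i, entry in enumerate(filt.get(field) or []):
            if not isinstance(entry, dict) or not ("key" in entry and "value" in entry):
                problems.append(f"flags.filter.{field}[{i}] needs both key: and value:")
    return problems

# Constructed input: the generated sample after yaml.safe_load, with the KMS context
# placeholder left unreplaced and a malformed olderThan value.
SAMPLE_JOB = {"keyrotate": {"apiVersion": "v1", "bucket": "bucket", "encryption": {
    "type": "sse-kms", "key": "my-new-keys2", "context": "<new-kms-key-context>"},
    "flags": {"filter": {"newerThan": "84h", "olderThan": "3 days", "kmskey": "key-id"}}}}
```

Run the check before mc batch start so a job that would be rejected, or silently run with ignored fields, is caught first.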