Description
Expected Behavior
It is expected that when using MINIO_KMS_SECRET_KEY or MINIO_KMS_SECRET_KEY_FILE:
- There will be no error when opening /kms/status in WebUI (Monitoring -> Encryption)
- That the key creation button in /kms/keys in WebUI (Encryption) will be inactive with the message
Unavailable due to static key usage.
Current Behavior
-
The /kms/status tab in the WebUI (Monitoring -> Encryption) displays the error
We encountered an internal error, please try again. (requested functionality is not supported)(probably a problem on the backend side)
-
The
Create Keybutton in the /kms/keys tab of the WebUI (Encryption) is active, but when trying to create a key an errorWe encountered an internal error, please try again. (requested functionality is not supported)
Part of logs, when opening the /kms/status tab in WebUI (Monitoring -> Encryption)
[REQUEST kmsAPIHandlers.KMSStatus] [2025-03-09T12:01:14.960] [Client IP: {REDACTED}]
GET /minio/kms/v1/status
Proto: HTTP/1.1
Host: 127.0.0.1:9000
Content-Length: 0
User-Agent: MinIO (linux; amd64) madmin-go/3.0.70 MinIO Console/(dev)
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20250309T120114Z
X-Amz-Security-Token: {REDACTED}
X-Forwarded-For: {REDACTED}
Authorization: AWS4-HMAC-SHA256 Credential={REDACTED}, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature={REDACTED}
[RESPONSE] [2025-03-09T12:01:14.960] [ Duration 75µs TTFB 72.547µs ↑ 114 B ↓ 263 B ]
200 OK
Accept-Ranges: bytes
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Amz-Bucket-Region: {REDACTED}
X-Content-Type-Options: nosniff
Content-Length: 263
Server: MinIO
Vary: Origin,Accept-Encoding
X-Amz-Id-2: {REDACTED}
X-Amz-Request-Id: {REDACTED}
X-Xss-Protection: 1; mode=block
{
"name": "MinIO builtin",
"default-key-id": "default",
"endpoints": {
"127.0.0.1": "online"
},
"state": {
"Version": "",
"KeyStoreLatency": 0,
"KeyStoreReachable": false,
"KeystoreAvailable": false,
"OS": "",
"Arch": "",
"UpTime": 0,
"CPUs": 0,
"UsableCPUs": 0,
"HeapAlloc": 0,
"StackAlloc": 0
}
}
Possible Solution
- On the backend side, do not return an error for /api/v1/kms/apis if a static key is used, but return an empty response (or any other response reflecting the static keys used), which will be correctly handled by the frontend
- On the backend side, disable key creation via /api/v1/kms/keys, and make the button inactive in the frontend
Steps to Reproduce (for bugs)
Deploy MinIO (for example via docker-compose) with MINIO_KMS_SECRET_KEY variable
Context
It is expected that there will be no backend 500 error when using static keys, and that unnecessary and unworkable (which is correct) encryption key creation functionality will not be available to the end user
Regression
Is this issue a regression? No
Your Environment
-
Version used (
minio --version):RELEASE.2025-02-28T09-55-16Z (go1.23.6 linux/amd64) -
Server setup and configuration:
compose.yaml
name: minio services: minio: ports: - 9000:9000 - 9001:9001 volumes: - ./data:/data environment: - MINIO_VOLUMES="/data" - MINIO_KMS_SECRET_KEY=default:7CSnK3oq0aW0wVkvJqz0BxEeAnfV6EWvSoJRqULuf9g= container_name: minio image: minio/minio command: "server --address :9000 --console-address :9001" -
Operating System and version (
uname -a):Linux node1 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 Linux