minkms add-policy

Create or overwrite an access control policy. Policies define “allow” and “deny” rules that control which operations identities can perform on specific resources.

The following settings determine which remote MinIO KMS server the command runs against, in order of priority:

  1. The MINIO_KMS_SERVER environment variable.
  2. The default value of https://localhost:7373.

SYNTAX

minkms add-policy       \
  NAME                  \
  FILE                  \
  [-a | --api-key KEY]  \
  [-e | --enclave NAME] \
  [-k | --insecure]

PARAMETERS

NAME

Required

The name of the policy to create or overwrite.

FILE

Required

The file containing the policy definition.

--api-key

Optional

Alias: -a

The API key of an identity the command uses to authenticate to the MinIO KMS cluster. Defaults to the value of MINIO_KMS_API_KEY.

--enclave

Optional

Alias: -e

The name of the enclave in which to create the policy.

--insecure

Optional

Alias: -k

Skip server certificate verification.

Policy format

Policies define access control rules using JSON with allow and deny sections. Each section maps policy actions (like KEY:CREATE, POLICY:ASSIGN) to resource name patterns.

For complete information on policy structure, supported actions, and pattern matching, see Access Control.

Examples

Create policy from file

Create a policy named readonly-policy from a JSON file:

minkms add-policy readonly-policy /path/to/policy.json

Create policy in specific enclave

Create a policy within the production enclave:

minkms add-policy app-policy /path/to/policy.json --enclave production

Read-only key access policy

The following policy file grants read-only access to keys, allowing encryption and decryption operations:

{
  "allow": {
    "KEY:STATUS": ["*"],
    "KEY:LIST": ["*"],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"]
  },
  "deny": {}
}

Save this to readonly-policy.json and create the policy:

minkms add-policy readonly-policy readonly-policy.json

For additional policy examples including application-specific key management and restricted access patterns, see Access Control.
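Because add-policy overwrites an existing policy of the same name, it helps to check the file before submitting it. The following script is an added example and is not part of minkms: it validates the allow/deny structure described under "Policy format" and reports findings the server would not explain for you, such as a typo in an action name or an allow rule that applies to every resource. The set of known actions is constructed from the actions this page names (the authoritative list is in the Access Control documentation), and the "write action" set used to flag non-read-only grants is an assumption of the example.

```python
"""Pre-flight check for a MinIO KMS policy file before `minkms add-policy`.

Added example, not part of minkms. KNOWN_ACTIONS and WRITE_ACTIONS are
constructed from the actions named on this page.
"""
import json
import sys

# Actions named on this page (constructed; the full set is in Access Control).
KNOWN_ACTIONS = {
    "KEY:CREATE", "KEY:STATUS", "KEY:LIST", "KEY:LISTVERSIONS",
    "KEY:ENCRYPT", "KEY:DECRYPT", "POLICY:ASSIGN",
}

# Actions that change state and so do not belong in a read-only policy (assumption).
WRITE_ACTIONS = {"KEY:CREATE", "POLICY:ASSIGN"}


def check_policy(doc):
    """Validate a parsed policy document and return (errors, warnings).

    Errors are structural problems or likely typos; warnings flag broad
    grants worth a second look before the policy is applied.
    """
    errors, warns = [], []
    if not isinstance(doc, dict):
        return ["policy document must be a JSON object"], warns

    for key in doc:
        if key not in ("allow", "deny"):
            errors.append(f"unexpected top-level key '{key}'")

    for section in ("allow", "deny"):
        if section not in doc:
            errors.append(f"missing '{section}' section")
            continue
        rules = doc[section]
        if not isinstance(rules, dict):
            errors.append(f"'{section}' must be an object mapping actions to pattern lists")
            continue
        for action, patterns in rules.items():
            if action not in KNOWN_ACTIONS:
                errors.append(f"{section}: unknown action '{action}'")
            if not isinstance(patterns, list) or not all(
                isinstance(p, str) and p for p in patterns
            ):
                errors.append(f"{section}: '{action}' must map to a list of pattern strings")
                continue
            if section == "allow" and action in WRITE_ACTIONS:
                warns.append(f"allow: '{action}' is a write action; confirm this is intended")
            if section == "allow" and "*" in patterns:
                warns.append(f"allow: '{action}' applies to every resource ('*')")
    return errors, warns


def check_policy_text(text):
    """Parse policy JSON from a string and validate it."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"], []
    return check_policy(doc)


def check_policy_file(path):
    """Load a policy file from disk and validate it."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_policy_text(fh.read())


# The read-only policy from this page, embedded so the script runs offline.
READONLY_POLICY = """{
  "allow": {
    "KEY:STATUS": ["*"],
    "KEY:LIST": ["*"],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"]
  },
  "deny": {}
}"""

# Constructed broken policy: a typo in an action name, a pattern given as a
# bare string instead of a list, and a "deny" section of the wrong type.
BROKEN_POLICY = """{
  "allow": {
    "KEY:CREATE": ["app-*"],
    "KEY:DECRPYT": "*"
  },
  "deny": []
}"""


def report(label, errors, warns):
    """Print findings; return True when the policy has no errors."""
    print(f"== {label}: {'OK' if not errors else 'REJECTED'}")
    for e in errors:
        print("  error:  ", e)
    for w in warns:
        print("  warning:", w)
    return not errors


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_policy.py readonly-policy.json
        errs, warns = check_policy_file(sys.argv[1])
        sys.exit(0 if report(sys.argv[1], errs, warns) else 1)
    for name, text in (("readonly-policy", READONLY_POLICY), ("broken-policy", BROKEN_POLICY)):
        report(name, *check_policy_text(text))
```

Run it with the policy path as its only argument and chain the add-policy call on success, for example `python check_policy.py readonly-policy.json && minkms add-policy readonly-policy readonly-policy.json`. The page's read-only policy passes with no errors but produces one warning per action, since every rule uses the `*` pattern; that is expected for a cluster-wide read-only role and is the kind of grant worth confirming deliberately rather than by accident.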

Permissions

Creating a new policy requires enclave admin or SysAdmin privileges.