This repository was archived by the owner on Mar 20, 2026. It is now read-only.

ServerInfo / fetchKMSStatus: "insufficient permissions to perform KMS operation" when KES policy allows MINIO_KES_IDENTITY – object encryption/decryption works #2509

@apostolopo08

Environment:
MinIO version: RELEASE.2025-04-08T15-41-24Z
MinIO Operator: v5.0.11
KES version: 2025-03-12T09-35-18Z
KES backend: HashiCorp Vault (external)
Deployment: Kubernetes (Tanzu), distributed mode, 4 nodes
Encryption: SSE-KMS via KES, key cbam-minio-vault-kes
Description
MinIO logs "insufficient permissions to perform KMS operation" during ServerInfo and IAM load, while object encryption and decryption work correctly.
Steps to reproduce
Deploy MinIO Tenant with KES + Vault (external).
Configure KES policy with identities: [${MINIO_KES_IDENTITY}] and allow /v1/key/create/, /v1/key/generate/, /v1/key/decrypt/, /v1/key/bulk/decrypt/.
Enable bucket encryption with SSE-KMS.
Upload and download objects (works).
Open MinIO Console or wait for IAM periodic sync.
Expected behavior
No KMS-related errors in MinIO logs.
ServerInfo/KMS status shown correctly in Console.
IAM cache loads without decryption errors.
Actual behavior
Two recurring errors:

  1. ServerInfo (Console):
     API: ServerInfoError: insufficient permissions to perform KMS operation (kms.Error) GetObject="name=buckets/.usage-cache.bin,pool=1,set=1" 4: cmd/admin-handlers.go:3076:cmd.fetchKMSStatus() 3: cmd/admin-handlers.go:2461:cmd.getServerInfo()
  2. IAM load:
     API: SYSTEM.iamError: failed to decrypt ciphertext with KMS key: failed to read key (kms.Error) 4: cmd/iam-object-store.go:797:cmd.(*IAMObjectStore).loadAllFromObjStore() 3: cmd/iam-store.go:656:cmd.(*IAMStoreSys).LoadIAMCache()

What works
Object upload/download with SSE-KMS
mc admin kms key status shows Encryption ✔ Decryption ✔
mc stat shows SSE-KMS (arn:aws:kms:cbam-minio-vault-kes) on objects
KES creates and uses the key in Vault
mc encrypt info shows bucket auto-encryption with correct KeyID

Additional context
Occurs only with external Vault; not seen in environments where we manage Vault.
Vault AppRole credentials are valid and tested manually.
KES admin is disabled (admin: identity: disabled).
MinIO pods use mTLS to KES via minio-tenant-client-tls.
Question
Is there a different identity or permission needed for fetchKMSStatus (usage-cache) and IAM load than for normal object encrypt/decrypt? If so, how should the KES policy be updated?
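As an added triage aid (not code from this issue, from MinIO or from KES), the following Python script parses MinIO log lines in the format quoted above and groups kms.Error entries by the Go function that raised them, so control-plane failures (ServerInfo, IAM load) can be separated from data-path ones when checking a KES policy. The two sample lines are the ones quoted in the issue; the third is constructed to show that non-KMS errors are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the issue plus one
# non-KMS line to show that unrelated errors are left alone.
SAMPLE_LOG = """\
API: ServerInfoError: insufficient permissions to perform KMS operation (kms.Error) GetObject="name=buckets/.usage-cache.bin,pool=1,set=1" 4: cmd/admin-handlers.go:3076:cmd.fetchKMSStatus() 3: cmd/admin-handlers.go:2461:cmd.getServerInfo()
API: SYSTEM.iamError: failed to decrypt ciphertext with KMS key: failed to read key (kms.Error) 4: cmd/iam-object-store.go:797:cmd.(*IAMObjectStore).loadAllFromObjStore() 3: cmd/iam-store.go:656:cmd.(*IAMStoreSys).LoadIAMCache()
API: GetObject: disk not found (storage.Error) 1: cmd/example.go:1:cmd.example()
"""

# "API: <api>: <message> (<error type>) <optional context> <trace frames>"
LINE_RE = re.compile(r"^API: (?P<api>[^:]+): (?P<msg>.*?) \((?P<etype>[\w.]+)\)(?P<rest>.*)$")
# "<depth>: <file.go:line>:<function>()" ; the first frame listed is the innermost
FRAME_RE = re.compile(r"\d+: (\S+\.go:\d+):(\S+?\(\))")


@dataclass
class KMSError:
    api: str        # MinIO API / subsystem that logged the error
    message: str    # error text as emitted by MinIO
    origin: str     # innermost Go function in the trace
    category: str   # coarse triage bucket, see classify()


def classify(msg: str) -> str:
    """Map the KMS error text to a triage bucket (buckets are our own labels)."""
    if "insufficient permissions" in msg:
        return "policy-denied"    # KES answered but rejected the call for this identity
    if "failed to read key" in msg:
        return "key-unreadable"   # KES could not find or was not allowed to read the key
    return "kms-other"


def parse_kms_errors(text: str) -> list[KMSError]:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["etype"] != "kms.Error":
            continue  # only kms.Error entries are of interest here
        frames = FRAME_RE.findall(m["rest"])
        origin = frames[0][1] if frames else "?"
        found.append(KMSError(m["api"], m["msg"], origin, classify(m["msg"])))
    return found


def summarize(errors: list[KMSError]) -> Counter:
    """Count errors per (origin, category) so recurring code paths stand out."""
    return Counter((e.origin, e.category) for e in errors)


if __name__ == "__main__":
    for (origin, cat), n in summarize(parse_kms_errors(SAMPLE_LOG)).items():
        print(f"{n}x {cat:<15} from {origin}")
```

Run it against `kubectl logs` output from the MinIO pods; each distinct origin is one code path whose KES calls should be compared against the paths the policy allows.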
