S3 service configuration - Access/Secret keys?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So I'm looking to use my FreeNAS box to provide S3 storage for some of my other local systems, and I'm a little stuck on the configuration of that service, particularly with respect to the access key and secret key. Obviously, the place to start is to RTFM--but unfortunately, TFM is 100% not helpful here. It says, in toto:
[Image: 1593171450040.png]

And the links are to AWS documentation, with information like this:
[Image: 1593171527208.png]

But I've used S3 storage, both with AWS and also with DigitalOcean. With both of those providers, they'll programmatically generate these keys on request (and they're both long and apparently-random, as indicated above), as many key sets as desired--but there's no facility to do this that I can find on FreeNAS, and apparently the entire service uses only one set of keys to authenticate.

So what do I put in these fields? This thread indicates that their contents can only be alphanumeric (which is more restrictive than AWS). This thread (closed for some reason) suggests that they are simply a username and password. Is that it? Are there length minima? Maxima? Is there any necessary relationship between the two? Are there complexity requirements? If FreeNAS isn't going to include a generator (which it seems like it should, at least for optional use), all of this ought to be documented, and the link to the AWS docs is useless for that purpose.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Upstream MinIO doesn't appear to have a key generator. What I think most of us do is use AWS to generate, and then cut & paste into the S3 service, which is how I found the alphanumeric restriction with the current implementation.
 

danb35

Upstream MinIO doesn't appear to have a key generator.
Poking around in their docs, I'm not seeing it either. But it also appears that they aren't very picky about the format of those keys:
[Image: 1593173669662.png]

...and given that, it seems that this:
use AWS to generate, and then cut & paste into the S3 service
grossly overcomplicates the process. Why not just use your preferred password manager (or any other method you like) to generate random alphanumeric strings of whatever length you like? I'm trying it with 20-char-long strings for both, the service takes them and happily starts, and so does a local Discourse instance I want to try to back up there.
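
An added example, not part of any post in this thread and not FreeNAS or MinIO code: generating the two keys locally as random alphanumeric strings, as danb35 describes, and checking them against the alphanumeric-only restriction mentioned above. The function names `gen_key` and `valid_key` are hypothetical, the minimum lengths (3 for the access key, 8 for the secret key) are assumed from MinIO's documentation rather than taken from this page, and the rejected sample value is constructed.

```shell
#!/bin/sh
# Added example: generate alphanumeric-only S3 keys from the kernel CSPRNG.
LC_ALL=C; export LC_ALL   # make the A-Za-z0-9 ranges plain ASCII

# gen_key LENGTH -> prints LENGTH random characters from [A-Za-z0-9].
# Bytes outside the set are discarded, so every kept character is uniform
# (about 5.95 bits each; 20 characters is roughly 119 bits).
gen_key() {
    len=$1
    key=''
    while [ "${#key}" -lt "$len" ]; do
        chunk=$(head -c 256 /dev/urandom | tr -dc 'A-Za-z0-9')
        key="$key$chunk"
    done
    printf '%s\n' "$key" | cut -c1-"$len"
}

# valid_key KEY MINLEN -> status 0 if KEY is purely alphanumeric and at
# least MINLEN characters long, status 1 otherwise.
valid_key() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge "$2" ]
}

ACCESS_MIN=3   # assumption: MinIO's documented minimum for the access key
SECRET_MIN=8   # assumption: MinIO's documented minimum for the secret key

access_key=$(gen_key 20)
secret_key=$(gen_key 40)
valid_key "$access_key" "$ACCESS_MIN" && valid_key "$secret_key" "$SECRET_MIN" \
    && printf 'access key: %s\nsecret key: %s\n' "$access_key" "$secret_key"

# Constructed sample containing '/' and '+': it fails the alphanumeric check.
sample='abcd/EFGH+1234'
valid_key "$sample" "$SECRET_MIN" || echo "rejected (non-alphanumeric): $sample"
```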
 

Samuel Tai

The full MinIO also allows S3 gateway functions. I don't know if the FreeNAS implementation has this functionality or not, but it seems prudent to match AWS if it does.
 

danb35

The full MinIO also allows S3 gateway functions. I don't know if the FreeNAS implementation has this functionality or not,
You may not know, but you can easily determine. There are two questions:
  • Do the binaries that ship with FreeNAS support this, and if so,
  • Do the GUI and the middleware support it?
As to the latter question, the answer is a clear and obvious "no"--there's simply no place in the GUI to tell it to connect to another S3 instance (and certainly no place to enter the endpoint URL). The devs' intent for connecting to another S3 instance appears to be through the Cloud Sync feature, which uses rclone. As to the former question, the answer would appear to be an equally clear and obvious "yes", because it's the same minio binary that would provide this function as the NAS gateway function. And a simple test confirms this:
Code:
root@freenas2[~]# export MINIO_ACCESS_KEY="(REDACTED)"
root@freenas2[~]# export MINIO_SECRET_KEY="(REDACTED)"
root@freenas2[~]# minio gateway s3 https://ams3.digitaloceanspaces.com
Endpoint:  http://192.168.1.68:9000  http://192.168.1.10:9000  http://127.0.0.1:9000 
AccessKey: (REDACTED)
SecretKey: (REDACTED)

Browser Access:
   http://192.168.1.68:9000  http://192.168.1.10:9000  http://127.0.0.1:9000 

Command-line Access: https://docs.min.io/docs/minio-client-quickstart-guide
   $ mc config host add mys3 http://192.168.1.68:9000 REDACTED REDACTED

Object API (Amazon S3 compatible):
   Go:         https://docs.min.io/docs/golang-client-quickstart-guide
   Java:       https://docs.min.io/docs/java-client-quickstart-guide
   Python:     https://docs.min.io/docs/python-client-quickstart-guide
   JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
   .NET:       https://docs.min.io/docs/dotnet-client-quickstart-guide


...and browsing to the "browser access" URL and logging in with the keys (which were the keys generated by DO) gives this:
[Image: 1593177296587.png]

...so it's clearly seeing what's on that remote host.

(and yes, I realize I inadvertently posted live credentials--they've been revoked)

Edit: In addition, the Minio client works as well, though it's called minio-client rather than mc to avoid conflicts with Midnight Commander. I'm able to use it on one FreeNAS box to connect to the S3 service on another, list and create files, etc.
 

sbickle

Cadet
Joined
Apr 1, 2021
Messages
1
Did anyone solve this? It's not about generating passwords for S3 keys. AWS auto-generates credentials for programmatic access and these keys are long and always have special characters, they are designed to be secure. The issue is why does the configuration page check for funky characters and not allow a valid AWS Key to be input.

As a workaround, does anybody know where the S3 credentials are stored on the filesystem? I'm happy to input them there and bypass the webpage.
 