Document KMS policy options

[marktheunissen]

These actions:

• admin:KMSCreateKey
• admin:KMSKeyStatus

... are documented on this page, however it's missing the kms actions from here: https://github.com/minio/pkg/blob/main/policy/kms-action.go

The MinIO server currently obeys the following:

• KMSStatusAction kms:Status
• KMSMetricsAction kms:Metrics
• KMSAPIAction kms:API
• KMSVersionAction kms:Version
• KMSCreateKeyAction kms:CreateKey
• KMSListKeysAction kms:ListKeys
• KMSKeyStatusAction kms:KeyStatus

This PR: minio/minio#20079 added the ability for those KMS actions to be restricted by resource name (with wildcard support). There is an example policy on the PR description.

There is a bit of "overlap" of functionality here between the two "admin" kms actions and the "kms" actions, I believe they are separate API endpoints but it might be worth double checking the history of these.

This ticket is to document the kms actions and how they can be used, since these are MinIO specific.

[ravindk89]

Hm - are these perhaps related to MinKMS specifically @aead ?

If so we need to discuss if these envvars belong here or in the MinIO Enterprise docs, as the expectation is that MinKMS-related configs should apply only to Enterprise MinIO binary

[ravindk89]

@aead @zveinn ping on the above!