notify_nats rejects MINIO_NOTIFY_NATS_USER_CREDENTIALS (JWT creds file path) on pgsty/minio:latest
Summary
notify_nats config on pgsty/minio:latest rejects MINIO_NOTIFY_NATS_USER_CREDENTIALS as an invalid key, which blocks JWT creds-file based NATS auth for MinIO event notifications.
This appears to break compatibility with environments using NATS operator/accounts + .creds auth for MinIO publishers.
Why this matters
In NATS JWT deployments, MinIO often authenticates with a user credentials file (not username/password/token). If MINIO_NOTIFY_NATS_USER_CREDENTIALS is rejected, MinIO cannot be configured to publish bucket notifications into secured NATS clusters using creds-file auth.
Environment
- OS: macOS (Apple Silicon)
- MinIO image under test:
pgsty/minio:latest
- NATS: 3-node cluster using JWT operator/accounts and user
.creds
- MinIO admin tool:
minio/mc:latest
Reproduction (clean)
-
Start MinIO + NATS with JWT creds mounted into MinIO at /jwt.
-
Configure notify_nats with a creds file:
mc admin config set us notify_nats:FITCHECK \
address=nats-1:4222 \
subject=events.object.created \
MINIO_NOTIFY_NATS_USER_CREDENTIALS=/jwt/creds/minio_notifier.creds \
jetstream=off \
queue_dir=/data/queue-fitcheck \
queue_limit=100000
- Observe the response.
Actual result
The command fails with invalid keys. Exact observed error:
mc: <ERROR> Unable to set 'notify_nats:FITCHECK address=nats-1:4222 subject=events.object.created MINIO_NOTIFY_NATS_USER_CREDENTIALS=/jwt/creds/minio_notifier.creds jetstream=off queue_dir=/data/queue-fitcheck queue_limit=100000' to server: found invalid keys (MINIO_NOTIFY_NATS_USER_CREDENTIALS=/jwt/creds/minio_notifier.creds nkey_seed= tls_handshake_first=off ) for 'notify_nats:ONE' sub-system, use 'mc admin config reset myminio notify_nats:ONE' to fix invalid keys.
Also, mc admin config get us notify_nats shows keyspace without credentials-file support (username/password/token only), confirming parser/help mismatch for JWT creds-file auth.
Expected result
notify_nats should accept and persist creds-file based auth key:
MINIO_NOTIFY_NATS_USER_CREDENTIALS
and allow restart-based apply flow:
mc admin config set ...
- restart MinIO
mc event add ... arn:minio:sqs::<id>:nats
- events publish successfully to NATS using the creds file.
Scope requested
- Add/restore support for
MINIO_NOTIFY_NATS_USER_CREDENTIALS in notify_nats config parsing/validation/help/defaults.
- Ensure
mc admin config set does not reject the key as invalid.
- Preserve backward compatibility with existing
username/password/token modes.
Optional compatibility additions
If intentional in pgsty fork policy, please clarify in docs that creds-file auth is unsupported. Otherwise, enabling this key would restore compatibility with common JWT-based NATS deployments.
Notes
I can provide a small patch/PR for this if maintainers agree with scope.
notify_nats rejects MINIO_NOTIFY_NATS_USER_CREDENTIALS (JWT creds file path) on pgsty/minio:latest
Summary
notify_natsconfig onpgsty/minio:latestrejectsMINIO_NOTIFY_NATS_USER_CREDENTIALSas an invalid key, which blocks JWT creds-file based NATS auth for MinIO event notifications.This appears to break compatibility with environments using NATS operator/accounts +
.credsauth for MinIO publishers.Why this matters
In NATS JWT deployments, MinIO often authenticates with a user credentials file (not username/password/token). If
MINIO_NOTIFY_NATS_USER_CREDENTIALSis rejected, MinIO cannot be configured to publish bucket notifications into secured NATS clusters using creds-file auth.Environment
pgsty/minio:latest.credsminio/mc:latestReproduction (clean)
Start MinIO + NATS with JWT creds mounted into MinIO at
/jwt.Configure
notify_natswith a creds file:mc admin config set us notify_nats:FITCHECK \ address=nats-1:4222 \ subject=events.object.created \ MINIO_NOTIFY_NATS_USER_CREDENTIALS=/jwt/creds/minio_notifier.creds \ jetstream=off \ queue_dir=/data/queue-fitcheck \ queue_limit=100000Actual result
The command fails with invalid keys. Exact observed error:
Also,
mc admin config get us notify_natsshows keyspace without credentials-file support (username/password/tokenonly), confirming parser/help mismatch for JWT creds-file auth.Expected result
notify_natsshould accept and persist creds-file based auth key:MINIO_NOTIFY_NATS_USER_CREDENTIALSand allow restart-based apply flow:
mc admin config set ...mc event add ... arn:minio:sqs::<id>:natsScope requested
MINIO_NOTIFY_NATS_USER_CREDENTIALSin notify_nats config parsing/validation/help/defaults.mc admin config setdoes not reject the key as invalid.username/password/tokenmodes.Optional compatibility additions
If intentional in pgsty fork policy, please clarify in docs that creds-file auth is unsupported. Otherwise, enabling this key would restore compatibility with common JWT-based NATS deployments.
Notes
I can provide a small patch/PR for this if maintainers agree with scope.