fix: etcd IAM encryption fails due to incorrect kms.Context (#12431)

Due to incorrect KMS context constructed, we need to add
additional fallbacks and also fix the original root cause
to fix already migrated deployments.

Bonus remove double migration is avoided in gateway mode
for etcd, instead do it once in iam.Init(), also simplify
the migration by not migrating STS users instead let the
clients regenerate them.

cmd/config-encrypted.go

@@ -69,14 +69,12 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
 		return err
 	}
 
-	if encrypted {
-		if GlobalKMS != nil {
-			stat, err := GlobalKMS.Stat()
-			if err != nil {
-				return err
-			}
-			logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name)
+	if encrypted && GlobalKMS != nil {
+		stat, err := GlobalKMS.Stat()
+		if err != nil {
+			return err
 		}
+		logger.Info("Attempting to re-encrypt IAM users and policies on etcd with %q (%s)", stat.DefaultKey, stat.Name)
 	}
 
 	listCtx, cancel := context.WithTimeout(ctx, 1*time.Minute)
@@ -97,15 +95,26 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
 		}
 
 		if !utf8.Valid(data) {
-			data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
+			pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
 			if err != nil {
-				return fmt.Errorf("Decrypting config failed %w, possibly credentials are incorrect", err)
+				pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
+					minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
+				})
+				if err != nil {
+					pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
+						minioMetaBucket: string(kv.Key),
+					})
+					if err != nil {
+						return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
+					}
+				}
 			}
+			data = pdata
 		}
 
 		if GlobalKMS != nil {
 			data, err = config.EncryptBytes(GlobalKMS, data, kms.Context{
-				minioMetaBucket: string(kv.Key),
+				minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
 			})
 			if err != nil {
 				return err
@@ -117,10 +126,8 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
 		}
 	}
 
-	if encrypted {
-		if GlobalKMS != nil {
-			logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
-		}
+	if encrypted && GlobalKMS != nil {
+		logger.Info("Migration of encrypted IAM config data completed. All data is now encrypted on etcd.")
 	}
 	return deleteKeyEtcd(ctx, client, backendEncryptedFile)
 }
@@ -129,14 +136,12 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
 	if !encrypted {
 		return nil
 	}
-	if encrypted {
-		if GlobalKMS != nil {
-			stat, err := GlobalKMS.Stat()
-			if err != nil {
-				return err
-			}
-			logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name)
+	if encrypted && GlobalKMS != nil {
+		stat, err := GlobalKMS.Stat()
+		if err != nil {
+			return err
 		}
+		logger.Info("Attempting to re-encrypt config, IAM users and policies on MinIO with %q (%s)", stat.DefaultKey, stat.Name)
 	}
 
 	var marker string
@@ -175,10 +180,8 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, encrypted bool) error {
 		}
 		marker = res.NextMarker
 	}
-	if encrypted {
-		if GlobalKMS != nil {
-			logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
-		}
+	if encrypted && GlobalKMS != nil {
+		logger.Info("Migration of encrypted config data completed. All config data is now encrypted.")
 	}
 	return deleteConfig(GlobalContext, globalObjectAPI, backendEncryptedFile)
 }