How to find a customer's bucket credentials

A customer asks "what were my access keys again?" Here's how to look up their bucket, endpoint, and access key from the ImpulseMinio admin.

Last updated 20 days ago

How to find a customer's bucket credentials

When you'd do this

A support ticket comes in. The customer has lost their access keys, switched machines, or just wants to confirm what's on file. You need to surface the bucket name, endpoint URL, and access key/secret without losing the audit trail.

Where the credentials live

ImpulseMinio creates one or more S3 access keys per service when the bucket is provisioned. Secrets are stored encrypted via ImpulseCore's secret storage β€” they sit in mod_impulsecore_secrets referenced by the service row in mod_impulseminio_services. The admin reveal path decrypts on demand and writes an audit-log entry.

The non-secret values (bucket name, endpoint URL, access key ID) live in plain columns on the service row.

Steps

  1. Open the WHMCS service. In WHMCS admin, find the customer's service β€” the fastest way is to search by domain, email, or service ID. Open it.
  2. Go to the Module tab on the service. ImpulseMinio renders an admin panel here showing:
    • Bucket name and full S3 endpoint URL.
    • Region.
    • The plan and its quotas.
    • Per-access-key rows with the key ID visible and a Reveal Secret button.
  3. Click Reveal Secret on the access key the customer needs. The addon prompts for confirmation (the reveal is logged with your admin username), then displays the secret. The audit log under ImpulseCore captures the event as impulseminio.secret.revealed with the service ID, key ID, and your admin user.
  4. If the Module tab isn't loading, fall back to SQL. The bucket and key ID are non-secret:
SELECT s.id, s.bucket_name, s.endpoint_url, s.region, k.access_key_id, k.secret_ref FROM mod_impulseminio_services s LEFT JOIN mod_impulseminio_access_keys k ON k.service_id = s.id WHERE s.service_id = <whmcs-service-id>;

The secret_ref column is a pointer into mod_impulsecore_secrets. Don't try to decrypt manually β€” use the addon's Reveal button so the access is audit-logged. If the addon UI is completely broken, regenerating a new key pair via Tools then Reset Access Keys is faster than chasing the cipher path.

  1. Send the customer to their client area instead, where possible. ImpulseDrive's client-area panel exposes the bucket name, endpoint, and a self-serve "regenerate access keys" button. For routine "I lost my keys" tickets, pointing customers there avoids the audit-log entry on your side and is faster end-to-end.

A note on rotating keys

If the customer suspects their keys were leaked, don't reveal the existing secret β€” regenerate. The admin panel has a Generate New Access Key action that creates a new pair and (optionally) revokes the old one on the MinIO side. This is the recommended response to any leak report.

Related