Re: How to use STS Lite correctly?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

There are two steps that have to be performed before calling AssumeRole:

1. A role named S3Access needs to be created to which it is mandatory to attach an assume role policy document. For example,

radosgw-admin role create --role-name=S3Access --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

2. A permission policy needs to be attached to the role, to allow all s3 operations using the temporary creds returned by the Assume role call. For example,

radosgw-admin role-policy put --role-name=S3Access --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}

The documentation for above is at: http://docs.ceph.com/docs/master/radosgw/role/

Thanks,
Pritha

On Mon, Mar 4, 2019 at 4:48 PM myxingkong <admin@xxxxxxxxxxx> wrote:

I want to use the STS service to generate temporary credentials for use by third-party clients.

I configured STS lite based on the documentation.

This is my configuration file:

[global]
fsid = 42a7cae1-84d1-423e-93f4-04b0736c14aa
mon_initial_members = admin, node1, node2, node3
mon_host = 192.168.199.81,192.168.199.82,192.168.199.83,192.168.199.84
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

osd pool default size = 2

[client.rgw.admin]
rgw sts key = "1234567890"
rgw s3 auth use sts = true

When I execute the getSessionToken method, return a 403 error:

<Error>
<Code>AccessDenied</Code>
<RequestId>tx00000000000000000000d-005c7d07ed-3a3c-default</RequestId>
<HostId>3a3c-default-default</HostId>
</Error>

try:
    access_key = '2324YFZ7QDEOSRL18QHR'
    secret_key = 'rL9FabxCOw5LDbrHtmykiGSCjzpKLmEs9WPiNjVJ'

    client = boto3.client('sts',
                          aws_access_key_id = access_key,
                          aws_secret_access_key = secret_key,
                          endpoint_url = host)
    response = client.assume_role(
        RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
        RoleSessionName='Bob',
        DurationSeconds=3600
    )
    print response
except:
    print traceback.format_exc()

Who can tell me if my configuration or code is wrong?

My version of ceph is: ceph version 14.1.0 (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]

  Powered by Linux