Hi,

Are the ACCESSKEY_STRING and SECRETKEY_STRING of the user trying to assume role 'S3Access' the same as those of user 'sr'? (That is the user specified in the assume_role_policy_document.)

Thanks,
Pritha

On Sun, Mar 8, 2020 at 7:54 PM 曹 海旺 <caohaiwang@xxxxxxxxxxx> wrote:
> Hi, I want to use STS to get temporary credentials, but I got 403.
>
> The user info:
> {
>   "user_id": "sr",
>   "display_name": "shiran",
>   "email": "",
>   "suspended": 0,
>   "max_buckets": 1000,
>   "subusers": [],
>   "keys": [
>     {
>       "user": "sr",
>       "access_key": "FBGYU7CUBUACP2OYBE76",
>       "secret_key": "RoovZBBNdlOvVS4LzuuuCsZ1QPA6W81mbNXvonYD"
>     }
>   ],
>   "swift_keys": [],
>   "caps": [
>     {
>       "type": "roles",
>       "perm": "*"
>     },
>     {
>       "type": "user-policy",
>       "perm": "*"
>     }
>   ],
>   "op_mask": "read, write, delete",
>   "default_placement": "",
>   "default_storage_class": "",
>   "placement_tags": [],
>   "bucket_quota": {
>     "enabled": false,
>     "check_on_raw": false,
>     "max_size": -1,
>     "max_size_kb": 0,
>     "max_objects": -1
>   },
>   "user_quota": {
>     "enabled": false,
>     "check_on_raw": false,
>     "max_size": -1,
>     "max_size_kb": 0,
>     "max_objects": -1
>   },
>   "temp_url_keys": [],
>   "type": "rgw",
>   "mfa_ids": []
> }
>
> and the role info:
>
> {
>   "id": "c983c0df-a49c-4e36-957d-7d709f65e292",
>   "name": "S3Access",
>   "path": "/application_abc/component_xyz/",
>   "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access",
>   "create_date": "2020-03-04T08:19:41.24Z",
>   "max_session_duration": 3600,
>   "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sr\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> },
>
> I use the AWS Java SDK to AssumeRole; the code is like:
>
> import com.amazonaws.ClientConfiguration;
> import com.amazonaws.Protocol;
> import com.amazonaws.auth.AWSCredentials;
> import com.amazonaws.auth.AWSStaticCredentialsProvider;
> import com.amazonaws.auth.BasicAWSCredentials;
> import com.amazonaws.client.builder.AwsClientBuilder;
> import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
> import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
> import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
> import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
> import com.amazonaws.services.securitytoken.model.Credentials;
> import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
>
> public static final String ACCESSKEY_STRING = "xxxxxxxxxxxxxx";
> public static final String BUCKETNAME_STRING = "osstest";
> public static final String SECRETKEY_STRING = "xxxxxxxxxxxxxxxxxxxxx";
>
> public static final String ENDPOINT_STRING = "http://192.168.3.250"; // haproxy
>
> String clientRegion = ENDPOINT_STRING;
> String roleARN = "arn:aws:iam:::role/application_abc/component_xyz/S3Access";
> String roleSessionName = "bob";
> String bucketName = ENDPOINT_STRING;
>
> AWSCredentials credentials = new BasicAWSCredentials(ACCESSKEY_STRING, SECRETKEY_STRING);
> ClientConfiguration clientConfig = new ClientConfiguration();
>
> clientConfig.setProtocol(Protocol.HTTP);
> clientConfig.setSignerOverride("AWS3SignerType");
>
> AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard()
>         .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(ENDPOINT_STRING, ""))
>         .withCredentials(new AWSStaticCredentialsProvider(credentials))
>         .withClientConfiguration(clientConfig)
>         .build();
> GetSessionTokenRequest session_token_request = new GetSessionTokenRequest();
> AssumeRoleRequest roleRequest = new AssumeRoleRequest()
>         .withRoleArn(roleARN)
>         .withRoleSessionName(roleSessionName)
>         .withTokenCode("sts");
> session_token_request.setDurationSeconds(3600);
> AssumeRoleResult roleResponse = sts_client.assumeRole(roleRequest);
> Credentials sessionCredentials = roleResponse.getCredentials();
>
> I got the response:
>
> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000016-005e64fa9e-b5b47-default</RequestId><HostId>b5b47-default-default</HostId></Error>
>
> The debug info in the log file is like this:
>
> 1 ====== starting new request req=0x5592abefc910 =====
> 2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s initializing for trans_id = tx000000000000000000016-005e64fa9e-b5b47-default
> 2020-03-08 22:01:02.984 7f2548f95700 10 rgw api priority: s3=7 s3website=6
> 2020-03-08 22:01:02.984 7f2548f95700 10 host=rgw1
> 2020-03-08 22:01:02.984 7f2548f95700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
> 2020-03-08 22:01:02.984 7f2548f95700 20 final domain/bucket subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 s->info.domain= s->info.request_uri=/
> 2020-03-08 22:01:02.984 7f2548f95700 10 meta>> HTTP_X_AMZ_DATE
> 2020-03-08 22:01:02.984 7f2548f95700 10 meta>> HTTP_X_AMZN_AUTHORIZATION
> 2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amz-date:Sun, 08 Mar 2020 14:01:02 GMT
> 2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amzn-authorization:AWS3 AWSAccessKeyId=FBGYU7CUBUACP2OYBE76,Algorithm=HmacSHA256,SignedHeaders=Host;X-Amz-Date,Signature=D7p74AFsJn4J823e6Up4Zo2eRV/n5PFmyQ2/w+kOaqY=
> 2020-03-08 22:01:02.984 7f2548f95700 20 get_handler handler=26RGWHandler_REST_Service_S3
> 2020-03-08 22:01:02.984 7f2548f95700 10 handler=26RGWHandler_REST_Service_S3
> 2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s getting op 4
> 2020-03-08 22:01:02.984 7f2548f95700 10 Content of POST: Action=AssumeRole&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2Fapplication_abc%2Fcomponent_xyz%2FS3Access&RoleSessionName=bob&SerialNumber=sdfsdf&TokenCode=sts
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: ActionValue: AssumeRole
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: VersionValue: 2011-06-15
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: RoleArnValue: arn:aws:iam:::role/application_abc/component_xyz/S3Access
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: RoleSessionNameValue: bob
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: SerialNumberValue: sdfsdf
> 2020-03-08 22:01:02.984 7f2548f95700 10 Key: TokenCodeValue: sts
> 2020-03-08 22:01:02.984 7f2548f95700 10 req 22 0.000s sts:assume_role scheduling with dmclock client=0 cost=1
> 2020-03-08 22:01:02.984 7f2548f95700 10 op=16RGWSTSAssumeRole
> 2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s sts:assume_role verifying requester
> 2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy
> 2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
> 2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::S3AnonymousEngine granted access
> 2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy granted access
> 2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s sts:assume_role normalizing buckets and tenants
> 2020-03-08 22:01:02.984 7f2548f95700 10 s->object=<NULL> s->bucket=
> 2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s sts:assume_role init permissions
> 2020-03-08 22:01:02.985 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb400 obj=default.rgw.meta:users.uid:anonymous state=0x5592aa8d99c0 s->prefetch_data=0
> 2020-03-08 22:01:02.985 7f2548f95700 10 cache get: name=default.rgw.meta+users.uid+anonymous : type miss (requested=0x6, cached=0x0)
> 2020-03-08 22:01:02.985 7f2548f95700 20 WARNING: blocking librados call
> 2020-03-08 22:01:02.985 7f2548f95700 1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.244:6800/2853,v1:192.168.3.244:6801/2853] -- osd_op(unknown.0.0:159377 3.0 3:0ab27964:users.uid::anonymous:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abea3b80 con 0x5592ab6acc00
> 2020-03-08 22:01:02.985 7f2593ab4700 1 -- 192.168.3.247:0/1491423941 <== osd.5 v2:192.168.3.244:6800/2853 4 ==== osd_op_reply(159377 anonymous [getxattrs,stat] v0'0 uv0 ondisk = -2 ((2) No such file or directory)) v8 ==== 195+0+0 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6acc00
> 2020-03-08 22:01:02.985 7f2548f95700 10 cache put: name=default.rgw.meta+users.uid+anonymous info.flags=0x0
> 2020-03-08 22:01:02.985 7f2548f95700 10 moving default.rgw.meta+users.uid+anonymous to cache LRU end
> 2020-03-08 22:01:02.985 7f2548f95700 2 req 22 0.001s sts:assume_role recalculating target
> 2020-03-08 22:01:02.985 7f2548f95700 2 req 22 0.001s sts:assume_role reading permissions
> 2020-03-08 22:01:02.985 7f2548f95700 2 req 22 0.001s sts:assume_role init op
> 2020-03-08 22:01:02.985 7f2548f95700 2 req 22 0.001s sts:assume_role verifying op mask
> 2020-03-08 22:01:02.985 7f2548f95700 20 req 22 0.001s sts:assume_role required_mask= 0 user.op_mask=7
> 2020-03-08 22:01:02.985 7f2548f95700 2 req 22 0.001s sts:assume_role verifying op permissions
> 2020-03-08 22:01:02.985 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb7f0 obj=default.rgw.meta:roles:role_names.S3Access state=0x5592aa8d99c0 s->prefetch_data=0
> 2020-03-08 22:01:02.985 7f2548f95700 10 cache get: name=default.rgw.meta+roles+role_names.S3Access : type miss (requested=0x6, cached=0x3)
> 2020-03-08 22:01:02.985 7f2548f95700 20 WARNING: blocking librados call
> 2020-03-08 22:01:02.985 7f2548f95700 1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.245:6808/2863,v1:192.168.3.245:6809/2863] -- osd_op(unknown.0.0:159378 3.3 3:c86e03bb:roles::role_names.S3Access:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abf18000 con 0x5592ab6ad400
> 2020-03-08 22:01:02.986 7f2593ab4700 1 -- 192.168.3.247:0/1491423941 <== osd.8 v2:192.168.3.245:6808/2863 3 ==== osd_op_reply(159378 role_names.S3Access [getxattrs,stat] v0'0 uv4 ondisk = 0) v8 ==== 205+0+20 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6ad400
> 2020-03-08 22:01:02.986 7f2548f95700 10 cache put: name=default.rgw.meta+roles+role_names.S3Access info.flags=0x6
> 2020-03-08 22:01:02.986 7f2548f95700 10 moving default.rgw.meta+roles+role_names.S3Access to cache LRU end
> 2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: s->obj_tag was set empty
> 2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+role_names.S3Access : hit (requested=0x1, cached=0x7)
> 2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb7f0 obj=default.rgw.meta:roles:roles.c983c0df-a49c-4e36-957d-7d709f65e292 state=0x5592aa8d99c0 s->prefetch_data=0
> 2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 : type miss (requested=0x6, cached=0x3)
> 2020-03-08 22:01:02.986 7f2548f95700 20 WARNING: blocking librados call
> 2020-03-08 22:01:02.986 7f2548f95700 1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.244:6800/2853,v1:192.168.3.244:6801/2853] -- osd_op(unknown.0.0:159379 3.0 3:0e42bcf0:roles::roles.c983c0df-a49c-4e36-957d-7d709f65e292:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abf182c0 con 0x5592ab6acc00
> 2020-03-08 22:01:02.986 7f2593ab4700 1 -- 192.168.3.247:0/1491423941 <== osd.5 v2:192.168.3.244:6800/2853 5 ==== osd_op_reply(159379 roles.c983c0df-a49c-4e36-957d-7d709f65e292 [getxattrs,stat] v0'0 uv4 ondisk = 0) v8 ==== 228+0+20 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6acc00
> 2020-03-08 22:01:02.986 7f2548f95700 10 cache put: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 info.flags=0x6
> 2020-03-08 22:01:02.986 7f2548f95700 10 moving default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 to cache LRU end
> 2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: s->obj_tag was set empty
> 2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 : hit (requested=0x1, cached=0x7)
> 2020-03-08 22:01:02.986 7f2548f95700 20 op->ERRORHANDLER: err_no=-1 new_err_no=-1
> 2020-03-08 22:01:02.986 7f2548f95700 2 req 22 0.002s sts:assume_role op status=0
> 2020-03-08 22:01:02.986 7f2548f95700 2 req 22 0.002s sts:assume_role http status=403
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
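A small triage helper for this kind of RGW log, added here as an example and not part of the thread or of Ceph: it folds the debug lines (a constructed sample abridged from the log quoted above) into per-request facts and flags STS calls that the S3 auth strategy handed to S3AnonymousEngine. That is exactly what the quoted log shows: the AWS3-style x-amzn-authorization header was never validated as a signature, so the request ran as the anonymous user and ended in 403. Function names, the EMPTY record layout and the tuple shape of the findings are my own.

```python
import re
# Constructed sample: lines abridged from the RGW debug log quoted in the thread.
SAMPLE_LOG = """\
2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s initializing for trans_id = tx000000000000000000016-005e64fa9e-b5b47-default
2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amzn-authorization:AWS3 AWSAccessKeyId=FBGYU7CUBUACP2OYBE76,Algorithm=HmacSHA256,SignedHeaders=Host;X-Amz-Date,Signature=D7p74AFsJn4J823e6Up4Zo2eRV/n5PFmyQ2/w+kOaqY=
2020-03-08 22:01:02.984 7f2548f95700 10 Key: ActionValue: AssumeRole
2020-03-08 22:01:02.984 7f2548f95700 2 req 22 0.000s sts:assume_role verifying requester
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::S3AnonymousEngine granted access
2020-03-08 22:01:02.986 7f2548f95700 2 req 22 0.002s sts:assume_role http status=403
"""

# RGW debug line: <date> <time> <thread> <level> <message>
LINE_RE = re.compile(r"^\S+ \S+ (?P<tid>[0-9a-f]+) \d+ (?P<msg>.*)$")
REQ_RE = re.compile(r"^req (?P<req>\d+) [\d.]+s (?P<rest>.*)$")
EMPTY = {"trans_id": "", "op": "", "granted_by": "", "http_status": 0, "auth_scheme": ""}


def parse_rgw_log(text):
    """Fold per-request facts out of an RGW debug log, keyed by req number."""
    reqs, thread_req = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        r = REQ_RE.match(msg)
        if r:
            st = reqs.setdefault(r.group("req"), dict(EMPTY))
            thread_req[tid] = r.group("req")  # header dumps carry no req id
            rest = r.group("rest")
            if rest.startswith("initializing for trans_id = "):
                st["trans_id"] = rest.split("= ", 1)[1]
            elif rest.startswith(("sts:", "s3:")):
                st["op"], _, body = rest.partition(" ")
                g = re.search(r"::(\w+Engine) granted access", body)
                if g:
                    st["granted_by"] = g.group(1)
                h = re.search(r"http status=(\d+)", body)
                if h:
                    st["http_status"] = int(h.group(1))
        elif tid in thread_req and msg.startswith("x>> x-amzn-authorization:"):
            reqs[thread_req[tid]]["auth_scheme"] = msg.split(":", 1)[1].split(" ", 1)[0]
    return reqs


def find_unsigned_sts(text):
    """STS calls RGW granted to S3AnonymousEngine: no signature was validated."""
    return [(st["trans_id"], st["auth_scheme"] or "none", st["http_status"])
            for st in parse_rgw_log(text).values()
            if st["op"].startswith("sts:") and st["granted_by"] == "S3AnonymousEngine"]
```

Run it over a full `debug rgw = 20` log and every transaction it reports is an AssumeRole that RGW never tied to a real user, which is the first thing to check before looking at the role's trust policy.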