Hello,

rgw sts key should be a key of length 16 since we use AES 128 for encryption (e.g. rgw sts key = abcdefghijklmnop).

Yes, it should be 'sts_client' and not 'client'. The errors in documentation have been noted and will be corrected.

Also please note that the backport to octopus of the new changes is underway (https://github.com/ceph/ceph/pull/37640), and this should be available in the next Octopus release.

Thanks,
Pritha

On Tue, Oct 13, 2020 at 9:22 PM <technical@xxxxxxxxxxxxxxxxx> wrote:
> Hi Pritha and thanks for your reply. We are using Ceph Octopus and we have
> switched to Keycloak from dexIdP.
>
> Having said that, we have followed the guide from
> https://docs.ceph.com/en/octopus/radosgw/STS/ but we are constantly
> having an issue with the AssumeRoleWithWebIdentity example.
>
> We are using 2 different accounts for role creation and policy creation,
> and those 2 parts of the example script are working fine, but when we move
> over to the assume_role_with_web_identity part we get a forbidden error from
> Ceph.
>
> We have used cephadm to install Ceph, which is at:
> # ceph --version
> ceph version 15.2.5 (2c93eff00150f0cc5f106a559557a58d3d7b6f1f) octopus (stable)
>
> We used the following command to add the role capabilities for both users:
> radosgw-admin caps add --uid="TESTER" --caps="roles=*"
> radosgw-admin caps add --uid="TESTER1" --caps="roles=*"
>
> We have set the capabilities for the 2 users mentioned above as shown here:
> buckets (*)
> metadata (*)
> roles (*)
> usage (*)
> user-policy (*)
> users (*)
> zone (*)
>
> ---
>
> Can you please confirm that the key values actually have spaces in them, or
> are they missing an underscore?
> [client.radosgw.gateway]
> rgw sts key = {sts key for encrypting the session token}
> rgw s3 auth use sts = true
>
> ---
>
> We are also getting a "NameError: name 'client' is not defined" error from the
> AssumeRoleWithWebIdentity example in the part shown below.
> Shouldn't it be "sts_client.assume_role_with_web_identity" instead of
> "client.assume_role_with_web_identity", as it is being defined as sts_client
> in the code above it?
>
> sts_client = boto3.client('sts',
>     aws_access_key_id=<access_key of TESTER1>,
>     aws_secret_access_key=<secret_key of TESTER1>,
>     endpoint_url=<STS URL>,
>     region_name='',
> )
>
> response = client.assume_role_with_web_identity(
>     RoleArn=role_response['Role']['Arn'],
>     RoleSessionName='Bob',
>     DurationSeconds=3600,
>     WebIdentityToken=<Web Token>
> )
>
> Can you or anyone give us some pointers to this issue please?
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
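The two answers in this thread (the STS key must be exactly 16 bytes for AES-128, and the call belongs on `sts_client`, not an undefined `client`) are easy to get wrong silently, so here is a small preflight script that checks a ceph.conf fragment and the AssumeRoleWithWebIdentity arguments before anything touches the gateway. This is an added example written for this thread; it is not code from the Ceph project, its documentation, or either poster. It assumes the config is available as text, it relies on Ceph treating spaces, hyphens and underscores in option names as equivalent (so `rgw sts key` and `rgw_sts_key` name the same option), and the sample config, role ARN and token embedded in it are constructed placeholders.

```python
"""Preflight checks for a radosgw STS setup (added example, not Ceph's own code).

Assumptions: ceph.conf text is supplied as a string; Ceph accepts spaces,
hyphens and underscores interchangeably in option names; the STS key must be
exactly 16 bytes because the session token is encrypted with AES-128.
"""
import configparser
import re

SECTION = "client.radosgw.gateway"
AES128_KEY_BYTES = 16

# Constructed sample config mirroring the fragment quoted in the thread,
# with the documentation placeholder replaced by a 16-character key.
SAMPLE_CONF = """
[client.radosgw.gateway]
rgw sts key = abcdefghijklmnop
rgw s3 auth use sts = true
"""


def normalize_option(name: str) -> str:
    """Map 'rgw sts key', 'rgw-sts-key' and 'rgw_sts_key' onto one spelling."""
    return re.sub(r"[\s\-]+", "_", name.strip().lower())


def load_rgw_section(conf_text: str, section: str = SECTION) -> dict:
    """Parse the gateway section of a ceph.conf text into {normalized_option: value}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = normalize_option  # applied to every option name on read
    parser.read_string(conf_text)
    return dict(parser[section]) if parser.has_section(section) else {}


def check_sts_config(options: dict) -> list:
    """Return human-readable findings; an empty list means the section looks usable."""
    findings = []
    key = options.get("rgw_sts_key")
    if key is None:
        findings.append("rgw_sts_key is missing")
    elif key.startswith("{") and key.endswith("}"):
        findings.append("rgw_sts_key still holds the documentation placeholder")
    elif len(key.encode()) != AES128_KEY_BYTES:
        findings.append(
            f"rgw_sts_key is {len(key.encode())} bytes, AES-128 needs exactly {AES128_KEY_BYTES}"
        )
    if options.get("rgw_s3_auth_use_sts", "false").lower() not in ("true", "1", "yes"):
        findings.append("rgw_s3_auth_use_sts is not enabled")
    return findings


def assume_role_kwargs(role_arn: str, web_token: str,
                       session_name: str = "Bob", duration: int = 3600) -> dict:
    """Build the keyword arguments for sts_client.assume_role_with_web_identity.

    The web identity token must be the raw JWT issued by the IdP (three
    base64url segments separated by dots); a malformed token is rejected here
    rather than turning into an opaque 403 from the gateway.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*", web_token):
        raise ValueError("WebIdentityToken does not look like a JWT")
    if not role_arn.startswith("arn:aws:iam:::role/"):
        raise ValueError("RoleArn should be the ARN returned by create_role")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration,
        "WebIdentityToken": web_token,
    }


def run_preflight(conf_text: str = SAMPLE_CONF) -> list:
    """Convenience wrapper: parse the config and return its findings."""
    return check_sts_config(load_rgw_section(conf_text))


if __name__ == "__main__":
    # Only reached when run directly; boto3 and a reachable STS endpoint are
    # assumed here and the endpoint/credential values are placeholders.
    import os
    problems = run_preflight()
    print("config findings:", problems or "none")
    kwargs = assume_role_kwargs(
        os.environ.get("ROLE_ARN", "arn:aws:iam:::role/S3Access"),
        os.environ.get("WEB_TOKEN", "hdr.payload.sig"),
    )
    try:
        import boto3
        sts_client = boto3.client("sts", endpoint_url=os.environ["STS_URL"],
                                  region_name="")
        # Note the call is made on sts_client, the object created above.
        print(sts_client.assume_role_with_web_identity(**kwargs)["Credentials"])
    except (ImportError, KeyError):
        print("boto3 or STS_URL unavailable; would call with:", kwargs)
```

The 16-byte rule is enforced on the UTF-8 encoding of the value, so a key that is 16 characters of multibyte text would still be flagged. The JWT shape check is deliberately loose (it does not validate the signature, which is the gateway's job) and exists only to catch pasting the wrong string into `WebIdentityToken`.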