Hi Pritha and thanks again for your reply.

Unfortunately we are still stuck at the AssumeRoleWithWebIdentity API call as shown below:

    2020-10-14T08:24:26.314+0000 7ff6600ff700 1 ====== starting new request req=0x7ff6b69496b0 =====
    2020-10-14T08:24:26.314+0000 7ff6600ff700 2 req 7 0s initializing for trans_id = tx000000000000000000007-005f86b5ba-1e4f8-ZylaS3
    2020-10-14T08:24:26.314+0000 7ff6600ff700 10 rgw api priority: s3=8 s3website=7
    2020-10-14T08:24:26.314+0000 7ff6600ff700 10 host=192.168.35.28
    2020-10-14T08:24:26.314+0000 7ff6600ff700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
    2020-10-14T08:24:26.314+0000 7ff6600ff700 20 final domain/bucket subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 s->info.domain= s->info.request_uri=/
    2020-10-14T08:24:26.314+0000 7ff6600ff700 20 req 7 0s get_handler handler=26RGWHandler_REST_Service_S3
    2020-10-14T08:24:26.314+0000 7ff6600ff700 10 handler=26RGWHandler_REST_Service_S3
    2020-10-14T08:24:26.314+0000 7ff6600ff700 2 req 7 0s getting op 4
    2020-10-14T08:24:26.314+0000 7ff6600ff700 10 Content of POST: Action=AssumeRoleWithWebIdentity&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2FS3Access&RoleSessionName=KC-Client&DurationSeconds=3600&WebIdentityToken=<token_here>
    2020-10-14T08:24:26.315+0000 7ff6600ff700 10 req 7 0.001000005s sts:assume_role_web_identity scheduling with dmclock client=0 cost=1
    2020-10-14T08:24:26.315+0000 7ff6600ff700 10 op=31RGWSTSAssumeRoleWithWebIdentity
    2020-10-14T08:24:26.315+0000 7ff6600ff700 2 req 7 0.001000005s sts:assume_role_web_identity verifying requester
    2020-10-14T08:24:26.315+0000 7ff6600ff700 20 req 7 0.001000005s sts:assume_role_web_identity rgw::auth::sts::DefaultStrategy: trying rgw::auth::sts::WebTokenEngine
    2020-10-14T08:24:26.315+0000 7ff6600ff700 20 req 7 0.001000005s sts:assume_role_web_identity rgw::auth::sts::WebTokenEngine denied with reason=-13
    2020-10-14T08:24:26.315+0000 7ff6600ff700 5 req 7 0.001000005s sts:assume_role_web_identity Failed the auth strategy, reason=-13
    2020-10-14T08:24:26.315+0000 7ff6600ff700 10 failed to authorize request
    2020-10-14T08:24:26.315+0000 7ff6600ff700 1 op->ERRORHANDLER: err_no=-13 new_err_no=-13
    2020-10-14T08:24:26.315+0000 7ff6600ff700 2 req 7 0.001000005s sts:assume_role_web_identity op status=0
    2020-10-14T08:24:26.315+0000 7ff6600ff700 2 req 7 0.001000005s sts:assume_role_web_identity http status=403
    2020-10-14T08:24:26.315+0000 7ff6600ff700 1 ====== req done req=0x7ff6b69496b0 op status=0 http_status=403 latency=0.001000005s ======
    2020-10-14T08:24:26.315+0000 7ff6600ff700 1 beast: 0x7ff6b69496b0: 192.168.35.116 - - [2020-10-14T08:24:26.315479+0000] "POST / HTTP/1.1" 403 185 - "Boto3/1.15.16 Python/3.8.5 Linux/5.4.0-48-generic Botocore/1.18.16" -
    2020-10-14T08:24:26.383+0000 7ff66690c700 20 failed to read header: end of stream

To get the web token we are using the below script and pasting the output in the AssumeRoleWithWebIdentity API call:

    #!/bin/bash

    KC_REALM=myrealm
    KC_CLIENT=rgw-app
    # Placeholders are quoted so the shell does not parse "<" as a redirection
    KC_CLIENT_SECRET="<string from credentials tab in KC of the client>"
    KC_SERVER="<IP>:<port>"
    KC_CONTEXT=auth

    # Request Tokens for credentials
    # (-k makes curl skip TLS certificate verification)
    KC_RESPONSE=$( \
      curl -k --no-progress-meter -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "scope=openid" \
        -d "grant_type=client_credentials" \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        "https://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
      | jq .
    )

    # Extract the access token from the JSON response and print it
    KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
    echo "$KC_ACCESS_TOKEN"

For the above token request to work we had to turn "ON" the option "Service Accounts Enabled" in the settings tab of the client.

I suspect that the issue is more in relation to the capabilities of the user when calling the STS engine for the AssumeRoleWithWebIdentity API call.

If anyone can help...
You are more than welcome :-)
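Added example, not part of the original post and not Ceph or Keycloak code: a small Python check for the token printed by the script above, decoding its claims (without verifying the signature) so they can be compared with what the gateway side is configured to accept. The function names, the expected-issuer parameter and the sample values are assumptions made for illustration; the findings are input for that comparison, not a statement of what RGW checks.

```python
import base64
import json
import time


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (not a real Keycloak token)."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "c2ln"])


def inspect_token(token, expected_issuer, now=None):
    """Decode a JWT payload WITHOUT verifying its signature; return (claims, findings)."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        # `jq -r .access_token` prints "null" when the token request failed
        return {}, ["not a three-part JWT: %r" % token.strip()[:20]]
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:
        return {}, ["payload is not base64url-encoded JSON: %s" % exc]
    if not isinstance(claims, dict):
        return {}, ["payload is not a JSON object"]
    findings = []
    if claims.get("iss") != expected_issuer:
        findings.append("iss %r != expected %r" % (claims.get("iss"), expected_issuer))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("token expired or has no exp claim (exp=%r)" % (exp,))
    if not claims.get("aud"):
        findings.append("no aud claim; azp=%r" % (claims.get("azp"),))
    return claims, findings


if __name__ == "__main__":
    issuer = "https://kc.example.test/auth/realms/myrealm"  # constructed value
    good = make_sample_token({"iss": issuer, "aud": "rgw-app", "azp": "rgw-app",
                              "exp": int(time.time()) + 300})
    for tok in (good, "null"):
        claims, findings = inspect_token(tok, issuer)
        print({k: claims.get(k) for k in ("iss", "aud", "azp", "exp")}, findings)
```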