Hi,

I'm currently having a bit of an issue with setting up end-user authentication and I would be thankful for any tips I could get. The general scenario is like this: end users are authorized through a web app and a mobile app via Keycloak. Users have to be able to upload and download data using the web interface and the mobile app. In order to do that I need to get AssumeRoleWithWebIdentity working. I followed the steps outlined in https://docs.ceph.com/en/latest/radosgw/STS/. Following that guide I was able to get the AssumeRole example to work, but not AssumeRoleWithWebIdentity.

This is the behaviour I'm getting (logged in to aws-cli as TESTER):

    Username          TESTER
    Full name         TestUser
    Suspended         No
    System            No
    Maximum buckets   1000
    Capabilities      oidc-provider (*)
                      roles (*)

    $ aws --endpoint=http://10.10.xx.xx iam list-roles
    {
        "Roles": [
            {
                "Path": "/",
                "RoleName": "S3Access",
                "RoleId": "d1b84ec1-cceb-4c32-a605-f208b30123e2",
                "Arn": "arn:aws:iam:::role/S3Access",
                "CreateDate": "2021-03-24T13:08:20.522Z",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Federated": [
                                    "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRoleWithWebIdentity"
                            ],
                            "Condition": {
                                "StringEquals": {
                                    "xxxxx.xxxxnt.com/auth/realms/xxxxnt:app_id": "xxxxnt_xxxx_backend"
                                }
                            }
                        }
                    ]
                },
                "MaxSessionDuration": 3600
            }
        ]
    }

    $ aws --endpoint=http://10.10.xx.xx iam list-open-id-connect-providers
    {
        "OpenIDConnectProviderList": [
            {
                "Arn": "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
            }
        ]
    }

    $ aws --endpoint=http://10.10.xx.xx iam get-open-id-connect-provider \
        --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
    {
        "Url": "https://xxxxx.xxxxnt.com/auth/realms/xxxxnt",
        "ClientIDList": [
            "test_ceph"
        ],
        "ThumbprintList": [
            "02DC870BD9E72360C090Fxxxxxxxxxxxxxxxxxxx"
        ],
        "CreateDate": "2021-03-24T12:26:38.173Z"
    }

    $ curl -X POST https://xxxxx.xxxxnt.com/auth/realms/xxxxnt/protocol/openid-connect/token \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "username=admin" -d "password=omitted" -d "grant_type=password" \
        -d "client_id=test_ceph" -d "client_secret=d01eafe2-xxxx-xxxx-xxxx-xxxxxx7b7dad"
    {"access_token":"eyJhbGc.........tTRy1bA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbG......RU","token_type":"Bearer","not-before-policy":0,"session_state":"3a57b32a-b17c-4b29-bd68-8ce06b6bd2a8","scope":"email account ..... xxxxnt_xxxx_backend profile"}

    $ aws --debug --endpoint=http://10.10.xx.xx sts assume-role-with-web-identity \
        --role-arn "arn:aws:iam:::role/S3Access" --role-session-name "test" \
        --web-identity-token "eyJhbGc.........tTRy1bA"
    .....
    2021-03-25 10:17:45,309 - MainThread - botocore.parsers - DEBUG - Response body: b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000032-00605c5538-2cf3a-pl</RequestId><HostId>2cf3a-pl-default</HostId></Error>'
    .....
    An error occurred (Unknown) when calling the AssumeRoleWithWebIdentity operation: Unknown

The JWT token returned by Keycloak contains the fields:

    "iss": "https://xxxxx.xxxxnt.com/auth/realms/flexgent",
    "aud": "xxxxnt_xxxx_backend",
    "azp": "test_ceph",

The thumbprint was generated using the example from the Ceph documentation (curl from jwks_uri).

I'm not really sure what might be wrong; I'll be thankful for any hints, including debugging hints, because so far I'm unable to get useful logs on that.

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND
www.softgent.com
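The post above lines up three things that RGW compares when it evaluates AssumeRoleWithWebIdentity: the token's issuer against the registered OIDC provider, the token's audience / authorized party against the provider's ClientIDList, and the trust policy's StringEquals condition (per the Ceph STS docs, the app_id condition key is matched against the token's aud claim). The following script is an added example, not code from the original post or from the Ceph project: it decodes a Keycloak-style access token without verifying the signature, reports every mismatch against a trust policy and provider registration, and computes the SHA-1 thumbprint RGW expects in ThumbprintList from a PEM certificate. The hostnames, realm, client IDs and token are constructed stand-ins for the redacted values in the post, and the claim-to-condition mapping is an assumption taken from the Ceph docs.

```python
import base64
import hashlib
import json
from typing import Any, Dict, List


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return a JWT's payload WITHOUT checking the signature.

    Diagnostic only: RGW verifies the signature against the provider's JWKS;
    here we just want to read the claims the trust policy is matched against.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build an alg=none JWT for offline testing (never accept these in production)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def provider_from_issuer(iss: str) -> str:
    """Provider name as used in arn:aws:iam:::oidc-provider/<name>: issuer URL minus scheme."""
    for scheme in ("https://", "http://"):
        if iss.startswith(scheme):
            iss = iss[len(scheme):]
            break
    return iss.rstrip("/")


def check_web_identity(token: str, trust_policy: Dict[str, Any],
                       provider_arn: str, client_ids: List[str]) -> List[str]:
    """Return mismatches between the token and the RGW-side configuration (empty = OK).

    Assumption (from the Ceph STS docs): the app_id condition key is compared
    against the token's aud claim; any other key is compared against the claim
    of the same name.
    """
    claims = decode_jwt_claims(token)
    findings: List[str] = []

    provider = provider_from_issuer(str(claims.get("iss", "")))
    token_provider_arn = f"arn:aws:iam:::oidc-provider/{provider}"
    if token_provider_arn != provider_arn:
        findings.append(f"iss maps to {token_provider_arn}, registered provider is {provider_arn}")

    aud = claims.get("aud")
    auds = [str(a) for a in (aud if isinstance(aud, list) else [aud])]
    azp = claims.get("azp")
    if not any(c in client_ids for c in auds + [azp]):
        findings.append(f"neither aud={auds} nor azp={azp!r} is in ClientIDList={client_ids}")

    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in (actions if isinstance(actions, list) else [actions]):
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        if provider_arn not in (federated if isinstance(federated, list) else [federated]):
            findings.append(f"statement does not trust {provider_arn}: Federated={federated}")
        for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
            cond_provider, _, claim_name = key.rpartition(":")  # "<provider>:<claim>"
            if cond_provider != provider:
                findings.append(f"condition key {key} names a provider other than iss ({provider})")
            got = auds if claim_name == "app_id" else [str(claims.get(claim_name))]
            if want not in got:
                findings.append(f"condition {claim_name}={want!r} not satisfied by token value {got}")
    return findings


def oidc_thumbprint(pem_cert: str) -> str:
    """SHA-1 of the DER certificate, upper-case hex: the value that goes in ThumbprintList."""
    body = "".join(l.strip() for l in pem_cert.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


# Constructed sample mirroring the shape of the setup in the post (not real values).
ISSUER = "https://keycloak.example.com/auth/realms/myrealm"
PROVIDER_ARN = "arn:aws:iam:::oidc-provider/keycloak.example.com/auth/realms/myrealm"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [PROVIDER_ARN]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {"keycloak.example.com/auth/realms/myrealm:app_id": "my_backend"}},
    }],
}
SAMPLE_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": "my_backend", "azp": "test_ceph", "sub": "user-1"})

if __name__ == "__main__":
    for ids in (["test_ceph"], ["some_other_client"]):
        print(ids, check_web_identity(SAMPLE_TOKEN, TRUST_POLICY, PROVIDER_ARN, ids) or "OK")
```

To use it against a real setup, paste the access_token from the Keycloak response into decode_jwt_claims, the AssumeRolePolicyDocument from iam list-roles into the trust policy argument, and the Arn and ClientIDList from iam get-open-id-connect-provider into the last two parameters; for the thumbprint, feed oidc_thumbprint the PEM certificate fetched from the realm's jwks_uri and compare the result with ThumbprintList. The check mirrors the comparisons the configuration expresses, so an empty findings list does not by itself prove RGW will accept the token (signature, expiry and RGW's own log output still decide that), but any finding it does report is something RGW would also reject.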
_______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx