It would be the second one:

arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

Thanks,
Pritha

On Thu, May 13, 2021 at 3:54 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:

> Hi Pritha
>
> This is probably the only combination I haven't tried.
> I was convinced it would have to be $oidc$
> It worked brilliantly with the ARN you suggested, thank you for that.
>
> So does it mean that for a non-empty tenant we would have the tenant name
> twice, like
>
> arn:aws:iam::mytenant:user/mytenant$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
>
> or would it be a single tenant name?
>
> arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
>
> If it's the second one, it relies on the fact that IDs are unique, which in
> turn depends on the sub field in the token.
>
> Regards
> Daniel
>
> On Wed, 12 May 2021 at 13:31, Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:
>
> > Hi,
> >
> > Can you try with the following ARN:
> >
> > arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
> >
> > The format of the user id is <tenant>$<user-namespace>$<sub>, and in
> > $oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b the '$' before oidc is a
> > separator for a tenant, which is empty here. The ARN for a user is of the
> > format arn:aws:iam::<tenant>:user/<user-id>, and hence the ARN here will
> > be arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
> >
> > Thanks,
> > Pritha
> >
> > On Wed, May 12, 2021 at 4:02 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:
> >
> >> Hi all
> >>
> >> I'm working on the following scenario:
> >> A user is authenticated with OIDC and tries to access a bucket which it
> >> does not own.
> >> How to specify user ID etc. to give access to such a user?
> >>
> >> By trial and error I found out that the principal can be specified as
> >> "Principal": {"Federated":["arn:aws:sts:::assumed-role/MySession"]},
> >>
> >> but I want to use the shadow user ID or something similar as the principal.
> >>
> >> Docs
> >> https://docs.ceph.com/en/latest/radosgw/STS/
> >> state:
> >> 'A shadow user is created corresponding to every federated user. The user
> >> id is derived from the ‘sub’ field of the incoming web token. The user is
> >> created in a separate namespace - ‘oidc’ such that the user id doesn’t
> >> clash with any other user ids in rgw. The format of the user id is -
> >> <tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for users
> >> that authenticate with oidc providers.'
> >>
> >> I see a shadow user in the Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b
> >> but I cannot work out the syntax of a user id. I was expecting something
> >> like
> >>
> >> "arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
> >>
> >> but when trying to list the content of a bucket I get AccessDenied.
> >> If the bucket policy has Principal "*" then my authenticated user can
> >> access the bucket.
> >>
> >> Is this possible?
> >> Regards
> >> Daniel
> >> _______________________________________________
> >> ceph-users mailing list -- ceph-users@xxxxxxx
> >> To unsubscribe send an email to ceph-users-leave@xxxxxxx
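The ARN layout the thread settles on, as an added example in Python (not code from the thread or from the Ceph project): the rgw user id is <tenant>$<user-namespace>$<sub> as quoted from docs.ceph.com, and the bucket-policy ARN is arn:aws:iam::<tenant>:user/<user-id> with the tenant carried in the account field and not repeated in the user path, so an empty tenant gives arn:aws:iam:::user/oidc$<sub> and a tenant "mytenant" gives arn:aws:iam::mytenant:user/oidc$<sub>. The helper names, the bucket name, the actions granted, and the use of the "AWS" principal key for user ARNs are assumptions for illustration; the parser also rejects the leading-'$' form that produced AccessDenied in the thread.

```python
"""Build and check bucket-policy principal ARNs for RGW OIDC shadow users.

Added example, not from the thread or from Ceph. Encodes the user-id
layout <tenant>$<user-namespace>$<sub> (quoted from docs.ceph.com) and
the ARN layout arn:aws:iam::<tenant>:user/<user-id> from the thread.
Bucket name, actions and the "AWS" principal key are assumptions.
"""
from __future__ import annotations

import json

NAMESPACE = "oidc"  # user-namespace rgw uses for OIDC-federated users


def shadow_user_id(tenant: str, sub: str, namespace: str = NAMESPACE) -> str:
    """rgw user id: <tenant>$<namespace>$<sub>; an empty tenant yields '$oidc$<sub>'."""
    for field in (tenant, namespace, sub):
        if "$" in field:
            raise ValueError("'$' is the field separator and may not appear in a field")
    if not sub:
        raise ValueError("sub (from the OIDC token) must be non-empty")
    return f"{tenant}${namespace}${sub}"


def shadow_user_arn(tenant: str, sub: str, namespace: str = NAMESPACE) -> str:
    """ARN for the shadow user: arn:aws:iam::<tenant>:user/<namespace>$<sub>.

    The tenant sits in the ARN's account field, so the user path carries only
    '<namespace>$<sub>': no 'mytenant$oidc$...' and no leading '$oidc$...'.
    """
    user_id = shadow_user_id(tenant, sub, namespace)
    tenant_part, _, rest = user_id.partition("$")
    return f"arn:aws:iam::{tenant_part}:user/{rest}"


def parse_shadow_user_arn(arn: str) -> tuple[str, str, str]:
    """Inverse of shadow_user_arn: (tenant, namespace, sub), or ValueError.

    Rejects the '$oidc$<sub>' user path (leading separator with no tenant),
    which is the form the thread found does not match.
    """
    prefix = "arn:aws:iam::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an IAM ARN: {arn}")
    tenant, sep, resource = arn[len(prefix):].partition(":")
    if sep != ":" or not resource.startswith("user/"):
        raise ValueError(f"not a user ARN: {arn}")
    namespace, sep, sub = resource[len("user/"):].partition("$")
    if sep != "$" or not namespace or not sub or "$" in sub:
        raise ValueError(f"user path is not <namespace>$<sub>: {arn}")
    return tenant, namespace, sub


def bucket_policy(bucket: str, principal_arns: list[str],
                  actions: tuple[str, ...] = ("s3:ListBucket", "s3:GetObject")) -> dict:
    """Bucket policy granting the listed actions to the named federated users only.

    Principal key "AWS" for user ARNs is an assumption of this example.
    """
    for arn in principal_arns:
        parse_shadow_user_arn(arn)  # fail early on a malformed principal
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


if __name__ == "__main__":
    # sub from the thread; bucket name is a constructed placeholder
    sub = "7f71c7c5-c24f-418e-87ac-aa8fe271289b"
    for tenant in ("", "mytenant"):
        print(shadow_user_id(tenant, sub), "->", shadow_user_arn(tenant, sub))
    print(json.dumps(bucket_policy("shared-bucket", [shadow_user_arn("", sub)]), indent=2))
```

The policy generated with an empty tenant uses the principal Pritha suggested; swap in a tenant name and the ARN's account field changes while the user path stays "oidc$<sub>", matching her answer to the follow-up question.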