Hi Marcelo,

Your trust policy has an error:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "*Main*":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

In place of 'Main', use 'Principal' as you have done for the radosgw-admin role create command.

Thanks,
Pritha

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <marcelo.miziara@xxxxxxxxxxxxx> wrote:
> Hello all!
>
> I'm having a hard time trying to get the STS to work. I want to give a
> user "someuser" the ability to assumerole. I don't know if I got it wrong
> how to do it, or if my json is spelled wrong.
>
> I've done tests on the latest versions of nautilus, octopus and pacific,
> and I always get the same message.
>
> In RGW I added the following settings:
> ---------------------
> rgw_s3_auth_use_sts = true
> rgw_sts_key = "abcdefghijklmnop"
> ---------------------
>
> Then I create a user "admin-api-user", giving the following caps:
> ---------------------
> # radosgw-admin caps add --uid admin-api-user --caps "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*"
> ---------------------
>
> But when I try to create a role using aws cli, I get an error message:
> ---------------------
> # aws --endpoint=http://10.79.35.245:7480 iam create-role --role-name=role1 --assume-role-policy-document file://policy_document.json
>
> An error occurred (Unknown) when calling the CreateRole operation: Unknown
> ---------------------
>
> Running the above command with debug, on one of the lines comes the
> following message:
> ---------------------
> 2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response body:
> b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>MalformedPolicyDocument</Code><RequestId>tx000000000000000001-006130ccac-b3b82-default</RequestId><HostId>b3b82-default-default</HostId></Error>'
> ---------------------
>
> My policy_document.json is like this:
> ---------------------
> {
>   "Version":"2012-10-17",
>   "Statement":[
>     {
>       "Effect":"Allow",
>       "Main":{
>         "AWS":[
>           "arn:aws:iam:::user/someuser"
>         ]
>       },
>       "Action":[
>         "sts:AssumeRole"
>       ]
>     }
>   ]
> }
> ---------------------
>
> If I run the radosgw-admin command with the same JSON (but with
> escaped characters), it works:
> ---------------------
> # radosgw-admin role create --role-name=role1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
>
> {
>   "RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408",
>   "RoleName": "role1",
>   "Path": "/",
>   "Arn": "arn:aws:iam:::role/role1",
>   "CreateDate": "2021-09-02T13:19:39.721Z",
>   "MaxSessionDuration": 3600,
>   "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> }
> ---------------------
>
> Does anyone have any idea where I might be going wrong? I did a test on
> aws, with the same JSON (adding my arn account) and it worked.
>
> Thanks, Marcelo!
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
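A small pre-flight check of the kind that would have caught the typo above before RGW answered with MalformedPolicyDocument. This is an added example, not code from the thread or from Ceph; the set of accepted statement keys and the `validate_trust_policy` function are my own, and the two sample documents are constructed from the policy in the thread (one with the wrong "Main" key, one with "Principal").

```python
import json

# Keys that may appear in one statement of an AssumeRole trust policy (assumed set).
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal",
                  "Action", "NotAction", "Condition"}

def validate_trust_policy(doc: str) -> list:
    """Return the problems found in a trust policy document ([] means it looks valid)."""
    problems = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be '2012-10-17'")
    statements = policy.get("Statement")
    if isinstance(statements, dict):      # a single statement object is also accepted
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        # An unknown key such as "Main" is the classic cause of MalformedPolicyDocument.
        for key in sorted(set(st) - STATEMENT_KEYS):
            problems.append(f"Statement[{i}]: unknown key '{key}'")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be 'Allow' or 'Deny'")
        if "Principal" not in st and "NotPrincipal" not in st:
            problems.append(f"Statement[{i}]: no 'Principal' names who may assume the role")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            problems.append(f"Statement[{i}]: Action must grant sts:AssumeRole")
    return problems

# Constructed samples: the thread's policy with the wrong key, and the corrected one.
BROKEN_POLICY = '''{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Main":{"AWS":["arn:aws:iam:::user/someuser"]},"Action":["sts:AssumeRole"]}]}'''
FIXED_POLICY = BROKEN_POLICY.replace('"Main"', '"Principal"')

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, validate_trust_policy(doc) or "OK")
```

Run it against the file you pass to `--assume-role-policy-document` before calling `iam create-role`; an empty list means the document has the shape RGW expects.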