Re: RGW STS - MalformedPolicyDocument

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Marcelo,

Your trust policy has an error:

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"*Main*":{
"AWS":[
"arn:aws:iam:::user/someuser"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
}

In place of 'Main', use 'Principal' as you have done for the radosgw-admin
role create command.

Thanks,
Pritha

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <
marcelo.miziara@xxxxxxxxxxxxx> wrote:

> Hello all!
>
> I'm having a hard time trying to get the STS to work. I want to give a
> user "someuser" the ability to assumerole. I don't know if I got it wrong
> how to do it, or if my json is spelled wrong.
>
> I've done tests on the latest versions of nautilus, octopus and pacific,
> and I always get the same message.
>
> In RGW I added the following settings:
> ---------------------
> rgw_s3_auth_use_sts = true
> rgw_sts_key = "abcdefghijklmnop"
> ---------------------
>
> Then I create a user "admin-api-user", giving the following caps:
> ---------------------
> # radosgw-admin caps add --uid admin-api-user --caps
> "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*"
> ---------------------
>
> But when I try to create a role using aws cli, I get an error message:
> ---------------------
> # aws --endpoint=http://10.79.35.245:7480 iam create-role
> --role-name=role1 --assume-role-policy-document file://policy_document.json
>
> An error occurred (Unknown) when calling the CreateRole operation: Unknown
> ---------------------
>
> Running the above command with debug, on one of the lines comes the
> following message:
> ---------------------
> 2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response
> body:
> b'<?xml version="1.0"
> encoding="UTF-8"?><Error><Code>MalformedPolicyDocument</Code><RequestId>tx000000000000000001-006130ccac-b3b82-default</RequestId><HostId>b3b82-default
> -default</HostId></Error>'
> ---------------------
>
> My policy_document.json is like this:
> ---------------------
> {
> "Version":"2012-10-17",
> "Statement":[
> {
> "Effect":"Allow",
> "Main":{
> "AWS":[
> "arn:aws:iam:::user/someuser"
> ]
> },
> "Action":[
> "sts:AssumeRole"
> ]
> }
> ]
> }
> ---------------------
>
> If I run the the radosgw-admin command with the same JSON (but with
> escaped characters), it works:
> ---------------------
> # radosgw-admin role create --role-name=role1
> --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
>
> {
> "RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408",
> "RoleName": "role1",
> "Path": "/",
> "Arn": "arn:aws:iam:::role/role1",
> "CreateDate": "2021-09-02T13:19:39.721Z",
> "MaxSessionDuration": 3600,
> "AssumeRolePolicyDocument":
> "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
>
> }
> ---------------------
>
>
> Does anyone have any idea where I might be going wrong? I did a test on
> aws, with the same JSON (adding my arn account) and it worked.
>
> Thanks, Marcelo!
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx



[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux