Re: RGW STS - MalformedPolicyDocument

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Pritha, thanks for the answer. 

Even changing to Principal I still get the MalformedPolicyDocument. I tested with aws cli versions 1 and 2, both returning the error message. I put JSON in several validators to see if there were any errors and it seems to be okay. I don't know if I'm missing something in the aws cli configuration, my credentials are: 
[default] 
aws_access_key_id = < admin-api-user key > 
aws_secret_access_key = < admin-api-user secret > 

And my config: 
[default] 
region = US 
output = json 

And I checked that no rule with the same same exists. 

With the example python from the page https://docs.ceph.com/en/latest/radosgw/STS/ it worked (it has an extra "]" that needs to be removed in the policy_document variable). 

Thanks again, Marcelo. 


De: "Pritha Srivastava" <prsrivas@xxxxxxxxxx> 
Para: "marcelo.miziara serpro" <marcelo.miziara@xxxxxxxxxxxxx> 
Cc: "ceph-users" <ceph-users@xxxxxxx> 
Enviadas: Domingo, 5 de setembro de 2021 7:07:14 
Assunto: Re:  RGW STS - MalformedPolicyDocument 

Hi Marcelo, 

Your trust policy has an error: 

{ 
"Version":"2012-10-17", 
"Statement":[ 
{ 
"Effect":"Allow", 
" Main ":{ 
"AWS":[ 
"arn:aws:iam:::user/someuser" 
] 
}, 
"Action":[ 
"sts:AssumeRole" 
] 
} 
] 
} 

In place of 'Main', use 'Principal' as you have done for the radosgw-admin role create command. 

Thanks, 
Pritha 

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara < [ https://mail-inspector.serpro.gov.br/mailinspector/tap/WarningUrlPage.php?HSCTYPE=0&HSCRULE=4&HSCID=OTM1Q0I0OEYwODkuQTc4N0Q=&HSCMLICHECKID0005=b70b7db3446fb5c45272034c5174fcaa&URLCHECKHSCMLI09132012warnning=bWFpbHRvOm1hcmNlbG8ubWl6aWFyYUBzZXJwcm8uZ292LmJy | marcelo.miziara@xxxxxxxxxxxxx ] > wrote: 


Hello all! 

I'm having a hard time trying to get the STS to work. I want to give a user "someuser" the ability to assumerole. I don't know if I got it wrong how to do it, or if my json is spelled wrong. 

I've done tests on the latest versions of nautilus, octopus and pacific, and I always get the same message. 

In RGW I added the following settings: 
--------------------- 
rgw_s3_auth_use_sts = true 
rgw_sts_key = "abcdefghijklmnop" 
--------------------- 

Then I create a user "admin-api-user", giving the following caps: 
--------------------- 
# radosgw-admin caps add --uid admin-api-user --caps "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*" 
--------------------- 

But when I try to create a role using aws cli, I get an error message: 
--------------------- 
# aws --endpoint= [ https://mail-inspector.serpro.gov.br/mailinspector/tap/WarningUrlPage.php?HSCTYPE=0&HSCRULE=4&HSCID=OTM1Q0I0OEYwODkuQTc4N0Q=&HSCMLICHECKID0005=b70b7db3446fb5c45272034c5174fcaa&URLCHECKHSCMLI09132012warnning=aHR0cDovLzEwLjc5LjM1LjI0NTo3NDgw | http://10.79.35.245:7480 ] iam create-role --role-name=role1 --assume-role-policy-document file://policy_document.json 

An error occurred (Unknown) when calling the CreateRole operation: Unknown 
--------------------- 

Running the above command with debug, on one of the lines comes the following message: 
--------------------- 
2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response body: 
b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>MalformedPolicyDocument</Code><RequestId>tx000000000000000001-006130ccac-b3b82-default</RequestId><HostId>b3b82-default -default</HostId></Error>' 
--------------------- 

My policy_document.json is like this: 
--------------------- 
{ 
"Version":"2012-10-17", 
"Statement":[ 
{ 
"Effect":"Allow", 
"Main":{ 
"AWS":[ 
"arn:aws:iam:::user/someuser" 
] 
}, 
"Action":[ 
"sts:AssumeRole" 
] 
} 
] 
} 
--------------------- 

If I run the the radosgw-admin command with the same JSON (but with escaped characters), it works: 
--------------------- 
# radosgw-admin role create --role-name=role1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\} 
{ 
"RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408", 
"RoleName": "role1", 
"Path": "/", 
"Arn": "arn:aws:iam:::role/role1", 
"CreateDate": "2021-09-02T13:19:39.721Z", 
"MaxSessionDuration": 3600, 
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" 
} 
--------------------- 


Does anyone have any idea where I might be going wrong? I did a test on aws, with the same JSON (adding my arn account) and it worked. 

Thanks, Marcelo! 

_______________________________________________ 
ceph-users mailing list -- [ https://mail-inspector.serpro.gov.br/mailinspector/tap/WarningUrlPage.php?HSCTYPE=0&HSCRULE=4&HSCID=OTM1Q0I0OEYwODkuQTc4N0Q=&HSCMLICHECKID0005=b70b7db3446fb5c45272034c5174fcaa&URLCHECKHSCMLI09132012warnning=bWFpbHRvOmNlcGgtdXNlcnNAY2VwaC5pbw== | ceph-users@xxxxxxx ] 
To unsubscribe send an email to [ https://mail-inspector.serpro.gov.br/mailinspector/tap/WarningUrlPage.php?HSCTYPE=0&HSCRULE=4&HSCID=OTM1Q0I0OEYwODkuQTc4N0Q=&HSCMLICHECKID0005=b70b7db3446fb5c45272034c5174fcaa&URLCHECKHSCMLI09132012warnning=bWFpbHRvOmNlcGgtdXNlcnMtbGVhdmVAY2VwaC5pbw== | ceph-users-leave@xxxxxxx ] 





_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx



[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux