Hi Simone, There is a step that I see missing here - have you created a role? For creating a role, you need to attach 'roles' caps to the user that you created. Also, what tool have you used to make the AssumeRoleWithWebIdentity call? An example using boto3 is outlined in the documentation here: https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in Pacific the trust policy supports only app_id in the Condition element: