R: Re: Keycloack with Radosgw


Hi Pritha,

in step 4) I created a role with the Trust Policy:

radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"Federated\":\"arn:aws:iam:::oidc-provider/ mykeycloak.org.com/auth/realms/myrealm\"\},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":\{\"StringEquals\":\{\"mykeycloak.org.com/auth/realms/myrealm:clientId\":\"radosgw\"\}\}\}\]\}

Is this not correct?

To call the AssumeRoleWithWebIdentity I used curl:

curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn= arn:aws:iam:::role/S3Access &WebIdentityToken=XXXXXXXXXXX"


Best
Simone

-----Original Message-----
From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
Sent: Wednesday, 16 March 2022 11:11
To: simone.beccato@xxxxxxxxxxxxxx
Cc: ceph-users <ceph-users@xxxxxxx>
Subject: Re: Keycloack with Radosgw

Hi Simone,

There is a step that I see missing here - have you created a role? For creating a role, you need to attach 'roles' caps to the user that you created.
Also, what tool have you used to make the AssumeRoleWithWebIdentity call?
An example using boto3 is outlined in the documentation here:
https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in Pacific the trust policy supports only app_id in the Condition element:


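As an added, offline example (not code from this thread or from the Ceph project): it builds the role trust policy with the app_id condition key that Pritha says Pacific evaluates, and checks a web identity token's iss and aud/azp claims against that policy before the AssumeRoleWithWebIdentity call is made. The issuer, client id and the claim-to-condition mapping are assumptions, and the token is constructed.

```python
import base64
import json

# Constructed values for this example; the real deployment in the thread may differ.
ISSUER = "mykeycloak.org.com/auth/realms/myrealm"  # as written in the policy: no scheme
CLIENT_ID = "radosgw"

def trust_policy(issuer, client_id, condition_key="app_id"):
    # Pacific evaluates only the app_id condition key (Pritha's reply); the
    # clientId key used in the thread's policy is not honoured there.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam:::oidc-provider/" + issuer},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {issuer + ":" + condition_key: client_id}},
        }],
    }

def unsigned_jwt(claims):
    # Constructed alg=none token for offline testing only; RGW verifies real
    # tokens against the IdP's keys, this helper just mimics the encoding.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."

def jwt_claims(token):
    # Decode the payload segment only (inspection, not verification).
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def policy_mismatches(token, policy):
    # Pre-flight check before calling AssumeRoleWithWebIdentity: list the
    # reasons the token would not satisfy the trust policy (empty == consistent).
    # Assumption: the app_id/clientId condition is matched against aud or azp.
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    iss = claims.get("iss", "").split("://", 1)[-1]
    problems = []
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].split("oidc-provider/", 1)[1]
        if iss != provider:
            problems.append("iss %r does not match provider %r" % (iss, provider))
        for key, expected in stmt["Condition"]["StringEquals"].items():
            if expected not in aud and claims.get("azp") != expected:
                problems.append("%s=%r not found in aud %r or azp" % (key, expected, aud))
    return problems
```

When policy_mismatches returns an empty list, the same token is what goes into WebIdentityToken of the boto3 assume_role_with_web_identity call shown in the Ceph STS documentation linked above.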