Please correct the trust policy with the condition element that I pointed out before. Also, can you please try using AWS tools - boto3 or the AWS STS APIs - to make the AssumeRoleWithWebIdentity call. You can check the RGW log files to see whether the call reaches RGW with the curl command.

Thanks,
Pritha

On Wednesday, March 16, 2022, <simone.beccato@xxxxxxxxxxxxxx> wrote:

> Hi Pritha,
>
> in step 4) I created a role with the Trust Policy:
>
> radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"Federated\":\"arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm\"\},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":\{\"StringEquals\":\{\"mykeycloak.org.com/auth/realms/myrealm:clientId\":\"radosgw\"\}\}\}\]\}
>
> Is this not correct?
>
> To call AssumeRoleWithWebIdentity I used curl:
>
> curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn:aws:iam:::role/S3Access&WebIdentityToken=XXXXXXXXXXX"
>
> Best
> Simone
>
> -----Original Message-----
> From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
> Sent: Wednesday, 16 March 2022 11:11
> To: simone.beccato@xxxxxxxxxxxxxx
> Cc: ceph-users <ceph-users@xxxxxxx>
> Subject: Re: Keycloack with Radosgw
>
> Hi Simone,
>
> There is a step that I see missing here - have you created a role? For creating a role, you need to attach 'roles' caps to the user that you created.
> Also, what tool have you used to make the AssumeRoleWithWebIdentity call? An example using boto3 is outlined in the documentation here: https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also, in Pacific the trust policy supports only app_id in the Condition element.
>
> From the documentation:
>
> 'The app_id in the condition above must match the 'aud' claim of the incoming token.'
>
> Thanks,
> Pritha
>
> On Wed, Mar 16, 2022 at 3:05 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > I'm trying to set up Keycloak as OpenID Connect Provider for Rados Gateway without success (I'm using Ceph version pacific).
> >
> > Following the documentation I made these steps:
> >
> > 1) Added to /etc/ceph/ceph.conf the following options:
> >
> > [client]
> > rgw sts key = 1234abcd5678efgh
> > rgw s3 auth use sts = true
> >
> > 2) Created a user on radosgw with caps:
> >
> > radosgw-admin --uid MYUSER --display-name "MyUser" --access_key MYUSER --secret test123 user create
> > radosgw-admin caps add --uid="MYUSER" --caps="oidc-provider=*"
> >
> > 3) Added an OpenID Connect Provider from the aws s3 libs:
> >
> > aws --profile=ceph-lab --endpoint=http://X.X.X.X:423 iam create-open-id-connect-provider --url https://mykeycloak.org.com/auth/realms/myrealm --thumbprint-list XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> > 4) Added this trust policy named "S3Access"
> >
> > {
> >   "Version": "2012-10-17",
> >   "Statement": [
> >     {
> >       "Effect": "Allow",
> >       "Principal": {"Federated": "arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},
> >       "Action": "sts:AssumeRoleWithWebIdentity",
> >       "Condition": {
> >         "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:clientId": "radosgw"}
> >       }
> >     }
> >   ]
> > }
> >
> > 5) attached this role policy to the previous one:
> >
> > {
> >   "Version": "2012-10-17",
> >   "Statement": {
> >     "Effect": "Allow",
> >     "Action": "s3:*",
> >     "Resource": "*"
> >   }
> > }
> >
> > 6) I retrieve a web token from Keycloak and pass it in this request to Radosgw:
> >
> > GET /?Action=AssumeRoleWithWebIdentity
> > &DurationSeconds=3600
> > &RoleArn=arn:aws:iam:::role/S3Access
> > &WebIdentityToken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> > 7) I got this reply, but I expected to have a new set of temporary credentials:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
> >   <Owner>
> >     <ID>$oidc$ccbfcd2c-2f00-49fc-8524-df3a8d81e03d</ID>
> >     <DisplayName></DisplayName>
> >   </Owner>
> >   <Buckets></Buckets>
> > </ListAllMyBucketsResult>
> >
> > Surely I'm missing something, but reading the Ceph docs, AWS docs and a lot of articles I did not find any solution. Could someone help me find the issue?
> >
> > Kind regards
> > Simone
> >
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
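Added example, not code from the thread or from the Ceph project: it builds the role trust policy with the app_id condition that Pritha points to (app_id must equal the token's 'aud' claim), checks a token's 'iss' and 'aud' against that policy before calling STS, and makes the AssumeRoleWithWebIdentity call through boto3 as the Ceph STS documentation does instead of a hand-built curl GET. The endpoint and issuer host are the thread's placeholders; the checker and the constructed test token are assumptions of this example.

```python
import base64
import json

# Placeholders taken from the thread; replace with your own values.
RGW_ENDPOINT = "http://X.X.X.X:423"
ISSUER_HOST = "mykeycloak.org.com/auth/realms/myrealm"  # provider URL without scheme

def trust_policy(issuer_host: str, app_id: str) -> str:
    """Trust policy using the app_id condition: in Pacific this is the only
    supported condition key, and it must equal the token's 'aud' claim."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{issuer_host}"]},
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Condition": {"StringEquals": {f"{issuer_host}:app_id": app_id}},
        }],
    })

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it (RGW verifies the signature);
    this only inspects 'iss' and 'aud' before the STS call."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def policy_matches_token(policy_json: str, token: str) -> bool:
    """Assumed pre-flight check: the token issuer must be the federated provider
    and the policy's app_id must appear in the token's 'aud' (string or list)."""
    claims, stmt = jwt_claims(token), json.loads(policy_json)["Statement"][0]
    issuer_host = claims["iss"].split("://", 1)[-1]
    aud = claims["aud"]
    auds = aud if isinstance(aud, list) else [aud]
    return (f"arn:aws:iam:::oidc-provider/{issuer_host}" in stmt["Principal"]["Federated"]
            and stmt["Condition"]["StringEquals"].get(f"{issuer_host}:app_id") in auds)

def constructed_token(iss: str, aud: str) -> str:
    # Constructed, unsigned token for offline testing only; a real one comes from Keycloak.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": iss, "aud": aud}), ""])

def assume_role(token: str, role_arn: str, access_key: str, secret_key: str) -> dict:
    """AssumeRoleWithWebIdentity via boto3, as in the Ceph STS docs; returns
    the temporary credentials (AccessKeyId, SecretAccessKey, SessionToken)."""
    import boto3  # imported lazily so the offline checks above need no boto3
    sts = boto3.client("sts", aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                       endpoint_url=RGW_ENDPOINT, region_name="")
    resp = sts.assume_role_with_web_identity(RoleArn=role_arn, RoleSessionName="keycloak",
                                             DurationSeconds=3600, WebIdentityToken=token)
    return resp["Credentials"]
```

Run policy_matches_token on the real Keycloak token before calling assume_role: if it returns False, the Condition or Federated principal is what needs fixing, not the STS request.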