Hi Pritha, I need to add a custom field to the access-token named “app_id” ? Looking at the RGW logs files I see the curl request coming correctly, the point is that i receive a “listBucket” response instead a set of temporary credentials. Best Simone Da: Pritha Srivastava <prsrivas@xxxxxxxxxx> Inviato: mercoledì 16 marzo 2022 13:15 A: simone.beccato@xxxxxxxxxxxxxx Cc: ceph-users <ceph-users@xxxxxxx> Oggetto: Re: Keycloack with Radosgw Please correct the trust policy with the condition element that I pointed out before. Also, Can you please try using AWS tools - boto3 or AWS STS apis to make the AssumeRoleWithWebIdentity call. You can check the RGW log files to see whether the call reaches RGW with the curl command. Thanks, Pritha On Wednesday, March 16, 2022, <simone.beccato@xxxxxxxxxxxxxx <mailto:simone.beccato@xxxxxxxxxxxxxx> > wrote: Hi Pritha, in step 4) I created a role with the Trust Policy: radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"Federated\":\"arn:aws:iam:::oidc-provider/ mykeycloak.org.com/auth/realms/myrealm\ <http://mykeycloak.org.com/auth/realms/myrealm/> "\},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":\{\"StringEquals\":\{\"mykeycloak.org.com/auth/realms/myrealm:clientId\ <http://mykeycloak.org.com/auth/realms/myrealm:clientId/> ":\"radosgw\"\}\}\}\]\} Is this not correct? To call the AssumeRoleWithWebIdentity I used curl: curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity <http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=> &DurationSeconds=3600&RoleArn= arn:aws:iam:::role/S3Access &WebIdentityToken=XXXXXXXXXXX" Best Simone -----Messaggio originale----- Da: Pritha Srivastava <prsrivas@xxxxxxxxxx <mailto:prsrivas@xxxxxxxxxx> > Inviato: mercoledì 16 marzo 2022 11:11 A: simone.beccato@xxxxxxxxxxxxxx <mailto:simone.beccato@xxxxxxxxxxxxxx> Cc: ceph-users <ceph-users@xxxxxxx <mailto:ceph-users@xxxxxxx> > Oggetto: Re: Keycloack with Radosgw Hi Simone, There is a step that I see missing here - have you created a role? For creating a role, you need to attach 'roles' caps to the user that you created. Also, what tool have you used to make the AssumeRoleWithWebIdentity call? An example using boto3 is outlined in the documentation here: https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in Pacific the trust policy supports only app_id in the Condition element:
 |