The value of the 'aud' field in the token must be set in the Condition
element, checking it against 'app_id'. There is no need to add a custom
field 'app_id'. The Ceph STS APIs have been tested using standard AWS tools
(boto3 and aws), so I'd suggest you use them.

Thanks,
Pritha

On Wed, Mar 16, 2022 at 8:45 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:

> Hi Pritha,
>
> I need to add a custom field to the access-token named "app_id"?
>
> Looking at the RGW log files I see the curl request coming correctly, the
> point is that I receive a "listBucket" response instead of a set of
> temporary credentials.
>
> Best
> Simone
>
> *From:* Pritha Srivastava <prsrivas@xxxxxxxxxx>
> *Sent:* Wednesday, 16 March 2022 13:15
> *To:* simone.beccato@xxxxxxxxxxxxxx
> *Cc:* ceph-users <ceph-users@xxxxxxx>
> *Subject:* Re: Keycloack with Radosgw
>
> Please correct the trust policy with the condition element that I pointed
> out before. Also, can you please try using AWS tools - boto3 or AWS STS
> APIs - to make the AssumeRoleWithWebIdentity call. You can check the RGW
> log files to see whether the call reaches RGW with the curl command.
>
> Thanks,
> Pritha
>
> On Wednesday, March 16, 2022, <simone.beccato@xxxxxxxxxxxxxx> wrote:
>
>> Hi Pritha,
>>
>> in step 4) I created a role with the Trust Policy:
>>
>> radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"Federated\":\"arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm\"\},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":\{\"StringEquals\":\{\"mykeycloak.org.com/auth/realms/myrealm:clientId\":\"radosgw\"\}\}\}\]\}
>>
>> Is this not correct?
>>
>> To call the AssumeRoleWithWebIdentity I used curl:
>>
>> curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn:aws:iam:::role/S3Access&WebIdentityToken=XXXXXXXXXXX"
>>
>> Best
>> Simone
>>
>> -----Original Message-----
>> From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
>> Sent: Wednesday, 16 March 2022 11:11
>> To: simone.beccato@xxxxxxxxxxxxxx
>> Cc: ceph-users <ceph-users@xxxxxxx>
>> Subject: Re: Keycloack with Radosgw
>>
>> Hi Simone,
>>
>> There is a step that I see missing here - have you created a role? For
>> creating a role, you need to attach 'roles' caps to the user that you
>> created.
>> Also, what tool have you used to make the AssumeRoleWithWebIdentity call?
>> An example using boto3 is outlined in the documentation here:
>> https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in
>> Pacific the trust policy supports only app_id in the Condition element:
>>
>> From the documentation:
>>
>> 'The app_id in the condition above must match the 'aud' claim of the
>> incoming token.'
>>
>> Thanks,
>> Pritha
>>
>> On Wed, Mar 16, 2022 at 3:05 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to set up Keycloak as OpenID Connect Provider for Rados
>>> Gateway without success (I'm using Ceph version Pacific).
>>>
>>> Following the documentation I made these steps:
>>>
>>> 1) Added to /etc/ceph/ceph.conf the following options:
>>>
>>> [client]
>>> rgw sts key = 1234abcd5678efgh
>>> rgw s3 auth use sts = true
>>>
>>> 2) Created a user on radosgw with caps:
>>>
>>> radosgw-admin --uid MYUSER --display-name "MyUser" --access_key MYUSER --secret test123 user create
>>> radosgw-admin caps add --uid="MYUSER" --caps="oidc-provider=*"
>>>
>>> 3) Added an OpenID Connect Provider from aws s3 libs:
>>>
>>> aws --profile=ceph-lab --endpoint=http://X.X.X.X:423 iam create-open-id-connect-provider --url https://mykeycloak.org.com/auth/realms/myrealm --thumbprint-list XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>>
>>> 4) Added this trust policy named "S3Access"
>>>
>>> {
>>>   "Version": "2012-10-17",
>>>   "Statement": [
>>>     {
>>>       "Effect": "Allow",
>>>       "Principal": {"Federated": "arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},
>>>       "Action": "sts:AssumeRoleWithWebIdentity",
>>>       "Condition": {
>>>         "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:clientId": "radosgw"}
>>>       }
>>>     }
>>>   ]
>>> }
>>>
>>> 5) attached this role policy to the previous one:
>>>
>>> {
>>>   "Version": "2012-10-17",
>>>   "Statement": {
>>>     "Effect": "Allow",
>>>     "Action": "s3:*",
>>>     "Resource": "*"
>>>   }
>>> }
>>>
>>> 6) I retrieve a web token from Keycloak and pass it in this request to
>>> Radosgw:
>>>
>>> GET /?Action=AssumeRoleWithWebIdentity
>>> &DurationSeconds=3600
>>> &RoleArn=arn:aws:iam:::role/S3Access
>>> &WebIdentityToken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>>
>>> 7) I got this reply, but I expected to have a new set of temporary
>>> credentials:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
>>>   <Owner>
>>>     <ID>$oidc$ccbfcd2c-2f00-49fc-8524-df3a8d81e03d</ID>
>>>     <DisplayName></DisplayName>
>>>   </Owner>
>>>   <Buckets></Buckets>
>>> </ListAllMyBucketsResult>
>>>
>>> Sure I'm missing something but reading Ceph docs, AWS docs and a lot
>>> of articles I did not find any solution, could someone help me
>>> find the issue?
>>>
>>> Kind regards
>>> Simone
>>>
>>> _______________________________________________
>>> ceph-users mailing list -- ceph-users@xxxxxxx
>>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
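The following is an added example, not code from this thread or from the Ceph project. It turns the two points made in the replies above into checks that run offline before touching RGW: the trust policy Condition is keyed on `<provider-url>:app_id` (the form the Pacific STS docs use), and that value is compared with the token's `aud` claim rather than with any custom claim; it also tells an STS reply apart from the `ListAllMyBucketsResult` the poster received, and shows the boto3 `assume_role_with_web_identity` call recommended instead of a hand-built GET. Assumptions: the Keycloak token's `aud` is "radosgw", the `iss` check mirrors the Principal's provider URL, the hostnames and role ARN are the placeholders from the thread, and the sample token and XML reply are constructed here (the token is unsigned; RGW does its own signature check against the registered thumbprint).

```python
"""Added example (not from the thread or from Ceph): offline checks for the
app_id/aud match in an RGW trust policy, plus the boto3 STS call."""
import base64
import json
import xml.etree.ElementTree as ET

OIDC_URL = "mykeycloak.org.com/auth/realms/myrealm"   # provider URL from the thread
APP_ID = "radosgw"                                     # assumed value of the token's 'aud'
ROLE_ARN = "arn:aws:iam:::role/S3Access"               # role ARN from the thread


def build_trust_policy(oidc_url, app_id):
    """Trust policy in the form the Pacific STS docs show: the Condition is keyed
    '<provider-url>:app_id' and RGW matches its value against the token's 'aud'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam:::oidc-provider/" + oidc_url},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {oidc_url + ":app_id": app_id}},
        }],
    }


def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def _unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode a JWT payload for inspection only. No signature check here:
    RGW verifies the signature against the provider's registered thumbprint."""
    _header, payload, _sig = token.split(".")
    return json.loads(_unb64url(payload))


def policy_problems(policy, claims):
    """Reasons the token would not satisfy the trust policy (empty list = OK)."""
    problems = []
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    # Assumption: 'iss' minus its scheme must equal the registered provider URL.
    iss = claims.get("iss", "").split("://", 1)[-1].rstrip("/")
    for stmt in policy["Statement"]:
        provider = stmt["Principal"]["Federated"].split("oidc-provider/", 1)[1]
        if iss != provider:
            problems.append("iss %r != provider %r" % (iss, provider))
        for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if not key.endswith(":app_id"):
                # Per the thread, Pacific honours only app_id in the Condition.
                problems.append("unsupported condition key %r (Pacific supports only app_id)" % key)
            elif want not in auds:
                problems.append("aud %r does not contain app_id %r" % (auds, want))
    return problems


def classify_response(body):
    """The reply's root element names the API that handled the request:
    'AssumeRoleWithWebIdentityResponse' is STS; 'ListAllMyBucketsResult' (what
    the poster got) means RGW served the request as an S3 ListBuckets."""
    return ET.fromstring(body).tag.split("}", 1)[-1]


def assume_role(endpoint, access_key, secret_key, role_arn, token, session="keycloak-user"):
    """boto3 call as in the Ceph STS docs (which pass an RGW user's keys and
    region_name=''). Needs a reachable RGW, so it is not exercised offline."""
    import boto3
    sts = boto3.client("sts", aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                       endpoint_url=endpoint, region_name="")
    resp = sts.assume_role_with_web_identity(RoleArn=role_arn, RoleSessionName=session,
                                             WebIdentityToken=token, DurationSeconds=3600)
    return resp["Credentials"]   # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def make_sample_jwt(claims):
    """Constructed, unsigned token (header.payload.dummy-signature) for the offline checks."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), _b64url({"sig": "dummy"})])


SAMPLE_TOKEN = make_sample_jwt({"iss": "https://" + OIDC_URL, "aud": APP_ID,
                                "sub": "ccbfcd2c-2f00-49fc-8524-df3a8d81e03d", "exp": 1647450000})

# The poster's Condition, keyed on clientId instead of app_id.
POSTED_POLICY = build_trust_policy(OIDC_URL, APP_ID)
POSTED_POLICY["Statement"][0]["Condition"] = {"StringEquals": {OIDC_URL + ":clientId": APP_ID}}

# Constructed copy of the reply the poster received instead of credentials.
LIST_BUCKETS_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
                    '<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                    '<Owner><ID>$oidc$x</ID><DisplayName></DisplayName></Owner>'
                    '<Buckets></Buckets></ListAllMyBucketsResult>')

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("posted (clientId) policy:", policy_problems(POSTED_POLICY, claims))
    print("app_id policy:           ", policy_problems(build_trust_policy(OIDC_URL, APP_ID), claims))
    print("reply root element:      ", classify_response(LIST_BUCKETS_XML))
```

Run stand-alone it reports the unsupported `clientId` key for the posted policy, no problems for the `app_id` form, and `ListAllMyBucketsResult` as the root of the reply; once `assume_role` returns credentials against a real RGW, pass `AccessKeyId`, `SecretAccessKey` and `SessionToken` to a boto3 `s3` client to exercise the role policy from step 5.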