RE: Keycloack with Radosgw


Hi Pritha,

I will test the APIs with the suggested tools.

What is not clear to me is the aud and app_id.

In the token I have an "aud" field like this:

"aud": [
    "radosgw",
    "account"
  ],

Do I need to add the value "app_id" to this field and use this Condition?

"StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:app_id":"aud"}

Could you please share a concrete example?

Best

Simone
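An added example (not from any participant in the thread and not Ceph's own code) of the point in Pritha's reply: the trust policy's condition key is "<provider>:app_id" and its value is the client id that appears in the token's "aud"; no custom claim is added to the token. The provider path and client id are the ones quoted in the thread, the sample token is constructed and unsigned, and the local pre-check assumes RGW compares app_id against the aud values.

```python
import base64
import json

# Constructed sample payload shaped like the token quoted in the thread:
# Keycloak issues "aud" as a list, and "radosgw" is the client id.
SAMPLE_PAYLOAD = {
    "iss": "https://mykeycloak.org.com/auth/realms/myrealm",
    "aud": ["radosgw", "account"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_sample_token(payload: dict) -> str:
    # Unsigned JWT for offline testing: the signature is a placeholder because
    # nothing here verifies it (RGW checks it against the provider's keys).
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "placeholder-sig"])

def token_audiences(token: str) -> list:
    # Decode the payload segment; 'aud' may be a bare string or a list.
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    aud = json.loads(base64.urlsafe_b64decode(seg)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def trust_policy(provider: str, app_id: str) -> dict:
    # Shape used in the Ceph STS docs: the condition key is '<provider>:app_id'
    # and its value is the client id that must appear in the token's 'aud'.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam:::oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:app_id": app_id}},
        }],
    }

def condition_matches(policy: dict, token: str) -> bool:
    # Local pre-check (assumption: RGW compares app_id with the token's aud):
    # every app_id value in a StringEquals condition must be present in 'aud'.
    auds = token_audiences(token)
    for stmt in policy["Statement"]:
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":app_id") and value not in auds:
                return False
    return True
```

To pass the policy to radosgw-admin, emit it with json.dumps(policy, separators=(",", ":")) and single-quote the result in the shell rather than backslash-escaping every quote.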



From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
Sent: Wednesday, 16 March 2022 16:39
To: simone.beccato@xxxxxxxxxxxxxx
Cc: ceph-users <ceph-users@xxxxxxx>
Subject: Re: Keycloack with Radosgw

The value of the 'aud' field in the token must be set in the Condition element, checking it against 'app_id'. There is no need to add a custom field 'app_id'.

The Ceph STS APIs have been tested using standard AWS tools (boto3 and aws), so I'd suggest you use them.

Thanks,

Pritha

On Wed, Mar 16, 2022 at 8:45 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:

Hi Pritha,

Do I need to add a custom field named "app_id" to the access token?

Looking at the RGW log files I see the curl request coming in correctly; the point is that I receive a "listBucket" response instead of a set of temporary credentials.

Best

Simone

From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
Sent: Wednesday, 16 March 2022 13:15
To: simone.beccato@xxxxxxxxxxxxxx
Cc: ceph-users <ceph-users@xxxxxxx>
Subject: Re: Keycloack with Radosgw

 

Please correct the trust policy with the condition element that I pointed out before. Also, can you please try using AWS tools (boto3 or the AWS STS APIs) to make the AssumeRoleWithWebIdentity call? You can check the RGW log files to see whether the call made with the curl command reaches RGW.

 

Thanks,

Pritha

On Wednesday, March 16, 2022, <simone.beccato@xxxxxxxxxxxxxx> wrote:

Hi Pritha,

In step 4) I created a role with the Trust Policy:

radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"mykeycloak.org.com/auth/realms/myrealm:clientId":"radosgw"}}}]}'

Is this not correct?

To call AssumeRoleWithWebIdentity I used curl:

curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn:aws:iam:::role/S3Access&WebIdentityToken=XXXXXXXXXXX"

Best
Simone

-----Original Message-----
From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
Sent: Wednesday, 16 March 2022 11:11
To: simone.beccato@xxxxxxxxxxxxxx
Cc: ceph-users <ceph-users@xxxxxxx>
Subject: Re: Keycloack with Radosgw

Hi Simone,

There is a step that I see missing here - have you created a role? For creating a role, you need to attach 'roles' caps to the user that you created.
Also, what tool have you used to make the AssumeRoleWithWebIdentity call?
An example using boto3 is outlined in the documentation here:
https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in Pacific the trust policy supports only app_id in the Condition element:

