Hello, I just submitted: https://tracker.ceph.com/issues/58890

Here are more details about the configuration. Note that I've tried a URL with and without a trailing `/` slash, like what appears in the `iss`.

STS OpenIDConnectProvider:

<pre>
{
  "ClientIDList": [
    "radosgw"
  ],
  "CreateDate": "2023-03-01T04:05:45.930000+00:00",
  "ThumbprintList": [
    "16A1FBBEE0DC3F78C2013326B2EBA2B9F6D59575"
  ],
  "Url": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"
}
</pre>

Role document with the ARN used in the AssumeRoleWithWebIdentity call. The token returns a "sub" claim with the value of "mathew.utter", i.e. me.

<pre>
{
  "RoleId": "53186307-cc98-4904-b867-aa6c2fb10291",
  "RoleName": "AssumeRoleWithWebIdentityForOIDC",
  "Path": "/",
  "Arn": "arn:aws:iam:::role/AssumeRoleWithWebIdentityForOIDC",
  "CreateDate": "2023-03-01T04:05:46.417Z",
  "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c:sub\":\"mathew.utter\"}}}]}"
}
</pre>

Policy attached to the role:

<pre>
{
  "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
}
</pre>

There would be a role and policy created for each OIDC user, which is why I'm using the "sub" in the Role.
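As an added example (not from the post above and not RGW's own code), the following is a simplified, offline model of what the trust policy in this message expresses: the token's `iss` must match the OIDC provider named in `Principal.Federated`, the `aud` must be in the provider's `ClientIDList`, and the `<provider>:sub` condition must equal the token's `sub`. It assumes the provider identifier is the URL without its scheme and without a trailing slash, which is the normalization the trailing-slash question in the post is about; the sample claims are constructed, and a real token's signature would be verified before any of these checks.

```python
import json
from urllib.parse import urlparse

# Constructed sample claims, as a decoded (and already signature-verified)
# ID token might carry them. Note the trailing slash on "iss".
SAMPLE_CLAIMS = {
    "iss": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c/",
    "sub": "mathew.utter",
    "aud": "radosgw",
}

PROVIDER = {
    "ClientIDList": ["radosgw"],
    "Url": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c",
}

# The AssumeRolePolicyDocument from the role in the post, as a JSON string.
TRUST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"Federated":["arn:aws:iam:::oidc-provider/'
    'login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"]},'
    '"Action":["sts:AssumeRoleWithWebIdentity"],'
    '"Condition":{"StringEquals":{'
    '"login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c:sub":"mathew.utter"}}}]}'
)


def provider_id(url: str) -> str:
    """Assumed normalization: drop the scheme and any trailing slash."""
    p = urlparse(url)
    return (p.netloc + p.path).rstrip("/")


def evaluate(policy: dict, provider: dict, claims: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for an AssumeRoleWithWebIdentity attempt."""
    issuer = provider_id(claims.get("iss", ""))
    if issuer != provider_id(provider["Url"]):
        return False, f"issuer {issuer!r} does not match the registered provider"
    if claims.get("aud") not in provider["ClientIDList"]:
        return False, f"audience {claims.get('aud')!r} not in ClientIDList"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in stmt["Action"]:
            continue
        if f"arn:aws:iam:::oidc-provider/{issuer}" not in stmt["Principal"].get("Federated", []):
            return False, f"issuer {issuer!r} is not a federated principal of this role"
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            prov, _, claim = key.rpartition(":")
            if prov != issuer or claims.get(claim) != expected:
                return False, f"condition {key!r}={expected!r} not satisfied"
        return True, "allowed"
    return False, "no matching Allow statement"
```

Run `evaluate(TRUST_POLICY, PROVIDER, SAMPLE_CLAIMS)` to see the happy path; changing `sub` or `iss` in the claims shows which check rejects the request.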