Re: How do I troubleshoot radosgw errors STS?

I will look into the bug that you submitted.

Thanks,
Pritha

On Thu, Mar 2, 2023 at 3:46 AM <mat@xxxxxxxxxx> wrote:

> Hello,
>
> I just submitted: https://tracker.ceph.com/issues/58890
>
> Here are more details about the configuration. Note that I've tried a URL
> with and without a trailing `/` slash like what appears in the ISS.
>
> STS OpenIDConnectProvider
>
> <pre>
> {
>   "ClientIDList": [
>     "radosgw"
>   ],
>   "CreateDate": "2023-03-01T04:05:45.930000+00:00",
>   "ThumbprintList": [
>     "16A1FBBEE0DC3F78C2013326B2EBA2B9F6D59575"
>   ],
>   "Url": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"
> }
> </pre>
>
> Role document with the ARN used in the AssumeRoleWithIdentity call. The
> token returns a "sub" claim with the value of "mathew.utter", e.g. me.
>
> <pre>
> {
>   "RoleId": "53186307-cc98-4904-b867-aa6c2fb10291",
>   "RoleName": "AssumeRoleWithWebIdentityForOIDC",
>   "Path": "/",
>   "Arn": "arn:aws:iam:::role/AssumeRoleWithWebIdentityForOIDC",
>   "CreateDate": "2023-03-01T04:05:46.417Z",
>   "MaxSessionDuration": 3600,
>   "AssumeRolePolicyDocument":
> "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c:sub\":\"mathew.utter\"}}}]}"
> }
> </pre>
>
> Policy attached to the role:
>
> <pre>
> {
>   "Permission policy":
> "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
> }
> </pre>
>
>
> There would be a role and policy created for each OIDC user, which is why
> I'm using the "sub" in the Role.
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
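The trust document quoted above, checked offline against a constructed token. This is an added example for readers of the thread; it is not code from the poster or from the Ceph project. The role's AssumeRolePolicyDocument is copied from the post; the token claims are constructed, and the way the example turns the token's `iss` into the provider identifier (scheme stripped, trailing slash dropped, empty account id) is an assumption about the mapping that should be confirmed against the radosgw release in use.

```python
"""Offline check of a radosgw STS trust policy against a web-identity token.

Added example for this thread; not code from the poster or from Ceph. The
issuer-URL -> provider-identifier mapping below (scheme stripped, trailing
slash dropped, empty account id) is this example's assumption.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Copied from the role document posted in the thread (unescaped).
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            "arn:aws:iam:::oidc-provider/login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"
        ]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {
            "login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c:sub": "mathew.utter"
        }},
    }],
})

# Constructed token claims (not a real token); `iss` carries the trailing
# slash the poster mentioned seeing in the token.
SAMPLE_CLAIMS = {
    "iss": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c/",
    "sub": "mathew.utter",
    "aud": "radosgw",
}

ACCOUNT_ID = ""  # assumption: no account id in the ARNs, as in the posted role


def provider_id(issuer_url: str) -> str:
    """'https://login.lab/a/b/' -> 'login.lab/a/b' (assumed mapping)."""
    parts = urlsplit(issuer_url)
    return parts.netloc + parts.path.rstrip("/")


def provider_arn(issuer_url: str, account: str = ACCOUNT_ID) -> str:
    """Provider ARN in the form the posted trust policy uses."""
    return f"arn:aws:iam::{account}:oidc-provider/{provider_id(issuer_url)}"


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def evaluate_trust(policy_json: str, claims: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); `reasons` lists every mismatch found so an
    AccessDenied from AssumeRoleWithWebIdentity can be traced to a field."""
    policy = json.loads(policy_json)
    issuer = claims.get("iss", "")
    reasons: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            reasons.append("statement does not grant sts:AssumeRoleWithWebIdentity")
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if provider_arn(issuer) not in federated:
            reasons.append(f"iss {issuer!r} maps to {provider_arn(issuer)!r}, "
                           f"not in Federated {federated}")
            continue
        ok = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                reasons.append(f"condition operator {operator!r} not modelled here")
                ok = False
                continue
            for key, expected in pairs.items():
                # Key is '<provider id>:<claim>'; the claim name has no colon,
                # so split on the last one (a port in the provider id survives).
                key_provider, _, claim = key.rpartition(":")
                actual = claims.get(claim)
                if key_provider != provider_id(issuer):
                    reasons.append(f"condition key provider {key_provider!r} != "
                                   f"token provider {provider_id(issuer)!r}")
                    ok = False
                elif actual not in _as_list(expected):
                    reasons.append(f"claim {claim!r}={actual!r} not in {_as_list(expected)}")
                    ok = False
        if ok:
            return True, reasons
    return False, reasons


if __name__ == "__main__":
    allowed, why = evaluate_trust(TRUST_POLICY, SAMPLE_CLAIMS)
    print("allowed" if allowed else "denied", why)
```

Run it with the claims from a decoded token in place of SAMPLE_CLAIMS. If it reports allowed and radosgw still refuses the call, the mismatch lies outside the trust document (token signature, the provider ThumbprintList, or the audience versus ClientIDList), none of which this check models.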