Hi,

We are using STS tokens to grant temporary access for users. I was running ceph version 15.2.16 and this method worked as expected until the cluster was upgraded to 17.2.6. Using boto3 I am able to assume the correct role, but when trying to use the temporary credentials a forbidden error is reported. This was working before the upgrade. I have also tested on a 15.2.17 cluster and experience the same issue.

I have pasted the created role, and boto3 code I am using as well as the error I am running into. Any insight on this issue would be greatly appreciated.

Error:

botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

Role:

{
    "RoleId": "499eba48-8431-48f7-9aca-76000b9c01cc",
    "RoleName": "DefaultNoS3Access",
    "Path": "/",
    "Arn": "arn:aws:iam:::role/DefaultNoS3Access",
    "CreateDate": "2023-05-11T12:04:44.367Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/user\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
},

Boto3 Code:

import json

import boto3

# sts_client and role_arn are created earlier in the script (not shown in the post)
response = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName="test",
    # Inline session policy attached to the temporary credentials
    Policy=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject",
                        "s3:PutObjectAcl",
                        "s3:PutObject",
                        "s3:ListBucket"
                    ],
                    "Resource": [
                        "arn:aws:s3:::bucket1/*",
                        "arn:aws:s3:::bucket2/*"
                    ]
                }
            ]
        },
        separators=(',', ':')
    )
)

credentials = response['Credentials']

# S3 client that signs requests with the temporary credentials
s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
    endpoint_url="http://IP:8080",
    region_name=""
)

bucket_name = 'bucket1'
file_key = 'test.txt'
local_file_path = '/'

s3_client.download_file(bucket_name, file_key, local_file_path)

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
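
An added example, not part of the original post and not Ceph's code: AWS IAM documents a session policy passed to AssumeRole as a filter on the role's own permission policy, so a request is allowed only when both policies allow it. The sketch below evaluates the post's session policy against two constructed role permission policies; whether the upgraded RGW applies the same intersection rule, and what permission policy the role actually has, are assumptions, since the post shows only the trust policy.

```python
import fnmatch

# Session policy copied from the post above.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObjectAcl", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"],
}]}

# Constructed: the post shows only the trust policy, so both role permission
# policies here are assumptions used to compare outcomes.
ROLE_POLICY_NONE = {"Version": "2012-10-17", "Statement": []}
ROLE_POLICY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
]}

def _matches(patterns, value):
    """IAM-style '*' / '?' wildcard match (case-sensitive simplification)."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def policy_decision(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit-deny' for a single policy document."""
    decision = "implicit-deny"
    for stmt in policy.get("Statement", []):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision

def session_allows(role_policy, session_policy, action, resource):
    """A session policy can only narrow the role: both documents must allow."""
    return (policy_decision(role_policy, action, resource) == "allow"
            and policy_decision(session_policy, action, resource) == "allow")

if __name__ == "__main__":
    # HeadObject is authorized by s3:GetObject on the object ARN.
    obj = "arn:aws:s3:::bucket1/test.txt"
    for name, role in (("no role policy", ROLE_POLICY_NONE), ("s3:* role policy", ROLE_POLICY_S3)):
        print(name, "->", session_allows(role, SESSION_POLICY, "s3:GetObject", obj))
    # s3:ListBucket is checked against the bucket ARN, which "bucket1/*" does not match.
    print("ListBucket ->", session_allows(ROLE_POLICY_S3, SESSION_POLICY,
                                          "s3:ListBucket", "arn:aws:s3:::bucket1"))
```

Under these assumptions, a role with no permission policy yields a denied HeadObject regardless of what the session policy grants, which is worth ruling out by checking the role's attached permission policies on the upgraded cluster.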