Hi Pritha,

I have added the bucket to the resource, but I am still running into the same Forbidden response.

Thanks,
Austin

-----Original Message-----
From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
Sent: June 14, 2023 4:59 AM
To: Austin Axworthy <aaxworthy@xxxxxxxxxxxx>
Cc: ceph-users@xxxxxxx
Subject: Re: RGW STS Token Forbidden error since upgrading to Quincy 17.2.6

Hi Austin,

Can you try by adding the bucket arn to the Resource section of the policy, like the following:

"Resource": [
    "arn:aws:s3:::bucket1",
    "arn:aws:s3:::bucket1/*",
    "arn:aws:s3:::bucket2/*"
]

Thanks,
Pritha

On Tue, Jun 13, 2023 at 6:02 PM Austin Axworthy <aaxworthy@xxxxxxxxxxxx> wrote:
> Hi,
>
> We are using STS tokens to grant temporary access for users. I was running ceph version 15.2.16 and this method worked as expected until the cluster was upgraded to 17.2.6.
>
> Using boto3 I am able to assume the correct role, but when trying to use the temporary credentials a forbidden error is reported. This was working before the upgrade. I have also tested on a 15.2.17 cluster and experience the same issue.
>
> I have pasted the created role, and boto3 code I am using as well as the error I am running into. Any insight on this issue would be greatly appreciated.
>
> Error: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
>
> Role:
>
> {
>     "RoleId": "499eba48-8431-48f7-9aca-76000b9c01cc",
>     "RoleName": "DefaultNoS3Access",
>     "Path": "/",
>     "Arn": "arn:aws:iam:::role/DefaultNoS3Access",
>     "CreateDate": "2023-05-11T12:04:44.367Z",
>     "MaxSessionDuration": 3600,
>     "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/user\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> },
>
> Boto3 Code:
>
> import boto3
> import json
>
> # sts_client and role_arn are set up earlier (not shown in the post)
> response = sts_client.assume_role(
>     RoleArn=role_arn,
>     RoleSessionName="test",
>     Policy=json.dumps(
>         {
>             "Version": "2012-10-17",
>             "Statement": [
>                 {
>                     "Effect": "Allow",
>                     "Action": [
>                         "s3:GetObject",
>                         "s3:PutObjectAcl",
>                         "s3:PutObject",
>                         "s3:ListBucket"
>                     ],
>                     "Resource": [
>                         "arn:aws:s3:::bucket1/*",
>                         "arn:aws:s3:::bucket2/*"
>                     ]
>                 }
>             ]
>         }, separators=(',', ':')
>     )
> )
>
> credentials = response['Credentials']
>
> s3_client = boto3.client(
>     's3',
>     aws_access_key_id=credentials['AccessKeyId'],
>     aws_secret_access_key=credentials['SecretAccessKey'],
>     aws_session_token=credentials['SessionToken'],
>     endpoint_url="http://IP:8080",
>     region_name=""
> )
>
> bucket_name = 'bucket1'
> file_key = 'test.txt'
> local_file_path = '/'
>
> s3_client.download_file(bucket_name, file_key, local_file_path)
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
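A worked check of the policies discussed in this thread, added here as an example; it is not code from the thread, from Ceph or from boto3. It evaluates an S3 call offline the way AWS IAM evaluates an assumed-role session: the session policy passed to AssumeRole can only narrow what the role's own permission policy grants, so both must allow the call; bucket-level actions such as s3:ListBucket are matched against the bucket ARN, object-level actions such as s3:GetObject against the object ARN; an explicit Deny beats any Allow. The thread does not show the permission policy attached to the role, so ROLE_POLICY below is an assumption, and that RGW applies exactly these rules is likewise an assumption the checker lets you compare against the server's answer. SESSION_BEFORE is the session policy from the original post and SESSION_AFTER the same policy with the bucket ARN added as suggested in the reply.

```python
"""Offline evaluator for an STS session policy (constructed example, not Ceph code).

Assumes AWS IAM semantics: call allowed only if the role permission policy AND the
session policy allow it; explicit Deny wins; '*' and '?' are the only wildcards.
"""
import json
import re

# boto3 reports the API call name in its error ("HeadObject"); map each call to the
# IAM action it needs and to whether the policy is checked against the bucket ARN
# or the object ARN.
S3_OPERATIONS = {
    "HeadObject":    ("s3:GetObject",    "object"),
    "GetObject":     ("s3:GetObject",    "object"),
    "PutObject":     ("s3:PutObject",    "object"),
    "PutObjectAcl":  ("s3:PutObjectAcl", "object"),
    "ListObjectsV2": ("s3:ListBucket",   "bucket"),
    "HeadBucket":    ("s3:ListBucket",   "bucket"),
}


def s3_arn(bucket, key=None):
    """Bucket ARN when key is None, object ARN otherwise."""
    return f"arn:aws:s3:::{bucket}" if key is None else f"arn:aws:s3:::{bucket}/{key}"


def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters (slashes included), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource) pair."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
        if not any(_iam_match(a, action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_call(role_policy, session_policy, operation, bucket, key=None):
    """True when assumed-role credentials may perform `operation`; the session
    policy may be the JSON string handed to AssumeRole."""
    if isinstance(session_policy, str):
        session_policy = json.loads(session_policy)
    action, level = S3_OPERATIONS[operation]
    resource = s3_arn(bucket) if level == "bucket" else s3_arn(bucket, key)
    return all(evaluate(p, action, resource) == "Allow" for p in (role_policy, session_policy))


# Assumed permission policy attached to the role (not shown in the thread):
# everything on bucket1, nothing on bucket2.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"]}],
}

_ACTIONS = ["s3:GetObject", "s3:PutObjectAcl", "s3:PutObject", "s3:ListBucket"]

# Session policy from the original post: object ARNs only.
SESSION_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": _ACTIONS,
    "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]}]}, separators=(",", ":"))

# Same policy with the bucket ARN added, as suggested in the reply.
SESSION_AFTER = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": _ACTIONS,
    "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]}]},
    separators=(",", ":"))


if __name__ == "__main__":
    for name, policy in (("before", SESSION_BEFORE), ("after", SESSION_AFTER)):
        print(name, "HeadObject bucket1/test.txt:", check_call(ROLE_POLICY, policy, "HeadObject", "bucket1", "test.txt"))
        print(name, "ListObjectsV2 bucket1:      ", check_call(ROLE_POLICY, policy, "ListObjectsV2", "bucket1"))
        print(name, "GetObject bucket2/x:        ", check_call(ROLE_POLICY, policy, "GetObject", "bucket2", "x"))
```

Two things the run makes visible. First, the object-only Resource list never grants s3:ListBucket on bucket1, because `arn:aws:s3:::bucket1/*` does not match the bucket ARN `arn:aws:s3:::bucket1`; that is what the bucket ARN in the reply fixes, and it only fixes it for bucket1, since bucket2's ARN was not added. Second, under these rules the original session policy does grant s3:GetObject on bucket1/test.txt, which is the action behind the HeadObject that `download_file` issues first, so a 403 on that call is not explained by the session policy text alone: the permission policy attached to the role on the RGW side (`radosgw-admin role-policy list` / `role-policy get`) is the next thing to compare, because the session policy cannot grant anything that policy does not.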