Hi Austin,

Do you have rgw debug logs that can help debug this? Can you provide more information, as to which user is trying to assume the role - which tenants the user and role belong to? Can you please open a tracker issue with all this information?

Thanks,
Pritha

On Wed, Jun 14, 2023 at 6:14 PM Austin Axworthy <aaxworthy@xxxxxxxxxxxx> wrote:
> Hi Pritha,
>
> I have added the bucket to the resource, but I am still running into the same Forbidden response.
>
> Thanks,
> Austin
>
> -----Original Message-----
> From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
> Sent: June 14, 2023 4:59 AM
> To: Austin Axworthy <aaxworthy@xxxxxxxxxxxx>
> Cc: ceph-users@xxxxxxx
> Subject: Re: RGW STS Token Forbidden error since upgrading to Quincy 17.2.6
>
> Hi Austin,
>
> Can you try by adding the bucket arn to the Resource section of the policy, like the following:
>
>     "Resource": [
>         "arn:aws:s3:::bucket1",
>         "arn:aws:s3:::bucket1/*",
>         "arn:aws:s3:::bucket2/*"
>     ]
>
> Thanks,
> Pritha
>
> On Tue, Jun 13, 2023 at 6:02 PM Austin Axworthy <aaxworthy@xxxxxxxxxxxx> wrote:
> > Hi,
> >
> > We are using STS tokens to grant temporary access for users. I was running ceph version 15.2.16 and this method worked as expected until the cluster was upgraded to 17.2.6.
> >
> > Using boto3 I am able to assume the correct role, but when trying to use the temporary credentials a forbidden error is reported. This was working before the upgrade. I have also tested on a 15.2.17 cluster and experience the same issue.
> >
> > I have pasted the created role, and boto3 code I am using as well as the error I am running into. Any insight on this issue would be greatly appreciated.
> >
> > Error: botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
> >
> > Role:
> >
> >     {
> >         "RoleId": "499eba48-8431-48f7-9aca-76000b9c01cc",
> >         "RoleName": "DefaultNoS3Access",
> >         "Path": "/",
> >         "Arn": "arn:aws:iam:::role/DefaultNoS3Access",
> >         "CreateDate": "2023-05-11T12:04:44.367Z",
> >         "MaxSessionDuration": 3600,
> >         "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/user\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> >     },
> >
> > Boto3 Code:
> >
> >     import json
> >
> >     import boto3
> >
> >     # sts_client and role_arn are set up earlier in the script (not shown here)
> >     response = sts_client.assume_role(
> >         RoleArn=role_arn,
> >         RoleSessionName="test",
> >         # Session policy: may only narrow what the role itself permits
> >         Policy=json.dumps(
> >             {
> >                 "Version": "2012-10-17",
> >                 "Statement": [
> >                     {
> >                         "Effect": "Allow",
> >                         "Action": [
> >                             "s3:GetObject",
> >                             "s3:PutObjectAcl",
> >                             "s3:PutObject",
> >                             "s3:ListBucket"
> >                         ],
> >                         "Resource": [
> >                             "arn:aws:s3:::bucket1/*",
> >                             "arn:aws:s3:::bucket2/*"
> >                         ]
> >                     }
> >                 ]
> >             }, separators=(',', ':')
> >         )
> >     )
> >
> >     credentials = response['Credentials']
> >
> >     # Use the temporary credentials (including the session token) against RGW
> >     s3_client = boto3.client(
> >         's3',
> >         aws_access_key_id=credentials['AccessKeyId'],
> >         aws_secret_access_key=credentials['SecretAccessKey'],
> >         aws_session_token=credentials['SessionToken'],
> >         endpoint_url="http://IP:8080",
> >         region_name=""
> >     )
> >
> >     bucket_name = 'bucket1'
> >     file_key = 'test.txt'
> >     local_file_path = '/'
> >
> >     # download_file() issues HeadObject first, which is where the 403 is raised
> >     s3_client.download_file(bucket_name, file_key, local_file_path)
> >
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
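As an added example (not code from the thread), a small Python check of how the session policy's Resource list matches the ARNs that the calls in Austin's script actually target, comparing his original policy with the variant Pritha suggested. The evaluator is a deliberately simplified IAM-style model (Allow/Deny plus wildcard matching; no Conditions, NotAction or principals) and is not RGW's own policy code; the policy documents and the object key test.txt are taken from the thread.

```python
import fnmatch
import json

# Constructed from the thread: Austin's session policy (object ARNs only) and
# the variant Pritha suggested, which adds the bare bucket ARN for bucket1.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObjectAcl", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"],
    }],
}
SESSION_POLICY_WITH_BUCKET_ARN = json.loads(json.dumps(SESSION_POLICY))
SESSION_POLICY_WITH_BUCKET_ARN["Statement"][0]["Resource"].insert(0, "arn:aws:s3:::bucket1")

def s3_arn(bucket, key=None):
    """Bucket-level operations (ListBucket) target the bucket ARN; object
    operations (GetObject, which HeadObject also needs) target the object ARN."""
    return f"arn:aws:s3:::{bucket}" if key is None else f"arn:aws:s3:::{bucket}/{key}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, arn):
    """Simplified IAM-style evaluation: an explicit Deny wins, otherwise the
    request is allowed if any statement's Action and Resource patterns match.
    Conditions, NotAction/NotResource and principals are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def check_thread_calls(policy):
    """Which of the calls behind Austin's script does this session policy match?
    download_file() issues HeadObject (needs s3:GetObject) on the object ARN."""
    return {
        "HeadObject bucket1/test.txt": is_allowed(policy, "s3:GetObject", s3_arn("bucket1", "test.txt")),
        "ListBucket bucket1": is_allowed(policy, "s3:ListBucket", s3_arn("bucket1")),
    }
```

Note that the original policy already matches the HeadObject on bucket1/test.txt that failed, so the Resource list alone does not explain the 403; the bucket ARN only matters for ListBucket. A session policy passed to assume_role can only narrow what the role's own permission policy grants, and that policy is not shown in the thread.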