How to use STS Lite correctly?

Hi, I have a Ceph cluster, v16.2.10.
To use STS Lite, my configuration is as follows:

ceph.conf
...
[client.rgw.ss-rgw-01]
host = ss-rgw-01
rgw_frontends = beast port=8080
rgw_zone=backup-hapu
admin_socket = /var/run/ceph/ceph-client.rgw.ss-rgw-01
rgw_sts_key = qekd3Rd5zXr0adQx
rgw_s3_auth_use_sts = true

$ radosgw-admin role list
    {
        "RoleId": "778865a0-bc7b-49d4-aed5-a952ac9d5593",
        "RoleName": "backup-sts",
        "Path": "/",
        "Arn": "arn:aws:iam:::role/backup-sts",
        "CreateDate": "2022-01-04T10:17:32.373Z",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/backup-service\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
    },

$ radosgw-admin role policy get --role-name backup-sts --policy-name AllowAccessAllBucket
{
    "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::*/*\"}]}"
}

Then I use the credentials of the backup-service user to assume the role:

import boto3

# Long-lived credentials of the backup-service user and the RGW endpoint
# (placeholders; the real values are not shown here)
access_key = "<backup-service access key>"
secret_key = "<backup-service secret key>"
endpoint_url = "<RGW endpoint URL>"

# STS client authenticated as the backup-service user
sts_client = boto3.client('sts',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url=endpoint_url,
    region_name='backup')

# Assume the backup-sts role for one hour
response = sts_client.assume_role(
    RoleArn='arn:aws:iam:::role/backup-sts',
    RoleSessionName='Alice2',
    DurationSeconds=3600)

# S3 client using the temporary credentials returned by AssumeRole
s3client = boto3.client('s3',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken'],
    endpoint_url=endpoint_url,
    region_name='backup')

response = s3client.list_buckets()

And the result is AccessDenied, but I can't figure out what I was missing:
Traceback (most recent call last):
  File "fff.py", line 52, in <module>
    response = s3client.list_buckets()
  File "/home/huynnp/.local/lib/python3.8/site-packages/botocore/client.py", line 535, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/huynnp/.local/lib/python3.8/site-packages/botocore/client.py", line 980, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: Unknown

Is my configuration or code wrong?
Thanks in advance
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
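As an added example (not from the post above or from the Ceph project), a small offline evaluator that applies IAM wildcard semantics to the role's permission policy quoted in the post. The ARNs checked are assumptions: ListBuckets is evaluated against an account-level ARN with no bucket or key (as in AWS; RGW may also fill in the tenant field), while an object operation is evaluated against a bucket/key ARN. Note that `*` also matches `/`, but the pattern `arn:aws:s3:::*/*` requires a slash, so it reaches objects only.

```python
import json
import re

# Permission policy exactly as printed by `radosgw-admin role policy get`
# in the post (constructed copy, decoded from the quoted JSON string).
ROLE_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["s3:*"],"Resource":"arn:aws:s3:::*/*"}]}'
)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def iam_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters (including
    '/'), '?' matches exactly one character, everything else is literal."""
    regex = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair.
    Only Action/Resource statements are handled (no NotAction/NotResource,
    no Condition). Explicit Deny wins; no matching statement is an implicit
    deny. Action names compare case-insensitively, resource ARNs do not."""
    decision = 'ImplicitDeny'
    for stmt in policy['Statement']:
        actions = _as_list(stmt.get('Action', []))
        resources = _as_list(stmt.get('Resource', []))
        if not any(iam_match(a.lower(), action.lower()) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt['Effect'] == 'Deny':
            return 'Deny'
        decision = 'Allow'
    return decision

# Assumed ARNs: account-level for ListBuckets, bucket/key for an object call.
LIST_BUCKETS_ARN = 'arn:aws:s3:::*'
OBJECT_ARN = 'arn:aws:s3:::backups/2022/db.tar'   # constructed sample

def check_role_policy(policy=ROLE_POLICY):
    """Decision for the two calls under the given policy document."""
    return {
        's3:ListAllMyBuckets': evaluate(policy, 's3:ListAllMyBuckets', LIST_BUCKETS_ARN),
        's3:GetObject': evaluate(policy, 's3:GetObject', OBJECT_ARN),
    }

if __name__ == '__main__':
    print(check_role_policy())
```

Passing a policy whose Resource list also contains `arn:aws:s3:::*` to `check_role_policy` lets you compare the two scopes side by side.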


