Hi Pritha and thanks for your reply. We are using Ceph Octopus and we have 
switched to Keycloak from dexIdP.

Having said that we have followed the guide from 
https://docs.ceph.com/en/octopus/radosgw/STS/ but we are constantly having an 
issue with the AssumeRoleWithWebIdentity example.

We are using 2 different accounts for role creation and policy creation, and 
those 2 parts of the example script are working fine, but when we move over to 
the assume_role_with_web_identity part we get a forbidden error from Ceph.

We have used cephadm to install Ceph which is at:
# ceph --version
ceph version 15.2.5 (2c93eff00150f0cc5f106a559557a58d3d7b6f1f) octopus (stable)

We used the following command to add the role capabilities for both users:
radosgw-admin caps add --uid="TESTER" --caps="roles=*"
radosgw-admin caps add --uid="TESTER1" --caps="roles=*"

We have set the capabilities for the 2 users mentioned above as shown here:
buckets (*)
metadata (*)
roles (*)
usage (*)
user-policy (*)
users (*)
zone (*) 

---

Can you please confirm that the key values actually have spaces in them, or are 
they missing an underscore?
[client.radosgw.gateway]
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true

---

We are also getting a "NameError: name 'client' is not defined" error from the 
AssumeRoleWithWebIdentity example, in the part shown below. Shouldn't it be 
"sts_client.assume_role_with_web_identity" instead of 
"client.assume_role_with_web_identity", since the client is defined as sts_client in 
the code above it?

sts_client = boto3.client('sts',
                          aws_access_key_id=<access_key of TESTER1>,
                          aws_secret_access_key=<secret_key of TESTER1>,
                          endpoint_url=<STS URL>,
                          region_name='',
                          )

response = client.assume_role_with_web_identity(
    RoleArn=role_response['Role']['Arn'],
    RoleSessionName='Bob',
    DurationSeconds=3600,
    WebIdentityToken=<Web Token>
)

Can you or anyone give us some pointers to this issue please?
ceph-users mailing list -- ceph-users@ceph.io
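A stand-alone check, added here and not part of the original message or the Ceph project, that compares the claims in a web identity token with a role trust policy of the shape used in the linked Octopus STS guide; it is one thing to rule out locally when AssumeRoleWithWebIdentity comes back forbidden. It assumes, as the guide shows, that the Federated principal is the token issuer without its URL scheme and that the "<issuer>:app_id" StringEquals condition is matched against the token's aud claim; the hostname, realm and client id below are constructed placeholders.

```python
import base64
import json

# Constructed sample trust policy in the shape of the Octopus STS guide
# (placeholder host, realm and client id; not values from any real deployment).
ISSUER_HOST = "keycloak.example:8080/auth/realms/quickstart"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{ISSUER_HOST}"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {f"{ISSUER_HOST}:app_id": "app-profile-jsp"}},
    }],
})


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature, only to feed the checker offline."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.
    Signature validation is RGW's job; this is local inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_mismatches(policy_document: str, claims: dict) -> list:
    """Return the reasons these claims would not satisfy the trust policy (empty if fine)."""
    issuer = claims.get("iss", "")
    provider = issuer.split("://", 1)[-1]  # provider ARN carries the issuer without scheme
    aud = claims.get("aud", [])
    audiences = set(aud if isinstance(aud, list) else [aud])  # Keycloak may emit a list
    problems = []
    for stmt in json.loads(policy_document)["Statement"]:
        if "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", []):
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        if f"arn:aws:iam:::oidc-provider/{provider}" not in federated:
            problems.append(f"issuer {issuer!r} is not a Federated principal of the role")
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":app_id") and value not in audiences:
                problems.append(f"condition {key}={value!r} not in token aud {sorted(audiences)}")
    return problems
```

Run it on the token Keycloak actually issued (decode_jwt_claims on the WebIdentityToken string) and on the policy_document you passed to create_role; an empty list means the issuer and audience at least line up with the trust policy.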