Hi Simone,

There is a step that I see missing here - have you created a role? For
creating a role, you need to attach 'roles' caps to the user that you
created.
Also, what tool have you used to make the AssumeRoleWithWebIdentity call?
An example using boto3 is outlined in the documentation here:
https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in
Pacific the trust policy supports only app_id in the Condition element:

From the documentation:

'The app_id in the condition above must match the ‘aud’ claim of the
incoming token.'

Thanks,
Pritha

On Wed, Mar 16, 2022 at 3:05 PM <simone.becc...@staff.aruba.it> wrote:

> Hi all,
>
> I'm trying to set up Keycloak as OpenID Connect Provider for Rados Gateway
> without success (I'm using Ceph version pacific).
>
> Following the documentation I made these steps:
>
> 1) Added to /etc/ceph/ceph.conf the following options:
>
> [client]
> rgw sts key = 1234abcd5678efgh
> rgw s3 auth use sts = true
>
> 2) Created a user on radosgw with caps:
>
> radosgw-admin --uid MYUSER --display-name "MyUser" --access_key MYUSER
> --secret test123 user create
> radosgw-admin caps add --uid=" MYUSER" --caps="oidc-provider=*"
>
> 3) Added an OpenID Connect Provider from aws s3 libs:
>
> aws --profile=ceph-lab --endpoint=http://X.X.X.X:423 iam
> create-open-id-connect-provider --url
> https://mykeycloak.org.com/auth/realms/myrealm --thumbprint-list
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> 4) Added this trust policy named "S3Access":
>
> {
>   "Version": "2012-10-17",
>   "Statement": [
>     {
>       "Effect": "Allow",
>       "Principal": {"Federated": "arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},
>       "Action": "sts:AssumeRoleWithWebIdentity",
>       "Condition": {
>         "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:clientId": "radosgw"}
>       }
>     }
>   ]
> }
>
> 5) Attached this role policy to the previous one:
>
> {
>   "Version": "2012-10-17",
>   "Statement": {
>     "Effect": "Allow",
>     "Action": "s3:*",
>     "Resource": "*"
>   }
> }
>
> 6) I retrieve a web token from Keycloak and pass it in this request to
> Radosgw:
>
> GET /?Action=AssumeRoleWithWebIdentity
> &DurationSeconds=3600
> &RoleArn=arn:aws:iam:::role/S3Access
> &WebIdentityToken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> 7) I got this reply, but I expected to have a new set of temporary
> credentials:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
>   <Owner>
>     <ID>$oidc$ccbfcd2c-2f00-49fc-8524-df3a8d81e03d</ID>
>     <DisplayName></DisplayName>
>   </Owner>
>   <Buckets></Buckets>
> </ListAllMyBucketsResult>
>
> Surely I'm missing something, but reading Ceph docs, AWS docs and a lot of
> articles I did not find any solution. Could someone help me find the
> issue?
>
> Kind regards
>
> Simone
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
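The setup Pritha describes, as an added example that is not code from this thread, the Ceph documentation or the Ceph project: the role is created through the IAM API with a trust policy whose Condition key is `<issuer>:app_id` (the only condition Pacific evaluates, matched against the token's `aud` claim), the permission policy is attached with `put_role_policy`, and the token is checked offline for the right `aud` before it is sent to `AssumeRoleWithWebIdentity` via boto3. The user that creates the role needs `roles` caps (`radosgw-admin caps add --uid=MYUSER --caps="roles=*"`). The user name, secret, realm URL, role name and app_id are the ones from the thread; the RGW endpoint, the session name and the two sample tokens are constructed placeholders. Only the live path at the bottom needs boto3 and a reachable RGW; the policy builders and the `aud` check run offline.

```python
"""Added example (not from the thread or the Ceph project): build the RGW STS
role objects the Pacific docs describe and check a Keycloak token's 'aud'
claim offline before calling AssumeRoleWithWebIdentity.

Values from the thread: MYUSER/test123, S3Access, the realm URL and the
app_id "radosgw". The RGW endpoint, session name and sample tokens are
constructed placeholders.
"""
import base64
import json
import sys

# The issuer is the realm URL without its scheme: that is how RGW names the
# provider in the ARN and in the Condition key.
ISSUER = "mykeycloak.org.com/auth/realms/myrealm"
APP_ID = "radosgw"                   # must equal the token's 'aud' claim
ROLE_NAME = "S3Access"
RGW_ENDPOINT = "http://X.X.X.X:423"  # placeholder, as in the thread


def trust_policy(issuer: str, app_id: str) -> dict:
    """Trust policy in the shape Pacific evaluates: a StringEquals condition
    on '<issuer>:app_id', compared with the token's 'aud' claim."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{issuer}"]},
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Condition": {"StringEquals": {f"{issuer}:app_id": app_id}},
        }],
    }


def role_policy(resource: str = "*") -> dict:
    """Permission policy attached to the role (s3:* on everything, as in the
    thread; narrow 'resource' to a bucket ARN outside a lab)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": resource}],
    }


def jwt_claims(token: str) -> dict:
    """Decode a JWS compact token's payload WITHOUT verifying the signature.
    Only for inspecting claims locally; RGW verifies the signature against
    the provider's certificate when the token reaches STS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def aud_matches(token: str, app_id: str) -> bool:
    """True if app_id is among the token's 'aud' values (string or list).
    A Keycloak token whose 'aud' is only 'account' will not satisfy the
    trust policy above."""
    aud = jwt_claims(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return app_id in aud


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline checks (alg 'none', dummy signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed tokens: one carrying the app_id, one with Keycloak's default 'account' audience.
SUB = "ccbfcd2c-2f00-49fc-8524-df3a8d81e03d"   # the $oidc$ ID seen in the thread
SAMPLE_TOKEN_OK = make_unsigned_jwt({"iss": f"https://{ISSUER}", "aud": ["account", APP_ID], "sub": SUB})
SAMPLE_TOKEN_BAD = make_unsigned_jwt({"iss": f"https://{ISSUER}", "aud": "account", "sub": SUB})


def setup_role(iam) -> None:
    """Create the role and attach its permission policy via the IAM API on RGW.
    The calling user needs: radosgw-admin caps add --uid=MYUSER --caps="roles=*" """
    iam.create_role(RoleName=ROLE_NAME,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(ISSUER, APP_ID)))
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="Policy1",
                        PolicyDocument=json.dumps(role_policy()))


def assume_role(sts, token: str) -> dict:
    """Exchange the Keycloak token for temporary S3 credentials."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=f"arn:aws:iam:::role/{ROLE_NAME}",
        RoleSessionName="keycloak-session",   # assumed name
        DurationSeconds=3600,
        WebIdentityToken=token)
    return resp["Credentials"]


if __name__ == "__main__":
    import boto3  # only the live path needs it; everything above runs offline
    if len(sys.argv) != 2:
        sys.exit("usage: rgw_sts_example.py <keycloak-access-token>")
    token = sys.argv[1]
    if not aud_matches(token, APP_ID):
        sys.exit(f"token 'aud' {jwt_claims(token).get('aud')!r} does not contain app_id {APP_ID!r}")
    admin = dict(aws_access_key_id="MYUSER", aws_secret_access_key="test123",
                 endpoint_url=RGW_ENDPOINT, region_name="default")
    setup_role(boto3.client("iam", **admin))
    creds = assume_role(boto3.client("sts", **admin), token)
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"],
                      endpoint_url=RGW_ENDPOINT, region_name="default")
    print([b["Name"] for b in s3.list_buckets().get("Buckets", [])])
```

Run it with a fresh Keycloak access token as the only argument; if the script stops at the `aud` check, add the app_id as an audience in the Keycloak client (an audience mapper) rather than changing the trust policy, since the policy value is what RGW compares the token against.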