Hi,
What version of ceph are you using? Can you share the trust policy that is
attached to the role being assumed?
Thanks,
Pritha
On Wed, Mar 1, 2023 at 9:07 PM <mat(a)hazmat.dev> wrote:
I've set up RadosGW with STS on top of my ceph cluster. It works great and
fine but I'm also trying to set up authentication with an OpenIDConnect
provider. I'm having a hard time troubleshooting issues because the radosgw
log file doesn't have much information in it. For example when I try to use
the `sts:AssumeRoleWithWebIdentity` API it fails with
`{'Code': 'AccessDenied', ...}` and all I see is the beast log showing an HTTP 403.
Is there a way to enable more verbose logging so I can see what is failing
and why I'm getting certain errors with STS, S3, or IAM APIs?
My ceph.conf looks like this for each node (mildly redacted):
```
[client.radosgw.pve4]
host = pve4
keyring = /etc/pve/priv/ceph.client.radosgw.keyring
log file = /var/log/ceph/client.radosgw.$host.log
rgw_dns_name = s3.lab
rgw_frontends = beast endpoint=0.0.0.0:7480 ssl_endpoint=0.0.0.0:443 ssl_certificate=/etc/pve/priv/ceph/s3.lab.crt ssl_private_key=/etc/pve/priv/ceph/s3.lab.key
rgw_sts_key = 1111111111111111
rgw_s3_auth_use_sts = true
rgw_enable_apis = s3, s3website, admin, sts, iam
```
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io