Hi all
I'm working on the following scenario
User is authenticated with OIDC and tries to access a bucket which it does
not own.
How to specify user ID etc. to give access to such a user?
By trial and error I found out that principal can be specified as
"Principal":
{"Federated":["arn:aws:sts:::assumed-role/MySession"]},
but I want to use shadow user ID or something similar as the principal
Docs
https://docs.ceph.com/en/latest/radosgw/STS/
states:
'A shadow user is created corresponding to every federated user. The user
id is derived from the ‘sub’ field of the incoming web token. The user is
created in a separate namespace - ‘oidc’ such that the user id doesn’t
clash with any other user ids in rgw. The format of the user id is -
<tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for
users
that authenticate with oidc providers.'
I see a shadow user in Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b
but I cannot work out the syntax of a user id, I was expecting something
like
"arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
but when trying to list content of a bucket I get AccessDenied.
If bucket policy has Principal "*" then my authenticated user can access the
bucket.
Is this possible?
Regards
Daniel
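Added illustration, not code from the post or from the Ceph project: a small Python helper that splits a shadow user id into the <tenant>$<namespace>$<sub> parts quoted from the docs above, builds a read-only bucket policy that names only the Federated session ARN the post found working (no wildcard), and flags any Allow statement whose Principal is "*", since that form matches every principal rather than the one federated user. The bucket name is an assumed placeholder; applying the document (e.g. via put_bucket_policy) is left out.

```python
import re

# Constructed values: the session ARN is the one the post reports as working;
# the bucket name is an assumed placeholder.
FEDERATED_SESSION_ARN = "arn:aws:sts:::assumed-role/MySession"
BUCKET = "example-bucket"

# <tenant>$<user-namespace>$<sub>, with an empty tenant allowed ("$oidc$<sub>").
SHADOW_UID_RE = re.compile(r"^(?P<tenant>[^$]*)\$(?P<ns>[^$]+)\$(?P<sub>.+)$")


def parse_shadow_uid(uid: str) -> dict:
    """Split an RGW shadow user id into tenant, namespace and sub."""
    m = SHADOW_UID_RE.match(uid)
    if not m:
        raise ValueError(f"not a shadow user id: {uid!r}")
    return m.groupdict()


def build_bucket_policy(bucket: str, principal_arns: list) -> dict:
    """Least-privilege read policy: list the bucket and get objects, for the
    named Federated principals only."""
    principal = {"Federated": list(principal_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Principal": principal,
             "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def wildcard_principal_statements(policy: dict) -> list:
    """Indexes of Allow statements whose Principal is "*" or {"AWS": "*"}:
    such statements grant access to every principal, not just the intended user."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        values = [p] if isinstance(p, str) else []
        if isinstance(p, dict):
            for v in p.values():
                values.extend(v if isinstance(v, list) else [v])
        if "*" in values:
            hits.append(i)
    return hits
```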