[ceph-users] Using ID of a federated user in a bucket policy in RGW

Hi all I'm working on the following scenario User is authenticated with OIDC and tries to access a bucket which it does not own. How to specify user ID etc. to give access to such a user? By trial and error I found out that principal can be specified as "Principal": {"Federated":["arn:aws:sts:::assumed-role/MySession"]}, but I want to use shadow user ID or something similar as the principal Docs https://docs.ceph.com/en/latest/radosgw/STS/ states: 'A shadow user is created corresponding to every federated user. The user id is derived from the ‘sub’ field of the incoming web token. The user is created in a separate namespace - ‘oidc’ such that the user id doesn’t clash with any other user ids in rgw. The format of the user id is - <tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for users that authenticate with oidc providers.' I see a shadow user in Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b but I cannot work out the syntax of a user id, I was expecting something like "arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b" but when trying to list content of a bucket I get AccessDenied. If bucket policy has Principal "*" the my authenticated user can access the bucket Is this possible? Regards Daniel