Hi
I'm currently having a bit of an issue with setting up end-user authentication and I
would be thankful for any tips I could get.
The general scenario is like this: end users are authorised through a web app and a mobile app
via Keycloak. Users have to be able to upload and download data using the web interface and
the mobile app. In order to do that I need to get AssumeRoleWithWebIdentity working.
I followed the steps outlined in
https://docs.ceph.com/en/latest/radosgw/STS/. Following
that guide I was able to get the AssumeRole example to work, but not
AssumeRoleWithWebIdentity.
This is the behaviour I'm getting (logged in to aws-cli as TESTER):
Username TESTER
Full name TestUser
Suspended No
System No
Maximum buckets 1000
Capabilities
oidc-provider (*)
roles (*)
$ aws --endpoint=http://10.10.xx.xx iam list-roles
{
    "Roles": [
        {
            "Path": "/",
            "RoleName": "S3Access",
            "RoleId": "d1b84ec1-cceb-4c32-a605-f208b30123e2",
            "Arn": "arn:aws:iam:::role/S3Access",
            "CreateDate": "2021-03-24T13:08:20.522Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Federated": [
                                "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRoleWithWebIdentity"
                        ],
                        "Condition": {
                            "StringEquals": {
                                "xxxxx.xxxxnt.com/auth/realms/xxxxnt:app_id": "xxxxnt_xxxx_backend"
                            }
                        }
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}
$ aws --endpoint=http://10.10.xx.xx iam list-open-id-connect-providers
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
        }
    ]
}
$ aws --endpoint=http://10.10.xx.xx iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/xxxxx.xxxxnt.com/auth/realms/xxxxnt"
{
    "Url": "https://xxxxx.xxxxnt.com/auth/realms/xxxxnt",
    "ClientIDList": [
        "test_ceph"
    ],
    "ThumbprintList": [
        "02DC870BD9E72360C090Fxxxxxxxxxxxxxxxxxxx"
    ],
    "CreateDate": "2021-03-24T12:26:38.173Z"
}
$ curl -X POST https://xxxxx.xxxxnt.com/auth/realms/xxxxnt/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d "password=omitted" -d "grant_type=password" -d "client_id=test_ceph" -d "client_secret=d01eafe2-xxxx-xxxx-xxxx-xxxxxx7b7dad"
{"access_token":"eyJhbGc.........tTRy1bA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbG......RU","token_type":"Bearer","not-before-policy":0,"session_state":"3a57b32a-b17c-4b29-bd68-8ce06b6bd2a8","scope":"email account ..... xxxxnt_xxxx_backend profile"}
$ aws --debug --endpoint=http://10.10.xx.xx sts assume-role-with-web-identity --role-arn "arn:aws:iam:::role/S3Access" --role-session-name "test" --web-identity-token "eyJhbGc.........tTRy1bA"
.....
2021-03-25 10:17:45,309 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000032-00605c5538-2cf3a-pl</RequestId><HostId>2cf3a-pl-default</HostId></Error>'
.....
An error occurred (Unknown) when calling the AssumeRoleWithWebIdentity operation: Unknown
The JWT token returned by Keycloak contains the fields
"iss": "https://xxxxx.xxxxnt.com/auth/realms/flexgent",
"aud": "xxxxnt_xxxx_backend",
"azp": "test_ceph",
The thumbprint was generated using the example from the Ceph documentation (curl from jwks_uri).
I'm not really sure what might be wrong; I'd be thankful for any hints,
including debugging hints, because so far I'm unable to get useful logs on that.
Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND
KRS: 0000674406, NIP: 9581679801, REGON: 367090912
www.softgent.com
District Court Gdańsk-Północ in Gdańsk, VII Commercial Division of the National Court Register
KRS 0000674406, share capital: PLN 25,000.00, paid in full.
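A small diagnostic that a reader could run before retrying the STS call, added here as an example and not part of the post above: it decodes the Keycloak token's payload (signature is not verified; this is for inspection only) and compares iss, aud and azp against the provider URL, ClientIDList and the role's app_id condition quoted in the post. The token, claim values and the assumption that RGW matches the app_id condition against the audience-type claims are constructed/assumed, not taken from Ceph's source.

```python
import base64
import json
import time
from urllib.parse import urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token mirroring the claims quoted in the post. It is unsigned
# ("sig" placeholder); a real Keycloak token carries an RS256 signature.
SAMPLE_CLAIMS = {
    "iss": "https://xxxxx.xxxxnt.com/auth/realms/xxxxnt",
    "aud": "xxxxnt_xxxx_backend",
    "azp": "test_ceph",
    "exp": int(time.time()) + 300,
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "sig",
])

# Values copied from the post's get-open-id-connect-provider / list-roles output.
PROVIDER_URL = "https://xxxxx.xxxxnt.com/auth/realms/xxxxnt"
CLIENT_ID_LIST = ["test_ceph"]
TRUST_CONDITION = {"xxxxx.xxxxnt.com/auth/realms/xxxxnt:app_id": "xxxxnt_xxxx_backend"}

def decode_claims(token: str) -> dict:
    """Decode the payload segment only; no signature check (diagnostics, not auth)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, provider_url=PROVIDER_URL, client_ids=CLIENT_ID_LIST,
                condition=TRUST_CONDITION, now=None):
    """Return named checks -> bool comparing token claims with the RGW configuration."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or list
    # Condition key is '<issuer without scheme>:app_id'; assumed to be compared
    # against the audience-type claims (aud / azp) of the token.
    iss = urlparse(c.get("iss", ""))
    key = f"{iss.netloc}{iss.path}:app_id"
    audience_claims = aud + [c.get("azp")]
    return {
        "iss_matches_provider_url": c.get("iss") == provider_url,
        "condition_key_matches_iss": key in condition,
        "condition_value_in_aud_or_azp": condition.get(key) in audience_claims,
        "aud_or_azp_in_client_id_list": any(x in client_ids for x in audience_claims),
        "not_expired": c.get("exp", 0) > now,
    }
```

Any False in the result points at the mismatch to fix first; note that in the post's own output the token's iss names the realm "flexgent" while the provider URL names "xxxxnt", which the first check would flag.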