It would be the second one:
arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
Thanks,
Pritha
On Thu, May 13, 2021 at 3:54 PM Daniel Iwan <iwan.daniel(a)gmail.com> wrote:
Hi Pritha
This is probably the only combination I haven't tried.
I was convinced it would have to be $oidc$
It worked brilliantly with the arn you suggested, thank you for that.
So does it mean that for a non-empty tenant we would have the tenant name twice, like
arn:aws:iam::mytenant:user/mytenant$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
or would it be a single tenant name?
arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
If it's the second one, it relies on the fact that IDs are unique, which in
turn depends on the sub field in the token.
Regards
Daniel
On Wed, 12 May 2021 at 13:31, Pritha Srivastava <prsrivas(a)redhat.com> wrote:
Hi,
Can you try with the following ARN:
arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
The format of the user id is: <tenant>$<user-namespace>$<sub>, and in
$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b, the '$' before oidc is a
separator for a tenant which is empty here, and the ARN for a user is of the
format: arn:aws:iam::<tenant>:user/<user-id>, and hence the ARN here will
be arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
Thanks,
Pritha
On Wed, May 12, 2021 at 4:02 PM Daniel Iwan <iwan.daniel(a)gmail.com> wrote:
> Hi all
>
> I'm working on the following scenario:
> User is authenticated with OIDC and tries to access a bucket which it does
> not own.
> How to specify user ID etc. to give access to such a user?
>
> By trial and error I found out that principal can be specified as
> "Principal": {"Federated":["arn:aws:sts:::assumed-role/MySession"]},
>
> but I want to use shadow user ID or something similar as the principal
>
> Docs
> https://docs.ceph.com/en/latest/radosgw/STS/
> states:
> 'A shadow user is created corresponding to every federated user. The user
> id is derived from the ‘sub’ field of the incoming web token. The user is
> created in a separate namespace - ‘oidc’ such that the user id doesn’t
> clash with any other user ids in rgw. The format of the user id is -
> <tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for users
> that authenticate with oidc providers.'
>
> I see a shadow user in Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b
> but I cannot work out the syntax of a user id, I was expecting something
> like "arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
> but when trying to list content of a bucket I get AccessDenied.
> If bucket policy has Principal "*" then my authenticated user can access
> the bucket.
> Is this possible?
> Regards
> Daniel
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
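The ARN rule worked out in this thread (shadow user id `<tenant>$oidc$<sub>`, ARN `arn:aws:iam::<tenant>:user/oidc$<sub>`, tenant written once) as an added example that is not part of the thread or of Ceph's own code: it parses the shadow user id the way the docs describe it and emits a bucket policy naming that user instead of the wildcard `"*"`. The `"AWS"` principal key, the bucket name and the read-only action set are assumptions for illustration.

```python
import json

# Shadow user id, as quoted from the radosgw STS docs in the thread:
#   <tenant>$<user-namespace>$<sub>   e.g. "$oidc$7f71c7c5-..." for an empty tenant


def parse_shadow_user_id(user_id):
    """Split a shadow user id into (tenant, namespace, sub).

    Split at most twice so that a '$' inside the sub claim is preserved.
    A bare sub with no separators is rejected: the leading tenant separator
    is what Daniel's first attempt ("user/$oidc$...") got wrong.
    """
    parts = user_id.split("$", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("not a <tenant>$<namespace>$<sub> user id: %r" % user_id)
    return parts[0], parts[1], parts[2]


def shadow_user_arn(user_id):
    """Build the principal ARN for a shadow user.

    The tenant goes into the account field only, so the user part carries
    just <namespace>$<sub>:
      ""         -> arn:aws:iam:::user/oidc$<sub>
      "mytenant" -> arn:aws:iam::mytenant:user/oidc$<sub>
    """
    tenant, namespace, sub = parse_shadow_user_id(user_id)
    return "arn:aws:iam::%s:user/%s$%s" % (tenant, namespace, sub)


def bucket_policy(bucket, user_ids, actions=("s3:ListBucket", "s3:GetObject")):
    """Return a bucket policy (dict) granting the listed shadow users read
    access, scoped to named principals rather than Principal "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [shadow_user_arn(u) for u in user_ids]},  # assumed key
            "Action": list(actions),
            "Resource": ["arn:aws:s3:::%s" % bucket, "arn:aws:s3:::%s/*" % bucket],
        }],
    }


if __name__ == "__main__":
    # Constructed sample: the sub from the thread, once without and once with a tenant.
    subs = ["$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
            "mytenant$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"]
    print(json.dumps(bucket_policy("shared-bucket", subs), indent=2))
```

Apply the printed document with `s3cmd setpolicy` or `aws s3api put-bucket-policy` against the RGW endpoint; an AccessDenied after that points at the user id format, not at the policy grammar.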