I will look into the bug that you submitted.
Thanks,
Pritha
On Thu, Mar 2, 2023 at 3:46 AM <mat(a)hazmat.dev> wrote:
Hello,
I just submitted:
https://tracker.ceph.com/issues/58890
Here are more details about the configuration. Note that I've tried a URL
with and without a trailing `/` slash, like what appears in the `iss`.
STS OpenIDConnectProvider
<pre>
{
    "ClientIDList": [
        "radosgw"
    ],
    "CreateDate": "2023-03-01T04:05:45.930000+00:00",
    "ThumbprintList": [
        "16A1FBBEE0DC3F78C2013326B2EBA2B9F6D59575"
    ],
    "Url": "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"
}
</pre>
Role document with the ARN used in the AssumeRoleWithWebIdentity call. The
token returns a "sub" claim with the value of "mathew.utter", i.e. me.
<pre>
{
    "RoleId": "53186307-cc98-4904-b867-aa6c2fb10291",
    "RoleName": "AssumeRoleWithWebIdentityForOIDC",
    "Path": "/",
    "Arn": "arn:aws:iam:::role/AssumeRoleWithWebIdentityForOIDC",
    "CreateDate": "2023-03-01T04:05:46.417Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c:sub\":\"mathew.utter\"}}}]}"
}
</pre>
Policy attached to the role:
<pre>
{
    "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*\"]}]}"
}
</pre>
There would be a role and policy created for each OIDC user, which is why
I'm using the "sub" in the Role.
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
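Added example, not code from the mail or from Ceph RGW: a small model of the configuration pieces discussed above, to show how the provider URL in the thread becomes the federated principal ARN (`arn:aws:iam:::oidc-provider/<host/path>`) and the condition key (`<host/path>:sub`), how a ThumbprintList entry is derived from a DER certificate, and how a trust policy keyed on `sub` is evaluated against the claims of a decoded token. The matching rules (trailing-slash normalization of the issuer, `aud` checked against ClientIDList, StringEquals on claims) are assumptions written for illustration; whether RGW normalizes the trailing slash the same way is exactly the question the tracker issue raises, and the issuer URL, subject and token claims below are constructed from the values in the mail, not real tokens.

```python
"""Added example: models the OIDC provider / role trust policy setup from the
mail.  Not RGW code; the matching rules are illustrative assumptions."""
import hashlib
import json
from urllib.parse import urlparse

# Constructed from the values in the mail (assumption: a lab issuer).
ISSUER = "https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c"
CLIENT_IDS = ["radosgw"]


def provider_id(issuer_url: str) -> str:
    """Host + path of the issuer as it appears inside the provider ARN and in
    condition keys.  Trailing slashes are stripped so that a URL given with
    or without '/' yields the same id (assumption, for illustration)."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer must be an https URL: {issuer_url!r}")
    return (parsed.netloc + parsed.path).rstrip("/")


def provider_arn(issuer_url: str) -> str:
    """Federated principal ARN for the OIDC provider."""
    return f"arn:aws:iam:::oidc-provider/{provider_id(issuer_url)}"


def trust_policy(issuer_url: str, subject: str) -> dict:
    """Trust policy that lets exactly one OIDC subject assume the role, the
    per-user-role pattern described in the mail."""
    pid = provider_id(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": [provider_arn(issuer_url)]},
            "Action": ["sts:AssumeRoleWithWebIdentity"],
            "Condition": {"StringEquals": {f"{pid}:sub": subject}},
        }],
    }


def cert_thumbprint(der_cert: bytes) -> str:
    """ThumbprintList entries are the uppercase hex SHA-1 of the DER cert."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def token_allowed(policy: dict, claims: dict, client_ids: list) -> tuple:
    """Simplified evaluation of a decoded token against the trust policy:
    iss must map to a federated principal of an Allow statement, aud must
    be a registered client id, and every StringEquals key '<pid>:<claim>'
    must match that claim.  Returns (allowed, reason)."""
    try:
        iss_arn = provider_arn(claims["iss"])
        iss_id = provider_id(claims["iss"])
    except (KeyError, ValueError) as exc:
        return False, f"bad iss: {exc}"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in client_ids for a in auds):
        return False, "aud not in ClientIDList"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", []):
            continue
        if iss_arn not in stmt.get("Principal", {}).get("Federated", []):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in conds.items():
            # rpartition keeps any ':port' inside the provider id intact.
            prefix, _, claim = key.rpartition(":")
            if prefix != iss_id or str(claims.get(claim)) != str(expected):
                matched = False
                break
        if matched:
            return True, "matched statement"
    return False, "no statement matched iss/conditions"


if __name__ == "__main__":
    policy = trust_policy(ISSUER + "/", "mathew.utter")  # trailing slash on purpose
    print(json.dumps(policy, indent=2))
    # Constructed claims, as a decoded ID token for the user might carry them.
    good = {"iss": ISSUER, "sub": "mathew.utter", "aud": "radosgw"}
    other = {"iss": ISSUER, "sub": "someone.else", "aud": "radosgw"}
    print(token_allowed(policy, good, CLIENT_IDS))
    print(token_allowed(policy, other, CLIENT_IDS))
```

Running it prints the trust policy with the same principal ARN and `...:sub` condition key as the role document in the mail, then an allow for the matching subject and a deny for any other subject; the deny path is what a per-user role relies on, so it is worth keeping a negative case in any test of this setup.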