Running Nautilus 14.2.9 and trying to follow the STS example given here:
https://docs.ceph.com/docs/master/radosgw/STS/ to set up a policy
for AssumeRoleWithWebIdentity using KeyCloak (8.0.1) as the OIDC provider.
I am able to see in the rgw debug logs that the token being passed from the
client is passing the introspection check, but it always ends up failing
the final authorization to access the requested bucket resource and is
rejected with a 403 status "AccessDenied".
I configured my policy as described in the 2nd example on the STS page
above. I suspect the problem is with the "StringEquals" condition statement
in the AssumeRolePolicy document (I could be wrong though).
The example shows using the keycloak URI followed by ":app_id" matching
with the name of the keycloak client application ("customer-portal" in the
example). My keycloak setup does not have any such field in the
introspection result and I can't seem to figure out how to make this all
work.
I cranked up the logging to 20/20 and still did not see any hints as to
what part of the policy is causing the access to be denied.
Any suggestions?
-Wyllys Ingersoll
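As an added illustration (not part of the original message, and not Ceph's or Keycloak's own code), the check below evaluates the trust policy's StringEquals condition against the fields of an introspection result and reports which condition key is missing or mismatched, which is the hint the RGW logs did not give. The policy is modelled on the second example in the STS docs with placeholder issuer and client name; the mapping of app_id to the client_id / azp / aud fields is an assumption, not something the docs state.

```python
import json

# Constructed trust policy modelled on the STS docs' second example; the issuer
# URI and client name are placeholders, not values from any real deployment.
ISSUER = "localhost:8080/auth/realms/quickstart"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{ISSUER}"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {f"{ISSUER}:app_id": "customer-portal"}},
    }],
}

def context_from_introspection(issuer, claims):
    """Build the condition-key context from an introspection result.
    Assumption (not from the docs): app_id is taken from the first of
    client_id / azp / aud present in the token; adjust for your RGW version."""
    ctx = {}
    for name in ("client_id", "azp", "aud"):
        if name in claims:
            ctx[f"{issuer}:app_id"] = claims[name]
            break
    if "sub" in claims:
        ctx[f"{issuer}:sub"] = claims["sub"]
    return ctx

def check_conditions(policy, ctx):
    """Return (key, expected, actual) for every StringEquals condition that
    fails; an empty list means every condition in the policy holds."""
    failures = []
    for stmt in policy["Statement"]:
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        for key, expected in conds.items():
            actual = ctx.get(key)
            # aud may be a list in Keycloak tokens; accept a match on any element
            ok = expected in actual if isinstance(actual, list) else actual == expected
            if not ok:
                failures.append((key, expected, actual))
    return failures

# Constructed introspection result resembling Keycloak output; note there is
# no client_id field, so app_id has to be derived from azp here.
INTROSPECTION = {"active": True, "iss": "http://" + ISSUER, "sub": "f:1234:alice",
                 "azp": "customer-portal", "aud": "account"}

if __name__ == "__main__":
    print(json.dumps(check_conditions(TRUST_POLICY,
                                      context_from_introspection(ISSUER, INTROSPECTION))))
```

Paste the real introspection JSON from the rgw debug log into INTROSPECTION to see which key the policy is actually looking for and what the token supplies.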