[ceph-users] How to use STS Lite correctly?

Pritha Srivastava prsrivas at redhat.com
Mon Mar 4 06:57:27 PST 2019


There are two steps that have to be performed before calling AssumeRole:

1. A role named S3Access needs to be created to which it is mandatory to
attach an assume role policy document. For example,

radosgw-admin role create --role-name=S3Access
--path=/application_abc/component_xyz/
--assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}


2. A permission policy needs to be attached to the role, to allow all s3
operations using the temporary creds returned by the Assume role call. For
example,

radosgw-admin role-policy put --role-name=S3Access
--policy-name=Policy1
--policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}


The documentation for the above is at:
http://docs.ceph.com/docs/master/radosgw/role/

Thanks,
Pritha
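
An added example (not from this thread or from the Ceph project): it builds the two radosgw-admin commands above from structured policy dicts, so the JSON comes from json.dumps instead of hand-escaped shell quoting, and it adds a pre-flight check that the caller's user ARN is actually a principal of the assume-role policy, which is what AssumeRole verifies before handing out temporary credentials. The role, path, user and bucket names are the ones used in the thread; the narrower s3 action list is an assumption chosen instead of s3:*.

```python
import json
import shlex


def trust_policy(trusted_user_arns):
    """Assume-role policy document: which RGW users may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(trusted_user_arns)},
            "Action": ["sts:AssumeRole"],
        }],
    }


def permission_policy(bucket, actions=("s3:GetObject", "s3:ListBucket")):
    """Permission policy for the temporary creds (assumed: scoped to one
    bucket and its objects instead of s3:* as in the thread)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def role_setup_commands(role_name, path, trusted_user_arns, bucket, policy_name="Policy1"):
    """The two commands that must precede AssumeRole, as argv lists."""
    compact = {"separators": (",", ":")}  # no whitespace inside the JSON argument
    create = ["radosgw-admin", "role", "create", f"--role-name={role_name}", f"--path={path}",
              "--assume-role-policy-doc=" + json.dumps(trust_policy(trusted_user_arns), **compact)]
    put = ["radosgw-admin", "role-policy", "put", f"--role-name={role_name}",
           f"--policy-name={policy_name}",
           "--policy-doc=" + json.dumps(permission_policy(bucket), **compact)]
    return [create, put]


def caller_is_trusted(trust_doc, caller_arn):
    """Pre-flight check: the user whose keys call AssumeRole must appear as an
    AWS principal of an Allow statement for sts:AssumeRole, else it is denied."""
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in stmt.get("Action", []):
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if caller_arn in ([principals] if isinstance(principals, str) else principals):
            return True
    return False


def to_shell(argv):
    """Render an argv list as a safely quoted shell command line."""
    return " ".join(shlex.quote(a) for a in argv)
```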

On Mon, Mar 4, 2019 at 4:48 PM myxingkong <admin at xingkong.io> wrote:

>
> I want to use the STS service to generate temporary credentials for use by
> third-party clients.
>
> I configured STS lite based on the documentation.
> http://docs.ceph.com/docs/master/radosgw/STSLite/
>
> This is my configuration file:
>
> [global]
> fsid = 42a7cae1-84d1-423e-93f4-04b0736c14aa
> mon_initial_members = admin, node1, node2, node3
> mon_host = 192.168.199.81,192.168.199.82,192.168.199.83,192.168.199.84
> auth_cluster_required = cephx
> auth_service_required = cephx
> auth_client_required = cephx
>
> osd pool default size = 2
>
> [client.rgw.admin]
> rgw sts key = "1234567890"
> rgw s3 auth use sts = true
>
> When I execute the getSessionToken method, it returns a 403 error:
>
> <Error>
> <Code>AccessDenied</Code>
> <RequestId>tx00000000000000000000d-005c7d07ed-3a3c-default</RequestId>
> <HostId>3a3c-default-default</HostId>
> </Error>
>
> import traceback
> import boto3
>
> try:
>     host = 'http://192.168.199.81:7480'
>     access_key = '2324YFZ7QDEOSRL18QHR'
>     secret_key = 'rL9FabxCOw5LDbrHtmykiGSCjzpKLmEs9WPiNjVJ'
>
>     # STS client pointed at the RGW endpoint instead of AWS
>     client = boto3.client('sts',
>                           aws_access_key_id=access_key,
>                           aws_secret_access_key=secret_key,
>                           endpoint_url=host)
>     # Ask RGW for temporary credentials for the S3Access role
>     response = client.assume_role(
>         RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
>         RoleSessionName='Bob',
>         DurationSeconds=3600
>     )
>     print(response)
> except Exception:
>     print(traceback.format_exc())
>
> Who can tell me if my configuration or code is wrong?
>
> My version of ceph is: ceph version 14.1.0
> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)