Hi,
since the last Squid update (19.2.3) we have the problem that the STS
integration does not work anymore (relevant tracker:
https://tracker.ceph.com/issues/69924).
Now there is a user with the $oidc$ prefix and the same suffix as the
original user name. For example:
>"$oidc$e0a0eed4f6a64c9cad70b69625dccba8",
>"e0a0eed4f6a64c9cad70b69625dccba8",
and both users are treated as different users in radosgw.
We use STS with AssumeRoleWithWebIdentity to make bucket management
possible via a website, and didn't want to fetch all the access credentials
just to pick one and authenticate with that.
Now when we create a bucket in the panel, we don't have access via the
normal EC2 credentials anymore.
I still think I am holding it wrong.
This is the role and policy we've set:
> # radosgw-admin role get --role-name=S3Access
> {
>     "RoleId": "49d0d470-dc7a-4ffe-8db3-4f40cb82ebfd",
>     "RoleName": "S3Access",
>     "Path": "/",
>     "Arn": "arn:aws:iam:::role/S3Access",
>     "CreateDate": "2025-08-12T08:31:11.761Z",
>     "MaxSessionDuration": 3600,
>     "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/vv.xx.yy.zz:8443/realms/snc-customera\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"vv.xx.yy.zz:8443/realms/snc-customera:app_id\":\"account\"}}}]}",
>     "PermissionPolicies": [
>         {
>             "PolicyName": "Policy1",
>             "PolicyValue": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"
>         }
>     ]
> }
Best wishes
Boris
--
The "UTF-8 problems" self-help group meets this time, by way of exception, in the
large hall.
_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
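An added example (not part of the mail above or of Ceph) that decodes the string-encoded policy documents in `radosgw-admin role get` output so the trust condition and permission scope can be checked, and that pairs `$oidc$`-prefixed uids with plain uids as would be seen in `radosgw-admin user list`. The role JSON is a constructed copy of the one quoted in the mail (with its anonymised vv.xx.yy.zz provider host) and the uid list is constructed.

```python
import json

# Constructed sample input: the role as `radosgw-admin role get` prints it,
# with both policy documents embedded as JSON-encoded strings (copied from
# the mail above; vv.xx.yy.zz is the anonymised OIDC provider host).
ROLE_JSON = r'''{
 "RoleName": "S3Access",
 "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/vv.xx.yy.zz:8443/realms/snc-customera\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"vv.xx.yy.zz:8443/realms/snc-customera:app_id\":\"account\"}}}]}",
 "PermissionPolicies": [{"PolicyName": "Policy1",
   "PolicyValue": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"}]
}'''

def _statements(doc):
    """A policy 'Statement' may be one object or a list; always return a list."""
    st = doc.get("Statement", [])
    return st if isinstance(st, list) else [st]

def decode_role(text):
    """Parse role output and decode the nested, string-encoded policy documents."""
    role = json.loads(text)
    trust = _statements(json.loads(role["AssumeRolePolicyDocument"]))
    perms = {p["PolicyName"]: _statements(json.loads(p["PolicyValue"]))
             for p in role.get("PermissionPolicies", [])}
    return {"name": role["RoleName"], "trust": trust, "permissions": perms}

def audit_role(role):
    """Return findings about trust-policy scoping and permission breadth."""
    findings = []
    for st in role["trust"]:
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not any(k.endswith((":app_id", ":aud", ":sub")) for k in cond):
            findings.append("trust statement has no app_id/aud/sub condition: "
                            "any valid token from the provider can assume the role")
    for name, sts in role["permissions"].items():
        for st in sts:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            if st["Effect"] == "Allow" and "s3:*" in actions and "arn:aws:s3:::*" in res:
                findings.append(f"{name}: grants s3:* on every bucket and object")
    return findings

def find_oidc_shadow_users(uids):
    """Pair each '$oidc$<suffix>' uid with a plain '<suffix>' uid when both exist."""
    plain = set(uids)
    return sorted((u, u[len("$oidc$"):]) for u in uids
                  if u.startswith("$oidc$") and u[len("$oidc$"):] in plain)

if __name__ == "__main__":
    role = decode_role(ROLE_JSON)
    print(role["name"], *audit_role(role), sep="\n  ")
    print(find_oidc_shadow_users(["$oidc$e0a0eed4f6a64c9cad70b69625dccba8",
                                  "e0a0eed4f6a64c9cad70b69625dccba8", "alice"]))
```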