Hi Boris,

Is it possible for you to elaborate on what problem you are facing, like
which credentials you used to create the bucket? And could you check the rgw
logs and see what the error is when you try to access the bucket?

Thanks,
Pritha

On Fri, Dec 5, 2025 at 5:19 PM Boris <[email protected]> wrote:

> Hi,
> Since the last squid update (19.2.3) we have had the problem that the STS
> integration does not work anymore (relevant tracker:
> https://tracker.ceph.com/issues/69924).
>
> Now there is a user with the $oidc$ prefix with the same suffix as the
> original user name. For example:
>
> >"$oidc$e0a0eed4f6a64c9cad70b69625dccba8",
> >"e0a0eed4f6a64c9cad70b69625dccba8",
>
> and both users are treated as different users in radosgw.
>
> We use STS with AssumeRoleWithWebIdentity to make bucket management
> possible via a website, and didn't want to fetch all the access credentials
> just to pick one and authenticate with that.
>
> Now when we create a bucket in the panel, we don't have access via the
> normal EC2 credentials anymore.
>
> I still think I am holding it wrong.
> This is the role and policy we've set:
>
> > # radosgw-admin role get --role-name=S3Access
> > {
> >     "RoleId": "49d0d470-dc7a-4ffe-8db3-4f40cb82ebfd",
> >     "RoleName": "S3Access",
> >     "Path": "/",
> >     "Arn": "arn:aws:iam:::role/S3Access",
> >     "CreateDate": "2025-08-12T08:31:11.761Z",
> >     "MaxSessionDuration": 3600,
> >     "AssumeRolePolicyDocument":
> "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/vv.xx.yy.zz:8443/realms/snc-customera\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"vv.xx.yy.zz:8443/realms/snc-customera:app_id\":\"account\"}}}]}",
> >     "PermissionPolicies": [
> >         {
> >             "PolicyName": "Policy1",
> >             "PolicyValue":
> "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"
> >         }
> >     ]
> > }
>
> Best wishes
>  Boris
> --
> The "UTF-8 problems" self-help group is meeting, as an exception, in the
> large ("groüen") hall this time.
>
_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
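As an added diagnostic for the AssumeRoleWithWebIdentity setup discussed in this thread (this is not code from the thread or from Ceph, and it does not reproduce radosgw's own policy evaluation), the following Python takes the S3Access role's trust policy exactly as printed by radosgw-admin above and checks, offline, whether the claims of a given OIDC ID token would satisfy its Federated principal and StringEquals condition. It assumes that the `<provider>:app_id` condition key is matched against the token's `aud` claim and that the provider part of the ARN is the issuer URL without its scheme; the token, its `sub`, and the `azp` value are constructed for the example. Signatures are not verified, so this is for diagnosing a mismatch only, never for making an authorization decision.

```python
"""Offline check of an OIDC ID token against an RGW role trust policy.

Added example for diagnosing AssumeRoleWithWebIdentity failures. It does
not reproduce radosgw's own evaluation logic and does NOT verify the token
signature: use it to see why a condition would not match, nothing more.
"""
import base64
import json

# The trust policy from the radosgw-admin output in the thread above, with
# the escaped AssumeRolePolicyDocument string unescaped into a plain dict.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            "arn:aws:iam:::oidc-provider/vv.xx.yy.zz:8443/realms/snc-customera"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {
            "vv.xx.yy.zz:8443/realms/snc-customera:app_id": "account"}},
    }],
}

# Constructed token claims (sub/azp values are made up for the example).
EXAMPLE_CLAIMS = {
    "iss": "https://vv.xx.yy.zz:8443/realms/snc-customera",
    "aud": "account",
    "sub": "e0a0eed4f6a64c9cad70b69625dccba8",
    "azp": "bucket-panel",
}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the JWT stripped."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test input)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def provider_of(iss: str) -> str:
    """'https://host:port/realms/x' -> 'host:port/realms/x' (assumed ARN form)."""
    for scheme in ("https://", "http://"):
        if iss.startswith(scheme):
            return iss[len(scheme):]
    return iss


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict, claims: dict) -> tuple[bool, list[str]]:
    """Return (allowed, problems) for these claims against the trust policy.

    Assumption: the '<provider>:app_id' key is compared with the 'aud' claim;
    any other '<provider>:<name>' key is compared with the claim of that name.
    """
    provider = provider_of(claims.get("iss", ""))
    wanted_arn = f"arn:aws:iam:::oidc-provider/{provider}"
    all_problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        problems = []
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if wanted_arn not in federated:
            problems.append(f"issuer {claims.get('iss')!r} is not a trusted "
                            f"Federated principal ({federated})")
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            key_provider, _, claim_name = key.rpartition(":")
            if key_provider != provider:
                problems.append(f"condition key {key!r} names a different provider "
                                f"than the token issuer")
                continue
            actual = _as_list(claims.get("aud" if claim_name == "app_id" else claim_name))
            if expected not in actual:
                problems.append(f"{claim_name}: policy wants {expected!r}, token has {actual}")
        if not problems:
            return True, []
        all_problems.extend(problems)
    return False, all_problems or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]


if __name__ == "__main__":
    token = make_unsigned_token(EXAMPLE_CLAIMS)
    print(check_trust_policy(TRUST_POLICY, jwt_claims(token)))
```

Feed it the real ID token the panel sends to STS (for example by pasting it into `jwt_claims`) together with the trust policy from `radosgw-admin role get`; a reported `aud` or issuer mismatch points at the token or role configuration, whereas a clean match with a still-failing AssumeRoleWithWebIdentity call points at the rgw side, which is where the rgw log Pritha asks for comes in.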
