Bug #47327 (closed)
STS AssumeRole API get 400 response
% Done: 0%
Source: Q/A
Tags: sts
Regression: No
Severity: 3 - minor
ceph-qa-suite: ceph-ansible
Description
// Build an STS client that points at the RGW endpoint (credentials and endpointUrl are defined elsewhere)
AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(credentials))
        .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpointUrl, "us-east-1"))
        .build();
// Session policy: allow every S3 action on every resource
JSONObject jsonObject = new JSONObject();
jsonObject.put("Version", "2012-10-17");
ArrayList<JSONObject> list = new ArrayList<>();
JSONObject jsonObject1 = new JSONObject();
jsonObject1.put("Effect", "Allow");
jsonObject1.put("Action", "s3:*");
ArrayList<String> list1 = new ArrayList<>();
list1.add("arn:aws:s3:::*");
jsonObject1.put("Resource", list1);
list.add(jsonObject1);
jsonObject.put("Statement", list);
String policy = jsonObject.toJSONString();
System.out.println(policy);
// Assume the role with the session policy attached
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
        .withRoleArn("arn:aws:iam:::role/S3Access3")
        .withRoleSessionName("Viewers")
        .withPolicy(policy);
AssumeRoleResult assumeRoleResult = sts_client.assumeRole(assumeRoleRequest);
// Print the temporary credentials returned by STS
System.out.println(assumeRoleResult.getCredentials().getAccessKeyId()
        + "---" + assumeRoleResult.getCredentials().getSecretAccessKey()
        + "---" + assumeRoleResult.getCredentials().getSessionToken());
Got response:
HTTP/1.1 400 Bad Request
Content-Length: 188
x-amz-request-id: tx000000000000000000017-005f54dca0-3736-default
Accept-Ranges: bytes
Content-Type: application/xml
Date: Sun, 06 Sep 2020 12:57:04 GMT
Connection: Keep-Alive
<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><RequestId>tx000000000000000000017-005f54dca0-3736-default</RequestId><HostId>3736-default-default</HostId></Error>
Checked the radosgw log and got:
2020-09-06T21:16:41.136+0800 7f9b5aa13700 0 ERROR: Invalid secret key
2020-09-06T21:16:41.136+0800 7f9b5aa13700 1 ====== req done req=0x7f9b5aa0b070 op status=-22 http_status=400 latency=0.013999833s ======
2020-09-06T21:16:41.137+0800 7f9b5aa13700 1 civetweb: 0x55783d1ac000: 10.4.6.13 - - [06/Sep/2020:21:16:41 +0800] "POST / HTTP/1.1" 400 394 - Boto3/1.14.47 Python/2.7.5 Linux/3.10.0-1127.13.1.el7.x86_64 Botocore/1.17.47
Updated by Casey Bodley over 3 years ago
- Assignee set to Pritha Srivastava
- Tags set to sts
Updated by Pritha Srivastava over 3 years ago
The invalid secret key error happens when rgw sts key is not set or is incorrect. The two configurables are needed to enable and use STS in RGW:
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true
rgw sts key should be 16 in length like abcdefghijklmnop
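A pre-flight check for the two settings named in the comment above, as an added example that is not part of the original report or of Ceph's own code. It assumes the options are set in a ceph.conf file rather than in the monitor config database; the section name client.rgw.gateway1 and both sample fragments are constructed.

```python
import re

# Constructed ceph.conf fragments; the section name client.rgw.gateway1 is hypothetical.
BROKEN_CONF = """\
[global]
rgw_s3_auth_use_sts = true

[client.rgw.gateway1]
rgw-sts-key = tooshort   ; only 8 long
"""

FIXED_CONF = """\
[client.rgw.gateway1]
rgw sts key = abcdefghijklmnop
rgw s3 auth use sts = true
"""

def _norm(name):
    # ceph.conf treats spaces, underscores and dashes in option names as equivalent.
    return re.sub(r"[\s_-]+", "_", name.strip().lower())

def read_options(conf_text, sections):
    """Merge options from the given sections; later sections override earlier ones."""
    found = {s: {} for s in sections}
    current = None
    for raw in conf_text.splitlines():
        # Assumption: '#' or ';' starts a comment and never appears inside a value.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current in found and "=" in line:
            key, value = line.split("=", 1)
            found[current][_norm(key)] = value.strip()
    return {k: v for s in sections for k, v in found[s].items()}

def check_sts(conf_text, sections=("global", "client", "client.rgw.gateway1")):
    """Return the list of STS misconfigurations named in the comment above."""
    opts = read_options(conf_text, sections)
    problems = []
    key = opts.get("rgw_sts_key")
    if key is None:
        problems.append("rgw sts key is not set")
    elif len(key) != 16:  # report only the length so the key never reaches logs
        problems.append("rgw sts key has length %d, expected 16" % len(key))
    if opts.get("rgw_s3_auth_use_sts", "false").lower() not in ("true", "1"):
        problems.append("rgw s3 auth use sts is not true")
    return problems
```

An empty result from `check_sts` means both settings meet the requirements stated in the comment; each returned string names one setting to correct before retrying AssumeRole.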
Updated by lee jia over 3 years ago
Pritha Srivastava wrote:
The invalid secret key error happens when rgw sts key is not set or is incorrect. The two configurables are needed to enable and use STS in RGW:
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true
rgw sts key should be 16 in length like abcdefghijklmnop
Thank you so much!
Updated by Abhishek Lekshmanan over 3 years ago
- Status changed from New to In Progress
Updated by Casey Bodley over 3 years ago
- Status changed from In Progress to Resolved