Bug #47871
openradosgw does not properly handle a roleArn when executing assume-role operation
Description
Using 15.2.4 on centos8.1
1. I have a role defined with a path, such that the roleArn is arn:aws:iam:::/role/p1/p2/role1, with a user defined in the AssumeRolePolicyDocument
2. using awscli as the user in question, with the valid s3 credentials for the user available, I can assume the role with:
$ aws sts assume-role --role-arn arn:aws:iam:::/role/p1/p2/role1 --role-session-name mysess
This works, and I get back a json document that has the temporary credentials. That's good.
However, when I give an invalid arn (but with '/role1' at the end of the Arn) I still get back a json document with temporary credentials, and they work! i.e.:
$ aws sts assume-role --role-arn arn:aws:iam:::/role/p5/role1 --role-session-name mysess
$ aws sts assume-role --role-arn arn:aws:iam:::/role/p3/p4/role1 --role-session-name mysess
$ aws sts assume-role --role-arn arn:aws:iam:::/role/role1 --role-session-name mysess
These all work, but they should fail. It appears that radosgw is not handling or parsing the Arn properly. The command should fail for all but the proper Arn. On AWS itself, I get AccessDenied when not using the proper Arn. Not sure how this might affect multiple roles with multiple paths and/or similar role names.
We eyeballed a typo for a role Arn (which was actually working, but shouldn't) in something we are using, which led me to file this bug report...
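As an added illustration of the expected behaviour (this is example code, not radosgw's or awscli's own implementation), the following parses a role ARN in the shape used in this report into its components and only accepts a requested ARN when partition, service, account, path and role name all match the configured role exactly. A second, deliberately lax comparator that looks only at the trailing role name is included purely to show why the three ARNs in the report would be wrongly accepted by name-only matching; it is a hypothesis for illustration, not the gateway's code. The leading "/" before "role" is tolerated because the report's ARNs carry it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleArn:
    partition: str
    service: str
    region: str
    account: str
    path: str   # always begins and ends with "/", e.g. "/p1/p2/" or just "/"
    name: str   # the role name, e.g. "role1"


def parse_role_arn(arn: str) -> RoleArn:
    """Parse 'arn:partition:iam:region:account:[/]role/<path>/<name>' strictly.

    Raises ValueError for anything that is not a well-formed IAM role ARN.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if service != "iam":
        raise ValueError(f"not an IAM ARN: {arn!r}")
    # Assumption: tolerate the leading '/' seen in the report's ARNs.
    resource = resource.lstrip("/")
    rtype, sep, rest = resource.partition("/")
    if rtype != "role" or not sep or not rest:
        raise ValueError(f"not a role resource: {arn!r}")
    # Everything before the last '/' is the path; the remainder is the name.
    raw_path, _, name = rest.rpartition("/")
    if not name:
        raise ValueError(f"missing role name: {arn!r}")
    path = f"/{raw_path}/" if raw_path else "/"
    return RoleArn(partition, service, region, account, path, name)


def role_arn_matches(requested: str, configured: str) -> bool:
    """Strict comparison: every component, including the path, must agree."""
    try:
        return parse_role_arn(requested) == parse_role_arn(configured)
    except ValueError:
        return False


def lax_name_only_match(requested: str, configured: str) -> bool:
    """Illustrative only: compares just the trailing role name.

    This is NOT radosgw's code; it merely reproduces the symptom the report
    describes, where any ARN ending in '/role1' is accepted.
    """
    try:
        return parse_role_arn(requested).name == parse_role_arn(configured).name
    except ValueError:
        return False


# Constructed from the ARNs quoted in the report.
CONFIGURED = "arn:aws:iam:::/role/p1/p2/role1"
REPORTED_REQUESTS = [
    "arn:aws:iam:::/role/p1/p2/role1",   # the correct ARN
    "arn:aws:iam:::/role/p5/role1",      # wrong path, should be denied
    "arn:aws:iam:::/role/p3/p4/role1",   # wrong path, should be denied
    "arn:aws:iam:::/role/role1",         # no path, should be denied
]


def check_report_cases() -> dict:
    """Return {arn: (strict_result, lax_result)} for the report's four ARNs."""
    return {
        arn: (role_arn_matches(arn, CONFIGURED), lax_name_only_match(arn, CONFIGURED))
        for arn in REPORTED_REQUESTS
    }


if __name__ == "__main__":
    for arn, (strict, lax) in check_report_cases().items():
        print(f"{arn:40} strict={strict!s:5} name-only={lax}")
```

Only the first ARN should be accepted by the strict comparator; the other three are exactly the cases the reporter saw succeed, and the name-only comparator accepts all four, which is the behaviour that the report says is wrong.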