Bug #62541

open

docs: sts-AssumeRoleWithWebIdentity does not work for tenanted roles

Added by Guenter Sandner 9 months ago. Updated 7 months ago.

Status: Triaged
Priority: Normal
Target version: -
% Done: 0%
Tags: sts tenant
Regression: No
Severity: 3 - minor

Description

Having two roles that use the same assume-role-policy-document, defined like this:

# create non-tenanted role
radosgw-admin role create --role-name='devS3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'

# create tenanted role
radosgw-admin role create --tenant tenant1 --role-name='tenant1S3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'

Calling "sts assume-role-with-web-identity" works for the non-tenanted role "devS3Access", but not for the tenanted role "tenant1S3Access":

[root@rook-ceph-tools-855599bf84-wpwhr /]# aws --endpoint=http://$AWS_HOST:$PORT  sts assume-role-with-web-identity \
>   --role-arn 'arn:aws:iam::tenant1:role/S3Access' \
>   --role-session-name 'tenant1S3Access' \
>   --web-identity-token "${ID_TOKEN_DEV}" \
>   --duration-seconds 3600 >tenant1_secrets || echo FAILED

An error occurred (Unknown) when calling the AssumeRoleWithWebIdentity operation: Unknown

In the logs we can see this for the non-tenanted role:

debug 2023-08-22T11:28:14.541+0000 7f2b2359c700 10 req 18142818711300298359 0.000000000s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (requested=0x1, cached=0x7)

but this for the tenanted role:

debug 2023-08-22T11:23:44.114+0000 7f2b78646700 10 req 13090842789017334974 0.001000009s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+tenant1oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (negative entry)
debug 2023-08-22T11:23:44.114+0000 7f2b78646700  0 req 13090842789017334974 0.001000009s sts:assume_role_web_identity Couldn't get oidc provider info using input isshttp://192.168.100.69:9080/realms/aurora-dev
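The two log lines above differ only in the tenant prefix of the OIDC meta object being looked up (`oidc_url.<issuer>` versus `tenant1oidc_url.<issuer>`), and the tenanted lookup returns a negative cache entry. The following added diagnostic (not part of the bug report or of Ceph) scans rgw log lines for these `sts:assume_role_web_identity` cache lookups and reports, per lookup, the tenant prefix, the issuer and whether the provider object was found; it assumes the `<zone>.rgw.meta+oidc+<tenant>oidc_url.<issuer>` name layout visible in the quoted lines and runs on a constructed sample copied from them.

```shell
#!/bin/sh
# Added diagnostic for rgw logs: list OIDC-provider cache lookups made by
# sts:assume_role_web_identity and flag those that hit a negative entry.
# Assumed meta object name layout (taken from the log lines in the report):
#   <zone>.rgw.meta+oidc+<tenant>oidc_url.<issuer>   (tenant may be empty)

# Constructed sample input mirroring the two lookups quoted in the report.
SAMPLE_LOG='debug 2023-08-22T11:28:14.541+0000 7f2b2359c700 10 req 18142818711300298359 0.000000000s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (requested=0x1, cached=0x7)
debug 2023-08-22T11:23:44.114+0000 7f2b78646700 10 req 13090842789017334974 0.001000009s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+tenant1oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (negative entry)'

# oidc_lookups: reads log lines on stdin, prints one line per lookup:
#   "<tenant or (none)> <issuer> <found|MISSING>"
oidc_lookups() {
    grep 'sts:assume_role_web_identity cache get: name=' |
    # Split the object name into tenant prefix, issuer and cache result,
    # joined with '|' so that an empty tenant field survives the read below.
    sed -n 's/.*name=[^+]*+oidc+\(.*\)oidc_url\.\([^ ]*\) : hit (\(.*\))$/\1|\2|\3/p' |
    while IFS='|' read -r tenant issuer result; do
        [ -z "$tenant" ] && tenant='(none)'
        case "$result" in
            *negative*) state=MISSING ;;   # provider object not found
            *)          state=found ;;
        esac
        printf '%s %s %s\n' "$tenant" "$issuer" "$state"
    done
}

# missing_oidc_providers: prints "<tenant> <issuer>" for every lookup that
# hit a negative entry, i.e. the provider is not registered under that tenant.
missing_oidc_providers() {
    oidc_lookups | grep ' MISSING$' | cut -d' ' -f1,2
}

# Demonstration on the constructed sample; on a live system pipe the rgw
# log (e.g. from the rgw container) into missing_oidc_providers instead.
printf '%s\n' "$SAMPLE_LOG" | missing_oidc_providers
```

For the sample this prints `tenant1 192.168.100.69:9080/realms/aurora-dev`, the tenant and issuer for which the cache lookup came back negative.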
