Ceph » rgw

calling create_role() in boto3 with the following policy:

assume_role_policy = json.dumps({                                              
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Allow',
        'Action': 'sts:AssumeRole',                                            
        'Principal': {'AWS': 'arn:aws:iam::1234:user/Nobody'}
        }]
    })
iam_root.create_role(RoleName='s3-tests-R1', Path='/', AssumeRolePolicyDocument=assume_role_policy)

fails with:

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: At character offset 11, Invalid value.

debug logs of the POST data show it in url-encoded form:

2024-01-26T09:42:29.956-0500 7f1fea1f76c0 10 req 429955753714953901 0.000000000s Content of POST: Action=CreateRole&Version=2010-05-08&RoleName=s3-tests-R1&Path=%2F&AssumeRolePolicyDocument=%7B%22Version%22%3A+%222012-10-17%22%2C+%22Statement%22%3A+%5B%7B%22Effect%22%3A+%22Allow%22%2C+%22Action%22%3A+%22sts%3AAssumeRole%22%2C+%22Principal%22%3A+%7B%22AWS%22%3A+%22arn%3Aaws%3Aiam%3A%3A1234%3Auser%2FNobody%22%7D%7D%5D%7D

but policy parsing sees plus signs instead of spaces:

2024-01-26T09:42:29.956-0500 7f1fea1f76c0  5 req 429955753714953901 0.000000000s iam:create_role failed to parse policy '{"Version":+"2012-10-17",+"Statement":+[{"Effect":+"Allow",+"Action":+"sts:AssumeRole",+"Principal":+{"AWS":+"arn:aws:iam::1234:user/Nobody"}}]}' with: At character offset 11, Invalid value.

all of the existing CreateRole test cases in s3-tests are sending policies without any spaces, presumably to work around this bug

for PutUserPolicy, RGWPutUserPolicy::get_params() calls url_decode() again with in_query=true to fix the spaces:

policy = url_decode(s->info.args.get("PolicyDocument"), true);