Project

General

Profile

Bug #44527

radosgw sts assumerole error

Added by Chris Durham 4 months ago. Updated 3 months ago.

Status:
Duplicate
Priority:
Normal
Target version:
% Done:

0%

Source:
Tags:
sts
Backport:
nautilus
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

using radosgw 15.1.0 from prebuilt el8 (centos) octpus rpms at http://download.ceph.com/rpm-octopus/el8/x86_64/ceph-radosgw-15.1.0-0.el8.x86_64.rpm

Normal s3 access works fine for a given user. But when using sts to assume a role, I get 'InvalidArgument" in the aws response. I am using aws-cli/1.18.16 Python/3.6.8 Botocore/1.15.16, on cent8.1

I have a role created with an assume-role-policy-doc that includes my own user as someone who can assume the role. There is also an access policy set for the role. My standard creds work fine for s3 operations, and are set in my awscli config as well as in my boto3 code in my test below

For the cli:

aws --debug sts --asuume-role --role-arn 'arn:aws:iam:::role/rolename' --role-session='sessname' --region=''

gives <Error><Code>InvalidArgument</Code>.....</Error> in the aws response.

The exact same error occurs with boto3 and:

assume_role_obj = sts_client.assume_role(RoleArn='arn:aws:iam:::role/rolename', RoleSessionName='SessName')

I have in ceph.conf

rgw sts key = abcdefghijklmnop
rgw s3 auth use sts = true

If I replace the RoleArn with a bogus one, I get 'NoSuchEntity' in the error response instead of 'InvalidArgument'

Setting rgw debug = 20, the sts errors in the rgw log file have:

sts:assume_role executing
ERROR: one of role arn or role session name is empty
sts:assume_role completing
sts:assume_role op status=-22

The -22 is consistent with the InvalidArgument, but I did pass in both RoleArn and RoleSessionName!!!! (The debug output shows them in the POST going out....)

Any ideas? Thanks!


Related issues

Duplicates rgw - Bug #44090: failed to set DurationSeconds in sts request Pending Backport

History

#1 Updated by Casey Bodley 4 months ago

  • Status changed from New to Triaged
  • Assignee set to Pritha Srivastava
  • Tags set to sts
  • Backport set to nautilus

#3 Updated by Chris Durham 4 months ago

Pritha Srivastava wrote:

This PR is missing: https://github.com/ceph/ceph/pull/31661

Thanks. The el8 rpms at http://download.ceph.com/rpm-octopus/el8/x86_64/ are dated 2020-01-30, which is consistent with the fix being committed later than that date, and as such the rpm doesn't have the patch

Any expectation as to the next rpm build for octopus/el8? Thanks

#4 Updated by Pritha Srivastava 4 months ago

@Casey: The PR is present in upstream Octopus branch.

#5 Updated by Casey Bodley 3 months ago

  • Duplicates Bug #44090: failed to set DurationSeconds in sts request added

#6 Updated by Casey Bodley 3 months ago

  • Status changed from Triaged to Duplicate

Thanks Pritha!

Also available in: Atom PDF