Bug #45671

closed

aws iam get-role-policy doesn't work

Added by Chris Durham almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Target version:
% Done: 0%
Source: Community (user)
Tags: sts
Backport: nautilus octopus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Using 15.2.1 on CentOS 8.

With rgw and the aws cli, I can successfully create a role using the creds of a user who has caps: type=roles, perms=*

aws iam create-role --role-name testrole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/*"]},"Action":["sts:AssumeRole"]}]}'

The role shows up with radosgw-admin

I then add a policy with:

aws iam put-role-policy --role-name testrole --policy-name p1 --policy-doc '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}'

Again, the policy document just added shows up with radosgw-admin.

However, I cannot retrieve the policy document with get-role-policy. When running:

aws iam get-role-policy --role-name testrole --policy-name p1

the PolicyDocument field of the response object is missing, although "RoleName": "testrole" and "PolicyName": "p1" are there and printed out.

Using aws --debug with get-role-policy I see:

b'<GetRolePolicyResponse><ResponseMetadata><RequestId>tx00000000000000000000a-005eca0b89-281ab-cbdzone</RequestId></ResponseMetadata><GetRolePolicyResult><PolicyName>p1</PolicyName><RoleName>testrole</RoleName><Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}</Permission_policy></GetRolePolicyResult></GetRolePolicyResponse>'

Doing the exact same steps on AWS proper, I get the following result with --debug on get-role-policy:

b'<GetRolePolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">\n <GetRolePolicyResult>\n <PolicyDocument>%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3A%2A%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3A%2A%22%7D%5D%7D</PolicyDocument>\n <PolicyName>p1</PolicyName>\n <RoleName>testrole</RoleName>\n </GetRolePolicyResult>\n <ResponseMetadata>\n <RequestId>5d185811-ac34-4a61-af76-0854a07705fe</RequestId>\n </ResponseMetadata>\n</GetRolePolicyResponse>\n'

This of course returns the policy document in the response object on AWS.

The result is that I can create or modify the policy document on ceph, but cannot retrieve it to verify what I should be changing!

What the ceph vs AWS responses seem to show is that perhaps there is an encoding problem, the xml ns not being explicit in the ceph response, or perhaps the aws cli doesn't understand <Permission_Policy> in the ceph response.

I understand that the aws api isn't fully implemented, but if you allow a user to create a role and set a policy on the role, you should allow retrieval as well.
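
The two debug captures above differ in three ways: the element name (`Permission_policy` vs `PolicyDocument`), the encoding of its body (raw JSON vs URL-encoded JSON), and the presence of the IAM `xmlns`. The following script is an added example, not code from the report or from rgw: it parses both captured responses (embedded here as constructed inputs, whitespace collapsed) the way a client that follows the IAM API shape would, showing that the rgw response yields no `PolicyDocument`, and then builds a response in the shape the AWS CLI decodes. Matching result children by local name (so a missing `xmlns` is tolerated), the `IAM_NS` constant taken from the AWS capture, and the helper names are assumptions of this example.

```python
import json
import urllib.parse
import xml.etree.ElementTree as ET

# Namespace as declared in the AWS capture above (assumed as the IAM default namespace).
IAM_NS = "https://iam.amazonaws.com/doc/2010-05-08/"

# Constructed inputs: the two GetRolePolicy responses quoted in the report,
# whitespace collapsed.  Neither was captured by this script.
RGW_RESPONSE = (
    "<GetRolePolicyResponse><ResponseMetadata><RequestId>"
    "tx00000000000000000000a-005eca0b89-281ab-cbdzone</RequestId></ResponseMetadata>"
    "<GetRolePolicyResult><PolicyName>p1</PolicyName><RoleName>testrole</RoleName>"
    '<Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}</Permission_policy>'
    "</GetRolePolicyResult></GetRolePolicyResponse>"
)

AWS_RESPONSE = (
    '<GetRolePolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">'
    "<GetRolePolicyResult><PolicyDocument>"
    "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A"
    "%22Allow%22%2C%22Action%22%3A%5B%22s3%3A%2A%22%5D%2C%22Resource%22%3A"
    "%22arn%3Aaws%3As3%3A%3A%3A%2A%22%7D%5D%7D</PolicyDocument>"
    "<PolicyName>p1</PolicyName><RoleName>testrole</RoleName></GetRolePolicyResult>"
    "<ResponseMetadata><RequestId>5d185811-ac34-4a61-af76-0854a07705fe</RequestId>"
    "</ResponseMetadata></GetRolePolicyResponse>"
)

EXPECTED_RESULT_FIELDS = {"RoleName", "PolicyName", "PolicyDocument"}


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _result_fields(xml_text):
    """Children of GetRolePolicyResult keyed by local element name."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) == "GetRolePolicyResult":
            fields = {_local(child.tag): child.text for child in elem}
    return fields


def parse_get_role_policy(xml_text):
    """Read the response like an IAM client: pick RoleName/PolicyName/PolicyDocument
    by local name, URL-decode and JSON-decode PolicyDocument when present.
    Any other element name is ignored, so the rgw capture yields no document."""
    fields = _result_fields(xml_text)
    parsed = {"RoleName": fields.get("RoleName"), "PolicyName": fields.get("PolicyName")}
    if "PolicyDocument" in fields:
        parsed["PolicyDocument"] = json.loads(urllib.parse.unquote(fields["PolicyDocument"]))
    return parsed


def unexpected_result_fields(xml_text):
    """Element names inside GetRolePolicyResult that are not part of the IAM schema."""
    return sorted(set(_result_fields(xml_text)) - EXPECTED_RESULT_FIELDS)


def build_get_role_policy_response(role_name, policy_name, policy_doc, request_id):
    """Emit the shape the AWS capture has: IAM namespace declared, a PolicyDocument
    element, and the JSON body URL-encoded.  Hypothetical helper, not rgw code."""
    root = ET.Element("GetRolePolicyResponse", xmlns=IAM_NS)
    result = ET.SubElement(root, "GetRolePolicyResult")
    ET.SubElement(result, "PolicyDocument").text = urllib.parse.quote(
        json.dumps(policy_doc, separators=(",", ":")), safe="")
    ET.SubElement(result, "PolicyName").text = policy_name
    ET.SubElement(result, "RoleName").text = role_name
    meta = ET.SubElement(root, "ResponseMetadata")
    ET.SubElement(meta, "RequestId").text = request_id
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, body in (("rgw", RGW_RESPONSE), ("aws", AWS_RESPONSE)):
        print(label, parse_get_role_policy(body), "unexpected:", unexpected_result_fields(body))
    doc = parse_get_role_policy(AWS_RESPONSE)["PolicyDocument"]
    rebuilt = build_get_role_policy_response("testrole", "p1", doc, "req-1")
    print("rebuilt", parse_get_role_policy(rebuilt))
```

Running it against a live endpoint is a matter of replacing the constructed strings with the body from `aws --debug`; the `unexpected_result_fields` check is the quickest way to tell whether a gateway is emitting an element name the client will never look for.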


Related issues (2: 0 open, 2 closed)

Copied to rgw - Backport #46475: octopus: aws iam get-role-policy doesn't work (Resolved, Nathan Cutler)
Copied to rgw - Backport #46476: nautilus: aws iam get-role-policy doesn't work (Resolved, Nathan Cutler)
#1

Updated by Casey Bodley almost 4 years ago

  • Assignee set to Pritha Srivastava
  • Tags set to sts
#3

Updated by Casey Bodley almost 4 years ago

  • Status changed from New to Fix Under Review
  • Backport set to nautilus octopus
  • Pull request ID set to 35409
#4

Updated by J. Eric Ivancich almost 4 years ago

  • Status changed from Fix Under Review to Pending Backport
#5

Updated by Nathan Cutler almost 4 years ago

  • Copied to Backport #46475: octopus: aws iam get-role-policy doesn't work added
#6

Updated by Nathan Cutler almost 4 years ago

  • Copied to Backport #46476: nautilus: aws iam get-role-policy doesn't work added
#7

Updated by Nathan Cutler over 3 years ago

  • Status changed from Pending Backport to Resolved

While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".
