Bug #45671 (closed): aws iam get-role-policy doesn't work
Description
Using 15.2.1 on CentOS 8.
With RGW and the aws cli, I can successfully create a role using the creds of a user who has caps: type=roles, perms=*
aws iam create-role --role-name testrole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/*"]},"Action":["sts:AssumeRole"]}]}'
The role shows up with radosgw-admin.
I then add a policy with:
aws iam put-role-policy --role-name testrole --policy-name p1 --policy-doc '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}'
Again, the policy document just added shows up with radosgw-admin.
However, I cannot retrieve the policy document with get-role-policy. When running:
aws iam get-role-policy --role-name testrole --policy-name p1
the PolicyDocument field of the response object is missing, although "RoleName": "testrole" and "PolicyName": "p1" are there and printed out.
Using aws --debug with get-role-policy, I see:
b'<GetRolePolicyResponse><ResponseMetadata><RequestId>tx00000000000000000000a-005eca0b89-281ab-cbdzone</RequestId></ResponseMetadata><GetRolePolicyResult><PolicyName>p1</PolicyName><RoleName>testrole</RoleName><Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}</Permission_policy></GetRolePolicyResult></GetRolePolicyResponse>'
Doing the exact same steps on AWS proper, I get the following result with --debug on get-role-policy:
b'<GetRolePolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">\n <GetRolePolicyResult>\n <PolicyDocument>%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22s3%3A%2A%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3A%2A%22%7D%5D%7D</PolicyDocument>\n <PolicyName>p1</PolicyName>\n <RoleName>testrole</RoleName>\n </GetRolePolicyResult>\n <ResponseMetadata>\n <RequestId>5d185811-ac34-4a61-af76-0854a07705fe</RequestId>\n </ResponseMetadata>\n</GetRolePolicyResponse>\n'
This of course returns the policy document in the response object on AWS.
The result is that I can create or modify the policy document on Ceph, but cannot retrieve it to verify what I should be changing!
What the Ceph vs AWS responses seem to show is that perhaps there is an encoding problem, the XML namespace not being explicit in the Ceph response, or perhaps the aws cli doesn't understand <Permission_policy> in the Ceph response.
I understand that the AWS API isn't fully implemented, but if you allow a user to create a role and set a policy on the role, you should allow retrieval as well.
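The mismatch described in this report, as an added example that is not part of the bug report or of Ceph: a small Python parser that reads a GetRolePolicy response the way an IAM client does (GetRolePolicyResult/PolicyDocument, URL-encoded JSON, namespace optional), run over the two captured responses above. It shows why no PolicyDocument comes back for the RGW response and flags the element the client does not know; the function and constant names are mine.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Both responses are the ones captured with `aws --debug` in the report above.
CEPH_RESPONSE = (
    b'<GetRolePolicyResponse><ResponseMetadata><RequestId>tx00000000000000000000a-005eca0b89-281ab-cbdzone'
    b'</RequestId></ResponseMetadata><GetRolePolicyResult><PolicyName>p1</PolicyName><RoleName>testrole'
    b'</RoleName><Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],'
    b'"Resource":"arn:aws:s3:::*"}]}</Permission_policy></GetRolePolicyResult></GetRolePolicyResponse>'
)
AWS_RESPONSE = (
    b'<GetRolePolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">\n <GetRolePolicyResult>\n'
    b' <PolicyDocument>%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow'
    b'%22%2C%22Action%22%3A%5B%22s3%3A%2A%22%5D%2C%22Resource%22%3A%22arn%3Aaws%3As3%3A%3A%3A%2A%22%7D%5D%7D'
    b'</PolicyDocument>\n <PolicyName>p1</PolicyName>\n <RoleName>testrole</RoleName>\n </GetRolePolicyResult>\n'
    b' <ResponseMetadata>\n <RequestId>5d185811-ac34-4a61-af76-0854a07705fe</RequestId>\n </ResponseMetadata>\n'
    b'</GetRolePolicyResponse>\n'
)
# The policy that was stored with put-role-policy, i.e. what a read-back must return.
EXPECTED_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":"arn:aws:s3:::*"}]}'
)

def _local(tag):
    """Strip a namespace prefix so tags match whether or not xmlns is declared."""
    return tag.rsplit('}', 1)[-1]

def parse_get_role_policy(xml_bytes):
    """Read GetRolePolicyResult like an IAM client: only RoleName, PolicyName and
    PolicyDocument (URL-encoded JSON) are understood; anything else is reported."""
    root = ET.fromstring(xml_bytes)
    result = next(c for c in root if _local(c.tag) == 'GetRolePolicyResult')
    fields = {_local(c.tag): c for c in result}
    known = {'RoleName', 'PolicyName', 'PolicyDocument'}
    parsed = {
        'RoleName': fields['RoleName'].text,
        'PolicyName': fields['PolicyName'].text,
        'PolicyDocument': None,          # stays None when the element is absent
        'UnknownElements': sorted(set(fields) - known),
    }
    if 'PolicyDocument' in fields:
        parsed['PolicyDocument'] = json.loads(unquote(fields['PolicyDocument'].text))
    return parsed

def policy_readback_ok(xml_bytes, expected_policy):
    """The verification step the reporter wanted: does the read-back match what was put?"""
    return parse_get_role_policy(xml_bytes)['PolicyDocument'] == expected_policy

if __name__ == '__main__':
    for name, resp in (('ceph', CEPH_RESPONSE), ('aws', AWS_RESPONSE)):
        print(name, parse_get_role_policy(resp), policy_readback_ok(resp, EXPECTED_POLICY))
```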