
Bug #47327

STS AssumeRole API get 400 response

Added by lee jia 13 days ago. Updated 7 days ago.

Status: New
Priority: Normal
Target version:
% Done: 0%
Source: Q/A
Tags: sts
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: ceph-ansible
Pull request ID:
Crash signature:

Description

```java
import java.util.ArrayList;
import org.json.simple.JSONObject;   // toJSONString() is the json-simple API
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

// Placeholders: the report does not show how endpointUrl and credentials were built
String endpointUrl = "http://RGW_HOST:PORT";
AWSCredentials credentials = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY");

AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(credentials)).withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpointUrl, "us-east-1")).build();

// Inline session policy: allow all S3 actions on all buckets
JSONObject jsonObject = new JSONObject();
jsonObject.put("Version", "2012-10-17");
ArrayList<JSONObject> list = new ArrayList<>();
JSONObject jsonObject1 = new JSONObject();
jsonObject1.put("Effect", "Allow");
jsonObject1.put("Action", "s3:*");
ArrayList<String> list1 = new ArrayList<>();
list1.add("arn:aws:s3:::*");
jsonObject1.put("Resource", list1);
list.add(jsonObject1);
jsonObject.put("Statement", list);
String policy = jsonObject.toJSONString();
System.out.println(policy);

// AssumeRole call that gets the 400 InvalidArgument response below
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn("arn:aws:iam:::role/S3Access3").withRoleSessionName("Viewers").withPolicy(policy);
AssumeRoleResult assumeRoleResult = sts_client.assumeRole(assumeRoleRequest);
System.out.println(assumeRoleResult.getCredentials().getAccessKeyId() + "---" + assumeRoleResult.getCredentials().getSecretAccessKey() + "---" + assumeRoleResult.getCredentials().getSessionToken());
```

Got response:
HTTP/1.1 400 Bad Request
Content-Length: 188
x-amz-request-id: tx000000000000000000017-005f54dca0-3736-default
Accept-Ranges: bytes
Content-Type: application/xml
Date: Sun, 06 Sep 2020 12:57:04 GMT
Connection: Keep-Alive

<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><RequestId>tx000000000000000000017-005f54dca0-3736-default</RequestId><HostId>3736-default-default</HostId></Error>

Checking the radosgw log, I got:

2020-09-06T21:16:41.136+0800 7f9b5aa13700  0 ERROR: Invalid secret key
2020-09-06T21:16:41.136+0800 7f9b5aa13700  1 ====== req done req=0x7f9b5aa0b070 op status=-22 http_status=400 latency=0.013999833s ======
2020-09-06T21:16:41.137+0800 7f9b5aa13700  1 civetweb: 0x55783d1ac000: 10.4.6.13 - - [06/Sep/2020:21:16:41 +0800] "POST / HTTP/1.1" 400 394 - Boto3/1.14.47 Python/2.7.5 Linux/3.10.0-1127.13.1.el7.x86_64 Botocore/1.17.47

History

#1 Updated by Casey Bodley 9 days ago

  • Assignee set to Pritha Srivastava
  • Tags set to sts

#2 Updated by Pritha Srivastava 8 days ago

The invalid secret key error happens when rgw sts key is not set or is incorrect. The two configurables are needed to enable and use STS in RGW:
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true

rgw sts key should be 16 characters in length, like abcdefghijklmnop
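
A pre-deployment check for the two settings named above, added here as an example and not code from the bug report or from Ceph: it parses a ceph.conf fragment and flags a missing or wrong-length rgw sts key (the cause of the "Invalid secret key" / 400 InvalidArgument in this report) and a disabled rgw s3 auth use sts. The two fragments and the section name client.rgw.gateway are constructed for the example.

```python
import configparser
import re

STS_KEY_LEN = 16  # length requested in comment #2 (e.g. abcdefghijklmnop)

# Constructed ceph.conf fragments (not from the bug report); section name is made up.
CEPH_CONF_BROKEN = """
[client.rgw.gateway]
rgw_frontends = civetweb port=8000
rgw s3 auth use sts = false
"""

CEPH_CONF_OK = """
[global]
rgw sts key = abcdefghijklmnop
[client.rgw.gateway]
rgw_frontends = civetweb port=8000
rgw s3 auth use sts = true
"""

def _normalize(name: str) -> str:
    # ceph.conf accepts "rgw sts key" and "rgw_sts_key" for the same option
    return re.sub(r"[\s_]+", "_", name.strip().lower())

def _opt(parser: configparser.ConfigParser, section: str, name: str):
    # an rgw section overrides [global]; fall back to [global] like the daemon does
    for sec in (section, "global"):
        if parser.has_section(sec) and parser.has_option(sec, name):
            return parser.get(sec, name)
    return None

def check_rgw_sts_config(conf_text: str) -> list:
    """Return the problems that make RGW reject AssumeRole; empty list means OK."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = _normalize  # compare option names in one spelling
    parser.read_string(conf_text)
    sections = [s for s in parser.sections() if s.startswith("client.rgw")]
    if not sections:
        return ["no [client.rgw*] section found"]
    problems = []
    for section in sections:
        key = _opt(parser, section, "rgw_sts_key")
        if key is None:
            problems.append(f"{section}: rgw sts key is not set")
        elif len(key) != STS_KEY_LEN:
            problems.append(f"{section}: rgw sts key must be {STS_KEY_LEN} chars, got {len(key)}")
        if (_opt(parser, section, "rgw_s3_auth_use_sts") or "false").lower() != "true":
            problems.append(f"{section}: rgw s3 auth use sts is not true")
    return problems
```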

#3 Updated by lee jia 7 days ago

Pritha Srivastava wrote:

The invalid secret key error happens when rgw sts key is not set or is incorrect. The two configurables are needed to enable and use STS in RGW:
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true

rgw sts key should be 16 characters in length, like abcdefghijklmnop

Thank you so much!
