Bug #52608 (closed)

aws s3 sync does not work with sts roles, but works fine with AWS

Added by Chris Durham over 2 years ago. Updated over 2 years ago.

Status: Duplicate
Priority: Normal
Target version: -
% Done: 0%
Source: Community (user)
Regression: No
Severity: 2 - major

Description

I am using CentOS 8 with Ceph Octopus 15.2.14. I cannot 'sync' buckets using STS roles on Ceph, but it works with AWS. Here are the steps to reproduce:

1. b1-user1 and b2-user1 are buckets owned and created by user1

2. user1-wtr is a role defined as follows:

a. user2 is a user in the AssumeRolePolicyDocument
b. user1-wtr has a role policy called S3_ReadWrite_Policy which allows read/write to the resources in the policy
c. both b1-user1 and b2-user1 are buckets listed in the resources of the policy S3_ReadWrite_Policy

3. user2 assumes the role user1-wtr, and writes multiple objects to bucket b1-user1. This works.

4. user2 runs the following awscli command, while still having the role credentials in its environment:

$ aws s3 sync s3://b1-user1 s3://b2-user1

This gives the following error:

copy failed: s3://b1-user1/file1 to s3://b2-user1/file1 An error (AccessDenied) when calling the CopyObject operation: Unknown
copy failed: s3://b1-user1/file2 to s3://b2-user1/file2 An error (AccessDenied) when calling the CopyObject operation: Unknown
...

Copying a file directly to bucket b2-user1 works fine.

Is Ceph not passing on role credentials? Again, this works fine with real AWS.

The role definition is in role.json

The role policy is in policy.json

Note that the policy has "Principal" as per: https://tracker.ceph.com/issues/52302

The native AWS specifics of the role and policy do of course include the account number where appropriate, and do not include the 'Principal' key in the policy.

Note: I see https://tracker.ceph.com/issues/51442 which I think may be related. It has a pull request at: https://github.com/ceph/ceph/pull/37866 but this bug persists.

If I have missed something, either in the writeup or in something I should have done to reproduce, please advise, thanks.
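Before attributing an AccessDenied on CopyObject to RGW's handling of STS credentials, it is worth confirming that the role policy itself grants everything a server-side copy needs from the caller: s3:ListBucket on both buckets (sync lists them to compare), s3:GetObject on the source object and s3:PutObject on the destination object. A policy that only grants writes to the destination produces exactly the symptom in this report (direct PUT works, copy fails), so ruling that out first is useful. The following is an added example, not code from this report or from Ceph: a minimal IAM-style policy evaluator run over two constructed policies. The reporter's attached policy.json is not reproduced on the page, so S3_READ_WRITE_POLICY is a constructed approximation of what the description states (including the "Principal" key per tracker.ceph.com/issues/52302), and the principal ARN and statement names are assumptions. Condition, NotAction and NotResource are not modelled.

```python
import json
import re

# Constructed sample policy for this example, not the reporter's attached policy.json.
# It models what the description states: read/write on b1-user1 and b2-user1, with the
# "Principal" key that tracker.ceph.com/issues/52302 says RGW expects in a role policy.
# The principal ARN is an assumption.
S3_READ_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3ReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/user2"]},
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [
            "arn:aws:s3:::b1-user1", "arn:aws:s3:::b1-user1/*",
            "arn:aws:s3:::b2-user1", "arn:aws:s3:::b2-user1/*",
        ],
    }],
})

# Constructed contrast case: a policy that grants writes to the destination bucket only.
# A direct PUT to b2-user1 succeeds with it, yet a server-side copy from b1-user1 fails,
# because CopyObject also needs s3:GetObject on the source object.
DEST_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/user2"]},
        "Action": ["s3:PutObject"],
        "Resource": ["arn:aws:s3:::b2-user1/*"],
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy_json, action, resource):
    """Decide one (action, resource) pair against a policy document.

    Simplified IAM semantics: an explicit Deny wins over any Allow; with no matching
    statement the result is 'ImplicitDeny'. Condition, NotAction and NotResource are
    not modelled, so a policy using them must be checked by hand.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not any(_iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def sync_permissions(policy_json, src_bucket, dst_bucket, key):
    """The grants 'aws s3 sync s3://src s3://dst' needs for one object when the copy is
    performed server-side (CopyObject): list both buckets, read the source object,
    write the destination object."""
    return {
        f"s3:ListBucket on {src_bucket}": evaluate(policy_json, "s3:ListBucket", f"arn:aws:s3:::{src_bucket}"),
        f"s3:ListBucket on {dst_bucket}": evaluate(policy_json, "s3:ListBucket", f"arn:aws:s3:::{dst_bucket}"),
        f"s3:GetObject on {src_bucket}/{key}": evaluate(policy_json, "s3:GetObject", f"arn:aws:s3:::{src_bucket}/{key}"),
        f"s3:PutObject on {dst_bucket}/{key}": evaluate(policy_json, "s3:PutObject", f"arn:aws:s3:::{dst_bucket}/{key}"),
    }


def missing_grants(policy_json, src_bucket, dst_bucket, key):
    """Names of the grants the policy does not give. An empty list means the policy
    is not the reason for an AccessDenied on CopyObject, and the gateway's own
    handling of the role credentials is the next thing to look at."""
    return [name for name, decision in sync_permissions(policy_json, src_bucket, dst_bucket, key).items()
            if decision != "Allow"]


if __name__ == "__main__":
    for name, policy in (("S3_ReadWrite_Policy", S3_READ_WRITE_POLICY), ("dest-only policy", DEST_ONLY_POLICY)):
        gaps = missing_grants(policy, "b1-user1", "b2-user1", "file1")
        print(f"{name}: {'all grants present' if not gaps else 'missing ' + ', '.join(gaps)}")
```

With the read/write policy every grant is present, so a failing CopyObject under the assumed-role credentials cannot be explained by the policy document, which matches the related ticket #47809 on server-side copy with STS credentials. With the destination-only policy the evaluator reports the missing s3:GetObject on the source object and the two s3:ListBucket grants, the pattern to expect when the policy, not the gateway, is at fault.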


Files

role.json (671 Bytes): role definition with AssumeRolePolicyDocument with 'user2' able to assume the role. Chris Durham, 09/14/2021 04:10 PM
policy.json (844 Bytes): policy allowing read/write to two buckets for those that assume the role. Chris Durham, 09/14/2021 04:11 PM

Related issues (1; 0 open, 1 closed)

Is duplicate of rgw - Bug #47809: Cannot perform server-side copy using STS credentials. Status: Resolved. Assignee: Pritha Srivastava
