Bug #58547

open

?Action=ListRoles endpoint json response incorrectly formatted

Added by Pere Díaz Bou over 1 year ago. Updated about 1 year ago.

Status: Need More Info
Priority: Normal
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

After creating 2 dummy roles and trying to retrieve the list of roles through the S3 api, the list of roles was inadequately formatted. The roles were created following the docs:

radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
radosgw-admin role create --role-name=S3Access2 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

After calling the endpoint the response received was unexpectedly transformed:
RAW response:

b'[[{"member":{"RoleId":"904622a9-62d2-4e3a-b996-1db6d81991a2","RoleName":"S3Access2","Path":"/application_abc/component_xyz/","Arn":"arn:aws:iam:::role/application_abc/component_xyz/S3Access2","CreateDate":"2023-01-23T08:46:07.624Z","MaxSessionDuration":3600,"AssumeRolePolicyDocument":"{\\"Version\\":\\"2012-10-17\\",\\"Statement\\":[{\\"Effect\\":\\"Allow\\",\\"Principal\\":{\\"AWS\\":[\\"arn:aws:iam:::user/TESTER\\"]},\\"Action\\":[\\"sts:AssumeRole\\"]}]}"*},"member*":{"RoleId":"67691833-c6ab-4172-bff1-9deb176a486f","RoleName":"S3Access1","Path":"/application_abc/component_xyz/","Arn":"arn:aws:iam:::role/application_abc/component_xyz/S3Access1","CreateDate":"2023-01-23T08:45:49.729Z","MaxSessionDuration":3600,"AssumeRolePolicyDocument":"{\\"Version\\":\\"2012-10-17\\",\\"Statement\\":[{\\"Effect\\":\\"Allow\\",\\"Principal\\":{\\"AWS\\":[\\"arn:aws:iam:::user/TESTER\\"]},\\"Action\\":[\\"sts:AssumeRole\\"]}]}"}}],{"RequestId":"tx0000034b8fd6de729452c-0063ce4d91-1175-default"}]'

After calling json.loads on the response:

[[{'member': {'RoleId': '67691833-c6ab-4172-bff1-9deb176a486f', 'RoleName': 'S3Access1', 'Path': '/application_abc/component_xyz/', 'Arn': 'arn:aws:iam:::role/application_abc/component_xyz/S3Access1', 'CreateDate': '2023-01-23T08:45:49.729Z', 'MaxSessionDuration': 3600, 'AssumeRolePolicyDocument': '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}'}}], {'RequestId': 'tx0000034b8fd6de729452c-0063ce4d91-1175-default'}]

If you look closely at the RAW response you'll find the second "member" object doesn't have a preceding "{".
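The collapse described above, as an added example that is not part of the ticket or of Ceph's code: Python's json.loads accepts an object with a repeated key and keeps only the last value, so a role inventory or audit built on it silently loses a role. The sample body is constructed (shortened from the raw response, with placeholder ids), and the function names are hypothetical.

```python
import json

# Constructed sample: same shape as the raw response in the report, shortened,
# with placeholder RoleId/RequestId values. "member" appears twice in one object.
SAMPLE = (b'[[{"member":{"RoleId":"id-2","RoleName":"S3Access2"},'
          b'"member":{"RoleId":"id-1","RoleName":"S3Access1"}}],'
          b'{"RequestId":"tx-constructed"}]')


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def reject_duplicates(pairs):
    # object_pairs_hook receives every (key, value) pair of one object in order,
    # before dict construction would collapse repeated keys.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r} in JSON object")
        seen[key] = value
    return seen


def keep_all(pairs):
    # Objects with unique keys become dicts; objects with repeated keys are
    # returned as the raw list of (key, value) tuples so nothing is dropped.
    keys = [k for k, _ in pairs]
    return dict(pairs) if len(keys) == len(set(keys)) else list(pairs)


def collect_role_names(node):
    # Walk dicts, lists and (key, value) tuples, gathering every RoleName.
    if isinstance(node, dict):
        found = [node["RoleName"]] if "RoleName" in node else []
        return found + [n for v in node.values() for n in collect_role_names(v)]
    if isinstance(node, (list, tuple)):
        return [n for item in node for n in collect_role_names(item)]
    return []


def lenient_names(body):
    return collect_role_names(json.loads(body))  # default: last key wins


def all_names(body):
    return collect_role_names(json.loads(body, object_pairs_hook=keep_all))


def strict_loads(body):
    return json.loads(body, object_pairs_hook=reject_duplicates)
```

A client that must not miss roles can parse with strict_loads and treat DuplicateKeyError as a malformed response instead of trusting the shortened list.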


Related issues 1 (0 open, 1 closed)

Has duplicate rgw - Bug #58546: ?Action=ListRoles endpoint json response incorrectly formatted (Duplicate)

Actions #1

Updated by Casey Bodley about 1 year ago

  • Has duplicate Bug #58546: ?Action=ListRoles endpoint json response incorrectly formatted added
Actions #2

Updated by Casey Bodley about 1 year ago

  • Assignee set to Pritha Srivastava
Actions #3

Updated by Pritha Srivastava about 1 year ago

Can you please be specific? Which second member are you referring to here?

Actions #4

Updated by Casey Bodley about 1 year ago

  • Status changed from New to Need More Info
Actions #5

Updated by Pere Díaz Bou about 1 year ago

If you look closely at the first list, you can see the first instance of a role starts with {"member": {"RoleId. The problem starts when you look at the second role in the same list; instead of starting the same way, it looks like:

,"member":{"RoleId":"67691833-c6ab-4172-bff1-9deb176a486f","RoleName":"S3Access1"

instead of:

,{"member":{"RoleId":"67691833-c6ab-4172-bff1-9deb176a486f","RoleName":"S3Access1"

Actions #6

Updated by Pritha Srivastava about 1 year ago

Which tool are you using to list the roles? I tried the aws iam CLI command and boto3, but neither of them gave output in the format that you have listed. I understand the issue, but I am unable to reproduce it with the tools that I have used.

aws iam list-roles --profile TESTER --endpoint-url=http://localhost:8000 --region=us-east

{
    "Roles": [
        {
            "Path": "/application_abc/component_xyz/",
            "RoleName": "S3Access1",
            "RoleId": "7e62fc63-6432-4977-856a-c5c814c90a6a",
            "Arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
            "CreateDate": "2023-02-08T07:56:35.268Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam:::user/TESTER"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/application_abc/component_xyz/",
            "RoleName": "S3Access2",
            "RoleId": "0137934d-c1da-4d26-89e6-7dee732347b9",
            "Arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access2",
            "CreateDate": "2023-02-08T07:56:44.586Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam:::user/TESTER"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}

and the o/p of boto3: {'Roles': [{'Path': '/application_abc/component_xyz/', 'RoleName': 'S3Access1', 'RoleId': '7e62fc63-6432-4977-856a-c5c814c90a6a', 'Arn': 'arn:aws:iam:::role/application_abc/component_xyz/S3Access1', 'CreateDate': datetime.datetime(2023, 2, 8, 7, 56, 35, 268000, tzinfo=tzutc()), 'AssumeRolePolicyDocument': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'AWS': ['arn:aws:iam:::user/TESTER']}, 'Action': ['sts:AssumeRole']}]}, 'MaxSessionDuration': 3600}, {'Path': '/application_abc/component_xyz/', 'RoleName': 'S3Access2', 'RoleId': '0137934d-c1da-4d26-89e6-7dee732347b9', 'Arn': 'arn:aws:iam:::role/application_abc/component_xyz/S3Access2', 'CreateDate': datetime.datetime(2023, 2, 8, 7, 56, 44, 586000, tzinfo=tzutc()), 'AssumeRolePolicyDocument': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'AWS': ['arn:aws:iam:::user/TESTER']}, 'Action': ['sts:AssumeRole']}]}, 'MaxSessionDuration': 3600}], 'ResponseMetadata': {'RequestId': 'tx00000b5189f3ff29e8f72-0063e35626-1031-default', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': 'tx00000b5189f3ff29e8f72-0063e35626-1031-default', 'content-type': 'application/xml', 'content-length': '1386', 'date': 'Wed, 08 Feb 2023 07:58:30 GMT', 'connection': 'Keep-Alive'}, 'RetryAttempts': 0}}

Actions #7

Updated by Pere Díaz Bou about 1 year ago

The issue occurs when running an HTTP request through the S3 API. To circumvent it I ran radosgw-admin commands directly.
