Bug #62541 (open)

docs: sts-AssumeRoleWithWebIdentity does not work for tenanted roles

Added by Guenter Sandner 8 months ago. Updated 7 months ago.

Status: Triaged
Priority: Normal
Target version: -
% Done: 0%
Tags: sts tenant
Regression: No
Severity: 3 - minor

Description

Having two roles that use the same assume-role policy document, defined like this:

# create non-tenanted role
radosgw-admin role create --role-name='devS3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'

# create tenanted role
radosgw-admin role create --tenant tenant1 --role-name='tenant1S3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'

Calling "sts assume-role-with-web-identity" works for the non-tenanted role "devS3Access", but not for the tenanted role "tenant1S3Access":

[root@rook-ceph-tools-855599bf84-wpwhr /]# aws --endpoint=http://$AWS_HOST:$PORT  sts assume-role-with-web-identity \
>   --role-arn 'arn:aws:iam::tenant1:role/S3Access' \
>   --role-session-name 'tenant1S3Access' \
>   --web-identity-token "${ID_TOKEN_DEV}" \
>   --duration-seconds 3600 >tenant1_secrets || echo FAILED

An error occurred (Unknown) when calling the AssumeRoleWithWebIdentity operation: Unknown

In the logs we can see this for the non-tenanted role:

debug 2023-08-22T11:28:14.541+0000 7f2b2359c700 10 req 18142818711300298359 0.000000000s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (requested=0x1, cached=0x7)

but this for the tenanted role:

debug 2023-08-22T11:23:44.114+0000 7f2b78646700 10 req 13090842789017334974 0.001000009s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+tenant1oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (negative entry)
debug 2023-08-22T11:23:44.114+0000 7f2b78646700  0 req 13090842789017334974 0.001000009s sts:assume_role_web_identity Couldn't get oidc provider info using input isshttp://192.168.100.69:9080/realms/aurora-dev

Actions #1

Updated by Guenter Sandner 8 months ago

Same issue if the correct role ARN "arn:aws:iam::tenant1:role/tenant1S3Access" is used.

Actions #2

Updated by Guenter Sandner 8 months ago

It works if the OIDC provider is also tenanted; since the ARN of the OIDC provider was specified in the assume-role policy without any tenant in it, this requirement is not obvious and also not documented.
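What the two log lines in the description show, and what the comment above confirms, is that RGW looks the OIDC provider up under the role's tenant (the `tenant1oidc_url.<issuer>` key gets a negative entry, the untenanted `oidc_url.<issuer>` key a hit), while the Federated principal ARN in the trust policy carries no tenant at all, so nothing in the policy hints at the requirement. The Python below is an added preflight check for exactly this mismatch; it is not code from Ceph or from the reporter. It parses the role ARN, derives the provider metadata key in the shape seen in the logs (the general form `<meta pool>+oidc+<tenant>oidc_url.<issuer without scheme>` is assumed from those two lines), decodes the ID token's claims without verifying the signature (diagnostics only; RGW verifies the signature against the registered provider), and evaluates the statement's Federated principal and `azp` condition against the claims. The token, the set of registered providers and the `my-store.rgw.meta` pool name are constructed for the example.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed values mirroring the ticket; nothing here talks to a cluster.
ISS = "http://192.168.100.69:9080/realms/aurora-dev"
ISS_NO_SCHEME = "192.168.100.69:9080/realms/aurora-dev"
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/" + ISS_NO_SCHEME]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {ISS_NO_SCHEME + ":azp": "aurora-api-gateway-dev"}},
    }],
})


def parse_role_arn(arn):
    """Return (tenant, role_name) from arn:aws:iam::<tenant>:role/<path><name>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "iam"] or not parts[5].startswith("role/"):
        raise ValueError("not an IAM role ARN: " + arn)
    tenant = parts[4]                                    # "" for a non-tenanted role
    name = parts[5][len("role/"):].rsplit("/", 1)[-1]    # drop the path component
    return tenant, name


def provider_cache_key(tenant, iss, meta_pool="my-store.rgw.meta"):
    """Metadata key in the shape of the ticket's log lines (general form assumed):
    <meta_pool>+oidc+<tenant>oidc_url.<issuer host[:port]/path>."""
    u = urlparse(iss)
    return f"{meta_pool}+oidc+{tenant}oidc_url.{u.netloc}{u.path}"


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. Diagnostics only:
    RGW checks the signature against the registered provider before trusting claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_token(claims):
    """Constructed test token with an empty signature so the check runs offline."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def trust_policy_allows(policy_doc, claims):
    """True if an Allow statement names the token's issuer as Federated principal,
    allows sts:AssumeRoleWithWebIdentity, and every StringEquals condition
    (keys of the form <issuer-without-scheme>:<claim>) matches the token."""
    iss = claims["iss"].split("://", 1)[-1]
    for stmt in json.loads(policy_doc)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        fed = stmt.get("Principal", {}).get("Federated", [])
        fed = [fed] if isinstance(fed, str) else fed
        # The provider ARN's resource part is the issuer without scheme. The ARN
        # carries no tenant, which is why the tenant requirement is invisible here.
        if not any(a.split("oidc-provider/", 1)[-1] == iss for a in fed):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(k.rsplit(":", 1)[0] == iss and claims.get(k.rsplit(":", 1)[1]) == v
               for k, v in conds.items()):
            return True
    return False


def preflight(role_arn, policy_doc, token, registered_keys):
    """Return findings; an empty list means provider lookup and trust-policy
    evaluation would both pass for this role/token combination."""
    tenant, _ = parse_role_arn(role_arn)
    claims = jwt_claims(token)
    findings = []
    key = provider_cache_key(tenant, claims["iss"])
    if key not in registered_keys:
        where = f"tenant {tenant!r}" if tenant else "the non-tenanted namespace"
        findings.append(f"no OIDC provider for {claims['iss']} registered under {where} "
                        f"(RGW would record a negative entry for {key})")
    if not trust_policy_allows(policy_doc, claims):
        findings.append("trust policy does not admit this token (issuer/azp mismatch)")
    return findings


# Constructed token and provider set: only the non-tenanted provider exists, as in the report.
TOKEN = make_unsigned_token({"iss": ISS, "azp": "aurora-api-gateway-dev", "sub": "user1"})
REGISTERED = {provider_cache_key("", ISS)}

if __name__ == "__main__":
    for arn in ("arn:aws:iam:::role/devS3Access", "arn:aws:iam::tenant1:role/tenant1S3Access"):
        print(arn, "->", preflight(arn, TRUST_POLICY, TOKEN, REGISTERED) or "ok")
```

Running it reproduces the ticket: the non-tenanted role passes and the tenanted role reports that no provider is registered under tenant1; adding `provider_cache_key("tenant1", ISS)` to the registered set clears the finding, which is the effect of creating the provider under that tenant. The check deliberately separates the two failure causes (provider lookup versus policy evaluation), because RGW reports both as a bare "Unknown" error to the client.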

Actions #3

Updated by Guenter Sandner 8 months ago

this ticket can be closed

Actions #4

Updated by Casey Bodley 8 months ago

  • Status changed from New to Triaged
  • Assignee set to Pritha Srivastava
  • Tags set to sts tenant

Guenter Sandner wrote:

this ticket can be closed

thanks Guenter

@Pritha, can you please look over the docs to see if there's a way to clarify the use of tenants? if not, we can close

Actions #5

Updated by Pritha Srivastava 8 months ago

Casey Bodley wrote:

Guenter Sandner wrote:

this ticket can be closed

thanks Guenter

@Pritha, can you please look over the docs to see if there's a way to clarify the use of tenants? if not, we can close

I looked up the documentation: there is a gap here; the document needs more clarity on the usage of tenants.

Actions #6

Updated by Casey Bodley 7 months ago

  • Subject changed from sts-AssumeRoleWithWebIdentity does not work for tenanted roles to docs: sts-AssumeRoleWithWebIdentity does not work for tenanted roles