Bug #62541
opendocs: sts-AssumeRoleWithWebIdentity does not work for tenanted roles
% Done: 0%
Tags: sts tenant
Regression: No
Severity: 3 - minor
Description
Having two roles using the same assume-role-policy-document, defined like this:
# create non-tenanted role
radosgw-admin role create --role-name='devS3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'

# create tenanted role
radosgw-admin role create --tenant tenant1 --role-name='tenant1S3Access' --path=/ \
  --assume-role-policy-doc='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"192.168.100.69:9080/realms/aurora-dev:azp":"aurora-api-gateway-dev"}}}]}'
Calling "sts assume-role-with-web-identity" works for the non-tenanted role "devS3Access", but not for the tenanted role "tenant1S3Access":
[root@rook-ceph-tools-855599bf84-wpwhr /]# aws --endpoint=http://$AWS_HOST:$PORT sts assume-role-with-web-identity \
> --role-arn 'arn:aws:iam::tenant1:role/S3Access' \
> --role-session-name 'tenant1S3Access' \
> --web-identity-token "${ID_TOKEN_DEV}" \
> --duration-seconds 3600 >tenant1_secrets || echo FAILED
An error occurred (Unknown) when calling the AssumeRoleWithWebIdentity operation: Unknown
In the logs we can see this for the non-tenanted role:
debug 2023-08-22T11:28:14.541+0000 7f2b2359c700 10 req 18142818711300298359 0.000000000s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (requested=0x1, cached=0x7)
But this for the tenanted role:
debug 2023-08-22T11:23:44.114+0000 7f2b78646700 10 req 13090842789017334974 0.001000009s sts:assume_role_web_identity cache get: name=my-store.rgw.meta+oidc+tenant1oidc_url.192.168.100.69:9080/realms/aurora-dev : hit (negative entry)
debug 2023-08-22T11:23:44.114+0000 7f2b78646700 0 req 13090842789017334974 0.001000009s sts:assume_role_web_identity Couldn't get oidc provider info using input isshttp://192.168.100.69:9080/realms/aurora-dev
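A small diagnostic for the trust-policy side of this report, added here as an example; it is not part of the original report or of RGW's own code. It reads the claims of an ID token (payload only, without signature verification, which is the STS endpoint's job) and checks the `iss` and `azp` claims against the Federated principal and the StringEquals condition of the policy attached to both roles above, stripping the URL scheme the way the page's provider ARNs and condition keys do. The token builder, the claim values other than the issuer and `azp` from the report, and the helper names are constructed for the example.

```python
import base64
import json
from urllib.parse import urlparse

# The assume-role policy document attached to both roles in the report.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/192.168.100.69:9080/realms/aurora-dev"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {"192.168.100.69:9080/realms/aurora-dev:azp": "aurora-api-gateway-dev"}},
    }],
}

OIDC_PROVIDER_ARN_PREFIX = "arn:aws:iam:::oidc-provider/"


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def unverified_claims(id_token):
    """Return the JWT payload claims WITHOUT checking the signature.

    Meant for inspecting a token you already hold while debugging; the
    signature, expiry and audience are validated by the STS endpoint."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def provider_key(iss):
    """Issuer URL with the scheme stripped, the form used in the page's
    oidc-provider ARNs and condition keys ('192.168.100.69:9080/realms/aurora-dev')."""
    u = urlparse(iss)
    return (u.netloc + u.path).rstrip("/")


def check_token_against_policy(claims, policy):
    """List every mismatch between the token claims and the policy's Federated
    principal / StringEquals conditions. An empty list means the policy would
    allow the token (assuming signature, exp and aud pass)."""
    problems = []
    key = provider_key(claims.get("iss", ""))
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", []):
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        providers = [p[len(OIDC_PROVIDER_ARN_PREFIX):]
                     for p in federated if p.startswith(OIDC_PROVIDER_ARN_PREFIX)]
        if key not in providers:
            problems.append(f"iss {claims.get('iss')!r} -> provider {key!r} not in Federated {providers}")
        for cond_key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            # Condition keys look like '<provider>:<claim>'; the provider part itself contains ':'.
            cond_provider, _, claim = cond_key.rpartition(":")
            if cond_provider != key:
                problems.append(f"condition key {cond_key!r} is for provider {cond_provider!r}, token is from {key!r}")
                continue
            actual = claims.get(claim)
            if actual != expected:
                problems.append(f"claim {claim!r}={actual!r} does not equal {expected!r}")
    return problems


def make_unsigned_demo_token(claims):
    """Constructed for this example only: an unsigned compact JWT so the script
    runs offline. Real tokens from the identity provider are signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed claims: issuer and azp from the report, sub made up.
    token = make_unsigned_demo_token({
        "iss": "http://192.168.100.69:9080/realms/aurora-dev",
        "azp": "aurora-api-gateway-dev",
        "sub": "demo-user",
    })
    for line in check_token_against_policy(unverified_claims(token), TRUST_POLICY) or ["token claims satisfy the trust policy"]:
        print(line)
```

Run it against a real `ID_TOKEN_DEV` by replacing the constructed token; a clean result here while the STS call still fails points past the policy to the provider lookup, which is what the negative cache entry for the tenant-prefixed key in the log above suggests.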