To answer myself, and for those interested:
"You" just need one user, in this case TESTER, and policy_document has to be:
policy_document =
'''{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::TENANT:user/USER"]},"Action":["sts:AssumeRole"]}]}'''
If TENANT is TENANT1 and USER is USER1, then policy_document should be:
policy_document =
'''{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::TENANT1:user/USER1"]},"Action":["sts:AssumeRole"]}]}'''
Kind regards,
Rok
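Rok's answer above, carried through end to end as an added example (this is not code from the thread or from Ceph): build the trust policy naming one RGW user, check that the caller's ARN is actually a principal in it before calling AssumeRole, create the role through RGW's IAM endpoint with boto3, attach a permission policy, and read the temporary credentials out of the AssumeRole response. Assumed names: the role name S3Access, the bucket, the session name, the environment variables and the read-only permission policy are placeholders chosen here; the non-tenanted ARN form arn:aws:iam:::user/USER and the `roles` admin cap needed to create a role follow the Ceph STS documentation linked in the thread.

```python
"""RGW STS round-trip: trust policy -> CreateRole -> PutRolePolicy -> AssumeRole.

Added example for this ceph-users thread, not code from the posters or Ceph.
"""
import json
import os


def user_arn(user, tenant=""):
    """ARN of an RGW user as used in a role trust policy.

    Tenanted user:     arn:aws:iam::TENANT:user/USER   (the form in the thread)
    Non-tenanted user: arn:aws:iam:::user/USER         (the form in the Ceph docs)
    """
    return "arn:aws:iam::%s:user/%s" % (tenant, user)


def trust_policy(users, tenant=""):
    """Trust (AssumeRolePolicyDocument) listing the given RGW user(s).

    One user suffices: the user whose keys call AssumeRole must be listed here.
    """
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [user_arn(u, tenant) for u in users]},
            "Action": ["sts:AssumeRole"],
        }],
    }
    return json.dumps(doc, separators=(",", ":"))


def permission_policy(bucket):
    """Inline permission policy for the role: read-only on one bucket.

    Narrower than the s3:* example in the Ceph docs; the scope is this
    example's choice, not something RGW requires.
    """
    doc = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": ["arn:aws:s3:::%s" % bucket]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::%s/*" % bucket]},
        ],
    }
    return json.dumps(doc, separators=(",", ":"))


def caller_is_trusted(policy_json, user, tenant=""):
    """Pre-flight check: is this user's ARN an Allow principal for
    sts:AssumeRole in the trust policy? Accepts string or list forms."""
    arn = user_arn(user, tenant)
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if arn in principals:
            return True
    return False


def create_role_and_assume(endpoint, access_key, secret_key, user, tenant="",
                           role_name="S3Access", bucket="my-bucket"):
    """Create the role and assume it with the same user's keys.

    Prerequisite from the Ceph docs: the user creating the role needs the
    roles cap, e.g.  radosgw-admin caps add --uid=USER --caps="roles=*"
    Returns the Credentials dict from the AssumeRole response.
    """
    import boto3  # imported lazily so the policy helpers need no boto3

    # region_name is a placeholder required by boto3; requests go to endpoint_url
    kw = dict(aws_access_key_id=access_key, aws_secret_access_key=secret_key,
              endpoint_url=endpoint, region_name="us-east-1")
    iam = boto3.client("iam", **kw)
    sts = boto3.client("sts", **kw)

    trust = trust_policy([user], tenant)
    if not caller_is_trusted(trust, user, tenant):
        raise ValueError("caller %s is not a principal in the trust policy" % user)
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=trust)
    iam.put_role_policy(RoleName=role_name, PolicyName="ReadBucket",
                        PolicyDocument=permission_policy(bucket))
    resp = sts.assume_role(RoleArn=role["Role"]["Arn"],
                           RoleSessionName="um-test", DurationSeconds=3600)
    # AccessKeyId, SecretAccessKey, SessionToken, Expiration
    return resp["Credentials"]


if __name__ == "__main__":
    creds = create_role_and_assume(
        os.environ["RGW_ENDPOINT"], os.environ["ACCESS_KEY1"],
        os.environ["SECRET_KEY1"], os.environ["USER1"],
        os.environ.get("TENANT1", ""))
    print(creds["AccessKeyId"], creds["Expiration"])
```

Run it with RGW_ENDPOINT, ACCESS_KEY1, SECRET_KEY1, USER1 and optionally TENANT1 set; the temporary credentials are the Credentials member of the AssumeRole response, which is what Pritha points at below. Note that the tenant is part of the ARN: trust_policy(["USER1"], "TENANT1") does not trust a non-tenanted USER1, and caller_is_trusted catches that mismatch before the request is sent.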
On Tue, Dec 16, 2025 at 3:55 PM Rok Jaklič via ceph-users <[email protected]> wrote:
> I get an error like this when trying to assume the role:
>
>     response = sts_client.assume_role(
>   File "/home/user/um-test-venv/lib64/python3.9/site-packages/botocore/client.py", line 602, in _api_call
>     return self._make_api_call(operation_name, kwargs)
>   File "/home/user/um-test-venv/lib64/python3.9/site-packages/botocore/context.py", line 123, in wrapper
>     return func(*args, **kwargs)
>   File "/home/user/um-test-venv/lib64/python3.9/site-packages/botocore/client.py", line 1078, in _make_api_call
>     raise error_class(parsed_response, operation_name)
> botocore.exceptions.ClientError: An error occurred (Unknown) when calling the AssumeRole operation: Unknown
> (um-test-venv) [user@server ~]$ client_loop: send disconnect: Broken pipe
>
> Documentation is a little bit ambiguous. There is user TESTER and user
> TESTER1. Do I need to create both users?
>
> ---
>
> What is the right way to set policy and role for it if I have just USER1
> and TENANT1 and ACCESS_KEY1 and SECRET_KEY1 and want to have temporary
> credentials?
>
> On Tue, Dec 16, 2025 at 6:31 AM Pritha Srivastava <[email protected]> wrote:
>
> > Hi,
> >
> > The temporary credentials are present in the assume role call response.
> >
> > Thanks,
> > Pritha
> >
> >
> > On Tue, Dec 16, 2025 at 1:09 AM Rok Jaklič via ceph-users <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> I try to follow https://docs.ceph.com/en/reef/radosgw/STS/
> >>
> >> If I print role_response, there are no credentials in the response
> >> object? Where can I get credentials for TESTER1 after creating a role
> >> and setting policy for it?
> >>
> >> Kind regards,
> >> Rok
> >> _______________________________________________
> >> ceph-users mailing list -- [email protected]
> >> To unsubscribe send an email to [email protected]