[ceph-users] Re: RGW STS - MalformedPolicyDocument
I found the error, I was using a json with indentation (in the aws it worked). When I put this format without spaces it worked.

Maybe it would be interesting to put this note on the page, about how json needs to be formatted.

Thank you very much, I was trying to make it work for days.

From: "Pritha Srivastava"
To: "marcelo.miziara serpro"
Cc: "ceph-users"
Sent: Sunday, September 5, 2021 13:02:58
Subject: Re: [ceph-users] Re: RGW STS - MalformedPolicyDocument

I tried the aws iam create role on master today and it worked for me. I've used your policy file with "Main" corrected to "Principal", like below:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

Thanks,
Pritha

On Sun, Sep 5, 2021 at 9:11 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wrote:

Hi Pritha, thanks for the answer.

Even changing to Principal I still get the MalformedPolicyDocument. I tested with aws cli versions 1 and 2, both returning the error message. I put JSON in several validators to see if there were any errors and it seems to be okay. I don't know if I'm missing something in the aws cli configuration, my credentials are:

[default]
aws_access_key_id = < admin-api-user key >
aws_secret_access_key = < admin-api-user secret >

And my config:

[default]
region = US
output = json

And I checked that no rule with the same name exists.

With the example python from the page https://docs.ceph.com/en/latest/radosgw/STS/ it worked (it has an extra "]" that needs to be removed in the policy_document variable).

Thanks again, Marcelo.

From: "Pritha Srivastava" <prsri...@redhat.com>
To: "marcelo.miziara serpro" <marcelo.mizi...@serpro.gov.br>
Cc: "ceph-users" <ceph-users@ceph.io>
Sent: Sunday, September 5, 2021 7:07:14
Subject: Re: [ceph-users] RGW STS - MalformedPolicyDocument

Hi Marcelo,

Your trust policy has an error:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      " Main ":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

In place of 'Main', use 'Principal' as you have done for the radosgw-admin role create command.

Thanks,
Pritha

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wro
[ceph-users] Re: RGW STS - MalformedPolicyDocument
I tried the aws iam create role on master today and it worked for me. I've used your policy file with "Main" corrected to "Principal", like below:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

Thanks,
Pritha

On Sun, Sep 5, 2021 at 9:11 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wrote:

> Hi Pritha, thanks for the answer.
>
> Even changing to Principal I still get the MalformedPolicyDocument. I
> tested with aws cli versions 1 and 2, both returning the error message. I
> put JSON in several validators to see if there were any errors and it seems
> to be okay. I don't know if I'm missing something in the aws cli
> configuration, my credentials are:
> [default]
> aws_access_key_id = < admin-api-user key >
> aws_secret_access_key = < admin-api-user secret >
>
> And my config:
> [default]
> region = US
> output = json
>
> And I checked that no rule with the same name exists.
>
> With the example python from the page
> https://docs.ceph.com/en/latest/radosgw/STS/ it worked (it has an extra
> "]" that needs to be removed in the policy_document variable).
>
> Thanks again, Marcelo.
>
>
> From: "Pritha Srivastava"
> To: "marcelo.miziara serpro"
> Cc: "ceph-users"
> Sent: Sunday, September 5, 2021 7:07:14
> Subject: Re: [ceph-users] RGW STS - MalformedPolicyDocument
>
> Hi Marcelo,
>
> Your trust policy has an error:
>
> {
>   "Version":"2012-10-17",
>   "Statement":[
>     {
>       "Effect":"Allow",
>       " Main ":{
>         "AWS":[
>           "arn:aws:iam:::user/someuser"
>         ]
>       },
>       "Action":[
>         "sts:AssumeRole"
>       ]
>     }
>   ]
> }
>
> In place of 'Main', use 'Principal' as you have done for the radosgw-admin
> role create command.
>
> Thanks,
> Pritha
>
> On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wrote:
>
>
> Hello all!
>
> I'm having a hard time trying to get the STS to work. I want to give a
> user "someuser" the ability to assumerole. I don't know if I got it wrong
> how to do it, or if my json is spelled wrong.
>
> I've done tests on the latest versions of nautilus, octopus and pacific,
> and I always get the same message.
>
> In RGW I added the following settings:
> -
> rgw_s3_auth_use_sts = true
> rgw_sts_key = "abcdefghijklmnop"
> -
>
> Then I create a user "admin-api-user", giving the following caps:
> -
> # radosgw-admin caps add --uid admin-api-user --caps "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*"
> -
>
> But when I try to create a role using aws cli, I get an error message:
> -
> # aws --endpoint=http://10.79.35.245:7480 iam create-role --role-name=role1 --assume-role-policy-document file://policy_document.json
>
> An error occurred (Unknown) when calling the CreateRole operation: Unknown
> -
>
> Running the above command with debug, on one of the lines comes the
> following message:
> -
> 2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response
> body:
> b' encoding="UTF-8"?>MalformedPolicyDocumenttx01-006130ccac-b3b82-defaultb3b82-default
> -default'
> -
>
> My policy_document.json is like this:
> -
> {
>   "Version":"2012-10-17",
>   "Statement":[
>     {
>       "Effect":"Allow",
>       "Main":{
>         "AWS":[
>           "arn:aws:iam:::user/someuser"
>         ]
>       },
>       "Action":[
>         "sts:AssumeRole"
>       ]
>     }
>   ]
> }
> -
>
> If I run the radosgw-admin command with the same JSON (but with
> escaped characters), it works:
> -
> # radosgw-admin role create --role-name=role1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
>
> {
>   "RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408",
>   "RoleName": "role1",
>   "Path": "/",
>   "Arn": "arn:aws:iam:::role/role1",
>   "CreateDate": "2021-09-02T13:19:39.721Z",
>   "MaxSessionDuration": 3600,
>   "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> }
> -
>
>
> Does anyone have any idea where I might be going wrong? I did a test on
> aws, with the same JSON (adding my arn account) a
[ceph-users] Re: RGW STS - MalformedPolicyDocument
Hi Pritha, thanks for the answer.

Even changing to Principal I still get the MalformedPolicyDocument. I tested with aws cli versions 1 and 2, both returning the error message. I put JSON in several validators to see if there were any errors and it seems to be okay. I don't know if I'm missing something in the aws cli configuration, my credentials are:

[default]
aws_access_key_id = < admin-api-user key >
aws_secret_access_key = < admin-api-user secret >

And my config:

[default]
region = US
output = json

And I checked that no rule with the same name exists.

With the example python from the page https://docs.ceph.com/en/latest/radosgw/STS/ it worked (it has an extra "]" that needs to be removed in the policy_document variable).

Thanks again, Marcelo.

From: "Pritha Srivastava"
To: "marcelo.miziara serpro"
Cc: "ceph-users"
Sent: Sunday, September 5, 2021 7:07:14
Subject: Re: [ceph-users] RGW STS - MalformedPolicyDocument

Hi Marcelo,

Your trust policy has an error:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      " Main ":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

In place of 'Main', use 'Principal' as you have done for the radosgw-admin role create command.

Thanks,
Pritha

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wrote:

Hello all!

I'm having a hard time trying to get the STS to work. I want to give a user "someuser" the ability to assumerole. I don't know if I got it wrong how to do it, or if my json is spelled wrong.

I've done tests on the latest versions of nautilus, octopus and pacific, and I always get the same message.

In RGW I added the following settings:
-
rgw_s3_auth_use_sts = true
rgw_sts_key = "abcdefghijklmnop"
-

Then I create a user "admin-api-user", giving the following caps:
-
# radosgw-admin caps add --uid admin-api-user --caps "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*"
-

But when I try to create a role using aws cli, I get an error message:
-
# aws --endpoint=http://10.79.35.245:7480 iam create-role --role-name=role1 --assume-role-policy-document file://policy_document.json

An error occurred (Unknown) when calling the CreateRole operation: Unknown
-

Running the above command with debug, on one of the lines comes the following message:
-
2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response body: b'MalformedPolicyDocumenttx01-006130ccac-b3b82-defaultb3b82-default -default'
-

My policy_document.json is like this:
-
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Main":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}
-

If I run the radosgw-admin command with the same JSON (but with escaped characters), it works:
-
# radosgw-admin role create --role-name=role1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

{
  "RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408",
  "RoleName": "role1",
  "Path": "/",
  "Arn": "arn:aws:iam:::role/role1",
  "CreateDate": "2021-09-02T13:19:39.721Z",
  "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
-

Does anyone have any idea where I might be going wrong? I did a test on aws, with the same JSON (adding my arn account) and it worked.

Thanks, Marcelo!
___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to
[ceph-users] Re: RGW STS - MalformedPolicyDocument
Hi Marcelo,

Your trust policy has an error:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "*Main*":{
        "AWS":[
          "arn:aws:iam:::user/someuser"
        ]
      },
      "Action":[
        "sts:AssumeRole"
      ]
    }
  ]
}

In place of 'Main', use 'Principal' as you have done for the radosgw-admin role create command.

Thanks,
Pritha

On Fri, Sep 3, 2021 at 9:30 PM Marcelo Mariano Miziara <marcelo.mizi...@serpro.gov.br> wrote:

> Hello all!
>
> I'm having a hard time trying to get the STS to work. I want to give a
> user "someuser" the ability to assumerole. I don't know if I got it wrong
> how to do it, or if my json is spelled wrong.
>
> I've done tests on the latest versions of nautilus, octopus and pacific,
> and I always get the same message.
>
> In RGW I added the following settings:
> -
> rgw_s3_auth_use_sts = true
> rgw_sts_key = "abcdefghijklmnop"
> -
>
> Then I create a user "admin-api-user", giving the following caps:
> -
> # radosgw-admin caps add --uid admin-api-user --caps "users=*;buckets=*;metadata=*;usage=*;roles=*;user-policy=*"
> -
>
> But when I try to create a role using aws cli, I get an error message:
> -
> # aws --endpoint=http://10.79.35.245:7480 iam create-role --role-name=role1 --assume-role-policy-document file://policy_document.json
>
> An error occurred (Unknown) when calling the CreateRole operation: Unknown
> -
>
> Running the above command with debug, on one of the lines comes the
> following message:
> -
> 2021-09-02 10:07:56,138 - MainThread - botocore.parsers - DEBUG - Response
> body:
> b' encoding="UTF-8"?>MalformedPolicyDocumenttx01-006130ccac-b3b82-defaultb3b82-default
> -default'
> -
>
> My policy_document.json is like this:
> -
> {
>   "Version":"2012-10-17",
>   "Statement":[
>     {
>       "Effect":"Allow",
>       "Main":{
>         "AWS":[
>           "arn:aws:iam:::user/someuser"
>         ]
>       },
>       "Action":[
>         "sts:AssumeRole"
>       ]
>     }
>   ]
> }
> -
>
> If I run the radosgw-admin command with the same JSON (but with
> escaped characters), it works:
> -
> # radosgw-admin role create --role-name=role1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/someuser\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
>
> {
>   "RoleId": "007ed38e-a072-43a4-94f3-2958e5a19408",
>   "RoleName": "role1",
>   "Path": "/",
>   "Arn": "arn:aws:iam:::role/role1",
>   "CreateDate": "2021-09-02T13:19:39.721Z",
>   "MaxSessionDuration": 3600,
>   "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/someuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
> }
> -
>
>
> Does anyone have any idea where I might be going wrong? I did a test on
> aws, with the same JSON (adding my arn account) and it worked.
>
> Thanks, Marcelo!
>
> ___
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
>
___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
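
A pre-flight check for the two problems this thread ran into (the "Main" key in place of "Principal", and the indented file that only worked once the whitespace was removed), as an added example that is not part of the original messages or of Ceph: it lints a trust policy and returns the compact single-line form. The function names and the allowed-key list (taken from the AWS IAM policy grammar) are assumptions, not RGW's own parser rules.

```python
import json

# Statement keys from the AWS IAM policy grammar; assumed here to be what RGW expects too.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}

def lint_trust_policy(text):
    """Return a list of problems in a role trust policy (empty list = looks fine)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [] if "Version" in doc else ["missing Version"]
    statements = doc.get("Statement")
    if isinstance(statements, dict):      # a single statement object is also legal
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty object or list"]
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        for key in stmt:
            if key not in STATEMENT_KEYS:
                problems.append(f"Statement[{i}]: unknown key {key!r}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if not ({"Principal", "NotPrincipal"} & stmt.keys()):
            problems.append(f"Statement[{i}]: trust policy needs a Principal")
        if not ({"Action", "NotAction"} & stmt.keys()):
            problems.append(f"Statement[{i}]: missing Action")
    return problems

def compact_policy(text):
    """Lint the policy, then re-serialise it with no whitespace between tokens."""
    problems = lint_trust_policy(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(json.loads(text), separators=(",", ":"))

# Constructed sample: an indented policy with the "Main" key as first posted in the thread.
POSTED = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Main": {"AWS": ["arn:aws:iam:::user/someuser"]},
     "Action": ["sts:AssumeRole"]}
  ]
}"""
FIXED = POSTED.replace('"Main"', '"Principal"')

if __name__ == "__main__":
    print(lint_trust_policy(POSTED))
    print(compact_policy(FIXED))
```

The compact string can be written back to policy_document.json before calling `aws iam create-role`, or passed to a boto3 client as the policy document.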