[ceph-users] Re: Using ID of a federated user in a bucket policy in RGW

2021-05-12 Thread Pritha Srivastava
Hi,

Can you try with the following ARN:

arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

The format of the user id is: <tenant>$<user-namespace>$<sub>, and in
$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b, the '$' before oidc is a
separator for a tenant which is empty here, and ARN for a user is of the
format: arn:aws:iam:::user/, and hence the ARN here will
be arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
Thanks,
Pritha

On Wed, May 12, 2021 at 4:02 PM Daniel Iwan  wrote:

> Hi all
>
> I'm working on the following scenario
> User is authenticated with OIDC and tries to access a bucket which it does
> not own.
> How to specify user ID etc. to give access to such a user?
>
> By trial and error I found out that principal can be specified as
> "Principal": {"Federated":["arn:aws:sts:::assumed-role/MySession"]},
>
> but I want to use shadow user ID or something similar as the principal
>
> Docs
> https://docs.ceph.com/en/latest/radosgw/STS/
> states:
> 'A shadow user is created corresponding to every federated user. The user
> id is derived from the ‘sub’ field of the incoming web token. The user is
> created in a separate namespace - ‘oidc’ such that the user id doesn’t
> clash with any other user ids in rgw. The format of the user id is -
> <tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for users
> that authenticate with oidc providers.'
>
> I see a shadow user in Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b
> but I cannot work out the syntax of a user id, I was expecting something
> like
>
> "arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
>
> but when trying to list content of a bucket I get AccessDenied.
> If bucket policy has Principal "*" then my authenticated user can access the
> bucket
>
> Is this possible?
> Regards
> Daniel
> ___
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
>
___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io


[ceph-users] Re: Using ID of a federated user in a bucket policy in RGW

2021-05-13 Thread Daniel Iwan
Hi Pritha

This is probably the only combination I haven't tried.
I was convinced it would have to be $oidc$<sub>
It worked brilliantly with the arn you suggested, thank you for that.

So does it mean that for a non-empty tenant we would have tenant name twice
like
arn:aws:iam::mytenant:user/mytenant$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

or would it be a single tenant name?
arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

If it's the second one, it relies on the fact that IDs are unique, which in
turn depends on the sub field in the token.

Regards
Daniel



[ceph-users] Re: Using ID of a federated user in a bucket policy in RGW

2021-05-13 Thread Pritha Srivastava
It would be the second one:
arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

Thanks,
Pritha

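As an added example (not code from the thread or from Ceph), the two ARN forms Pritha gives above, built programmatically and placed in a least-privilege bucket policy for one federated user. It assumes the `AWS` principal key that the RGW bucket-policy docs use for user ARNs, since the thread does not say which key Daniel used; the function names and the sample bucket are my own.

```python
# Added example: RGW shadow-user id/ARN construction plus a minimal bucket policy.
# The `AWS` principal key and all function names are assumptions, not from the thread.
import json
import re

SUB = "7f71c7c5-c24f-418e-87ac-aa8fe271289b"  # 'sub' claim taken from the thread

def shadow_user_id(sub: str, tenant: str = "", namespace: str = "oidc") -> str:
    """RGW-internal id of the shadow user: <tenant>$<user-namespace>$<sub>."""
    return f"{tenant}${namespace}${sub}"

def shadow_user_arn(sub: str, tenant: str = "", namespace: str = "oidc") -> str:
    """Principal ARN to use in a bucket policy.

    The tenant goes into the ARN's account field and is NOT repeated in the
    user path: an empty tenant gives 'arn:aws:iam:::user/oidc$<sub>' and
    tenant 'mytenant' gives 'arn:aws:iam::mytenant:user/oidc$<sub>'.
    """
    # Reject anything that could smuggle a second '$' separator into the path.
    if not re.fullmatch(r"[A-Za-z0-9._@:-]+", sub):
        raise ValueError("unexpected characters in sub claim")
    return f"arn:aws:iam::{tenant}:user/{namespace}${sub}"

def bucket_policy_for_oidc_user(bucket: str, sub: str, tenant: str = "") -> dict:
    """Grant one federated user read-only access to one bucket, nothing more."""
    principal = {"AWS": [shadow_user_arn(sub, tenant)]}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OidcUserListBucket",
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "OidcUserGetObject",
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }

if __name__ == "__main__":
    # "shared-data" is a constructed bucket name; apply the output with put_bucket_policy.
    print(json.dumps(bucket_policy_for_oidc_user("shared-data", SUB), indent=2))
```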