Bug 2006194

*** Bug 2007306 has been marked as a duplicate of this bug. ***

Not observing issue ceph version 16.2.7-18.el8cp (86cfa49b08da370afb3f98be618f2c3c1eae71fb) pacific (stable)


[ceph: root@magna004 /]# radosgw-admin role get  --role-name=S3Access1  
{
    "RoleId": "1f9e39e4-668f-4062-a22a-604d3c943afb",
    "RoleName": "S3Access1",
    "Path": "/application_abc/component_xyz/",
    "Arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
    "CreateDate": "2022-01-10T10:02:18.504Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sts2\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
[ceph: root@magna004 /]#  radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1
{
    "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"*\"}]}"
}
[ceph: root@magna004 /]# 


[root@magna009 ~]#  aws sts assume-role  --role-arn "arn:aws:iam:::role/application_abc/component_xyz/S3Access1"  --role-session-name "s3-session"  --endpoint http://10.8.128.9:8080 > assume_role_output
[root@magna009 ~]# cat assume_role_output
{
    "Credentials": {
        "AccessKeyId": "iO0rtrSVQM0P5EkMspa",
        "SecretAccessKey": "H4PBFHTZ273S09XOOO88MVFHS1YI3NIDZ77P3V1",
        "SessionToken": "7bzGMjefZh252zqlZP0YicoUz17QGuM/IwsmATOmXvxK1587ZZKykvvrCS6FTKdbn59iXgN9ViA6kVA8r0s8DJ9lr9uePJH69525i5yEaDsUY2viqHMO8LwiumH73jwFNgaKrW7lHd2Xz07kJT9g/AltJZQKLvIWLadaFDwTRBC3wmPhdyp9lFg7iyHR7Mng0zb09R/i0C+yD484JOQb13Dip4RrJH1D6hs4EjaiLTRBF3JBHXXlGELr5BNIkctVGS6z0WJ+pfeZJNWfG5BZGPFN0L/zVmVyc/PJ5e23KOlBQdieV8nVkiQsfXy7Kcc1GyoC9PpsvFsqvzK55wy1OA==",
        "Expiration": "2022-01-10T12:02:42.468916688Z"
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/application_abc/component_xyz/S3Access1/s3-session"
    },
    "PackedPolicySize": 0
}
[root@magna009 ~]# export AWS_ACCESS_KEY_ID=iO0rtrSVQM0P5EkMspa
[root@magna009 ~]# export AWS_SECRET_ACCESS_KEY=H4PBFHTZ273S09XOOO88MVFHS1YI3NIDZ77P3V1
[root@magna009 ~]#  export AWS_SESSION_TOKEN=7bzGMjefZh252zqlZP0YicoUz17QGuM/IwsmATOmXvxK1587ZZKykvvrCS6FTKdbn59iXgN9ViA6kVA8r0s8DJ9lr9uePJH69525i5yEaDsUY2viqHMO8LwiumH73jwFNgaKrW7lHd2Xz07kJT9g/AltJZQKLvIWLadaFDwTRBC3wmPhdyp9lFg7iyHR7Mng0zb09R/i0C+yD484JOQb13Dip4RrJH1D6hs4EjaiLTRBF3JBHXXlGELr5BNIkctVGS6z0WJ+pfeZJNWfG5BZGPFN0L/zVmVyc/PJ5e23KOlBQdieV8nVkiQsfXy7Kcc1GyoC9PpsvFsqvzK55wy1OA==
[root@magna009 ~]# aws s3api create-bucket --bucket new-bt1  --endpoint http://10.8.128.9:8080
[root@magna009 ~]#  aws s3 cp assume_role_output s3://new-bt1/file1  --endpoint http://10.8.128.9:8080
upload: ./assume_role_output to s3://new-bt1/file1                 
[root@magna009 ~]# aws s3api create-bucket --bucket new-bt2  --endpoint http://10.8.128.9:8080
[root@magna009 ~]# aws s3api copy-object --copy-source new-bt1/file1 --key file1  --bucket new-bt2 --endpoint http://10.8.128.9:8080
{
    "CopyObjectResult": {
        "ETag": "eeed343e98f7de0e5ecf51ca86a31ad6",
        "LastModified": "2022-01-10T11:06:22.409Z"
    }
}
[root@magna009 ~]# ceph -v
ceph version 16.2.7-18.el8cp (86cfa49b08da370afb3f98be618f2c3c1eae71fb) pacific (stable)
[root@magna009 ~]#

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 5.1 Security, Enhancement, and Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1174