Hi,

When working with IAM Roles, when writing the doc policy that will allow a user to assume a role by matching the condition in the policy, the rules and expressions on the condition can get pretty complicated, and currently there is no easy way to check in our RGW debug 20 logs why the policy evaluation engine is allowing or denying a specific incoming assume role request.

Currently, the debug 20 logs when we get an error show:

"logging of the Policy evaluation engine"

Without giving any further detail. It would improve the debugging experience and work with roles if we could get something like:

"Evaluating policy X failed, not matching. Doc Policy on Role: arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart , incoming condition: "Principal":{"Federated":["arn:aws:iam:::oidc-provider/keycloak-sso.apps.ocp.local/auth/realms/ceph"]} don't match"

This will help us pinpoint the issue immediately; it has been the case with customers that a small typo in the policy will take a very long time to debug because of this.
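As an added example (not code from the report or from RGW itself), a small Python check that reads a role's trust policy and reports, in the style the reporter asks for, which Federated principal an incoming AssumeRoleWithWebIdentity request failed to match. The trust policy document is constructed here from the two ARNs quoted above, and the function names are hypothetical.

```python
import json

# Constructed trust policy for a role, using the ARNs quoted in the report.
# Its Federated principal is deliberately the one that does NOT match the
# incoming request, i.e. the typo-class mismatch the report describes.
ROLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            "arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"
        ]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
    }],
})


def federated_principals(policy_json):
    """Collect every Federated principal ARN from Allow statements of a trust policy."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*" carries no Federated entry
            continue
        fed = principal.get("Federated", [])
        if isinstance(fed, str):  # "Federated": "arn:..." is also valid JSON policy syntax
            fed = [fed]
        found.extend(fed)
    return found


def explain_assume_role(policy_json, incoming_provider_arn):
    """Return (matched, message); the message carries the detail the debug log lacks."""
    allowed = federated_principals(policy_json)
    if incoming_provider_arn in allowed:
        return True, "Federated principal %s matches trust policy" % incoming_provider_arn
    return False, (
        "Evaluating trust policy failed, not matching. Doc Policy on Role: %s , "
        "incoming Federated principal: %s don't match"
        % (", ".join(allowed) or "<no Federated principal>", incoming_provider_arn)
    )


if __name__ == "__main__":
    print(explain_assume_role(
        ROLE_TRUST_POLICY,
        "arn:aws:iam:::oidc-provider/keycloak-sso.apps.ocp.local/auth/realms/ceph")[1])
```

Comparing the two ARNs side by side in the message is what makes a one-character typo in the provider host or realm visible at a glance.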
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.