Use the Multi-Cloud Object Gateway's Security Token Service to assume the role of another user - OpenShift Data Foundation 4.15 Developer preview
Issue
Starting with OpenShift Data Foundation 4.15, the Multi-Cloud Object Gateway (MCG) provides support for a security token service (STS) similar to the one provided by Amazon Web Services.
Resolution
To allow other users to assume the role of a certain user, a role configuration must first be assigned to that user.
Currently, the only supported method of managing configuration roles is the MCG CLI tool.
An example role configuration that allows two MCG users (assumer@mcg.test and assumer2@mcg.test) to assume a certain user's role:

```json
{
  "role_name": "AllowTwoAssumers",
  "assume_role_policy": {
    "version": "2012-10-17",
    "statement": [
      {
        "action": ["sts:AssumeRole"],
        "effect": "allow",
        "principal": ["assumer@mcg.test", "assumer2@mcg.test"]
      }
    ]
  }
}
```

Assign the role configuration by using the MCG CLI tool:

```shell
mcg sts assign-role --email <assumed user's username> --role_config '{"role_name": "AllowTwoAssumers", "assume_role_policy": {"version": "2012-10-17", "statement": [ {"action": ["sts:AssumeRole"], "effect": "allow", "principal": ["assumer@mcg.test", "assumer2@mcg.test"]}]}}'
```
Before proceeding to assume the role, collect the following information, as it is needed for the subsequent steps:
1. The access key ID and secret access key of the assumer (the user who assumes the role)
2. The MCG STS endpoint, which can be retrieved by running `oc -n openshift-storage get route`
   NOTE: adding `--no-verify-ssl` to the `aws` command might be necessary depending on your cluster's configuration
3. The access key ID of the assumed user
4. The value of `role_name` in your role configuration
5. A name of your choice for the role session
After the configuration role is ready, it can be assigned to the appropriate user (fill any
```shell
AWS_ACCESS_KEY_ID=<1> AWS_SECRET_ACCESS_KEY=<1> aws --endpoint-url <2> sts assume-role --role-arn arn:aws:sts::<3>:role/<4> --role-session-name <5>
```
The resulting output contains the access key ID and secret access key that can be used to execute actions while assuming the other user's role.
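A worked example, added here and not part of the original solution or the MCG project, that builds and reviews a role configuration in the shape shown above and wraps the assume-role call with boto3; boto3 being installed, the endpoint URL, and the region string handed to the request signer are assumptions.

```python
import json

# Policy shape taken from the role configuration shown on this page.
ASSUME_ROLE_ACTION = "sts:AssumeRole"
POLICY_VERSION = "2012-10-17"


def build_role_config(role_name: str, principals: list[str]) -> str:
    """Return the JSON string to pass as --role_config to `mcg sts assign-role`."""
    # Refuse an empty principal list so a role nobody should assume is never
    # created by accident; duplicate principals are collapsed.
    if not principals:
        raise ValueError("refusing to build a role with no principals")
    config = {
        "role_name": role_name,
        "assume_role_policy": {
            "version": POLICY_VERSION,
            "statement": [{"action": [ASSUME_ROLE_ACTION],
                           "effect": "allow",
                           "principal": sorted(set(principals))}],
        },
    }
    return json.dumps(config, separators=(",", ":"))


def allowed_assumers(role_config: str) -> set[str]:
    """Principals that this role_config lets call sts:AssumeRole (review helper)."""
    # Only 'allow' statements that name sts:AssumeRole count, so an accidental
    # extra principal shows up before the role is assigned.
    policy = json.loads(role_config)["assume_role_policy"]
    allowed: set[str] = set()
    for stmt in policy.get("statement", []):
        if stmt.get("effect") == "allow" and ASSUME_ROLE_ACTION in stmt.get("action", []):
            allowed.update(stmt.get("principal", []))
    return allowed


def role_arn(assumed_access_key_id: str, role_name: str) -> str:
    """Role ARN in the shape the page's aws CLI call uses: arn:aws:sts::<3>:role/<4>."""
    return f"arn:aws:sts::{assumed_access_key_id}:role/{role_name}"


def assume_role(endpoint_url, assumer_key_id, assumer_secret, arn, session_name, verify_ssl=True):
    """Call MCG STS through boto3 (assumed installed) and return the Credentials dict."""
    import boto3  # imported lazily so the helpers above work without boto3
    # Assumption: botocore needs a region string to sign requests; the value is not meaningful to MCG.
    sts = boto3.client("sts", endpoint_url=endpoint_url, region_name="us-east-1", verify=verify_ssl,
                       aws_access_key_id=assumer_key_id, aws_secret_access_key=assumer_secret)
    return sts.assume_role(RoleArn=arn, RoleSessionName=session_name)["Credentials"]
```

Pass `verify_ssl=False` only where the page's `--no-verify-ssl` note applies to your cluster; the returned dict is what the aws CLI prints as `Credentials`.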
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.