rgw/sts: Use client_id for assumerolewithwebidentityresponse 63052/head
authorPritha Srivastava <prsrivas@redhat.com>
Mon, 17 Feb 2025 08:11:15 +0000 (13:41 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Wed, 30 Apr 2025 07:39:49 +0000 (13:09 +0530)
if aud is not present in the JWT.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit b5bbeb7ea3a65bfed368f834cc6c11fa23ee24e1)

src/rgw/rgw_auth.cc

index 7ec32cc0a238837fb6f58ba5933c4c2ebee1c46d..02da9df58f896de71268e2206445ddfcc5284a01 100644 (file)
@@ -692,7 +692,15 @@ void rgw::auth::WebIdentityApplier::load_acct_info(const DoutPrefixProvider* dpp
 void rgw::auth::WebIdentityApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const
 {
   s->info.args.append("sub", this->sub);
-  s->info.args.append("aud", this->aud);
+  //this is needed for AssumeRoleWithWebIdentityResponse
+  //but if aud is not present in the token, client id can be used
+  //from AWS docs - "The intended audience (also known as client ID) of the web identity token."
+  //https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
+  if (this->aud.empty() && !this->client_id.empty()) {
+    s->info.args.append("aud", this->client_id);
+  } else {
+    s->info.args.append("aud", this->aud);
+  }
   s->info.args.append("provider_id", this->iss);
   s->info.args.append("client_id", this->client_id);