From: Pritha Srivastava Date: Wed, 14 Jul 2021 10:33:22 +0000 (+0530) Subject: rgw/sts: documentation related to supporting all claims X-Git-Tag: v17.1.0~969^2~5 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=192d208147e7fc44a5f3650cdeca66048c0c9368;p=ceph.git rgw/sts: documentation related to supporting all claims in the JWT in the condition of the trust policy. Signed-off-by: Pritha Srivastava --- diff --git a/doc/radosgw/STS.rst b/doc/radosgw/STS.rst index d843ea5d37c1..1d3ca46e007e 100644 --- a/doc/radosgw/STS.rst +++ b/doc/radosgw/STS.rst @@ -63,13 +63,22 @@ Parameters: Before invoking AssumeRoleWithWebIdentity, an OpenID Connect Provider entity (which the web application authenticates with), needs to be created in RGW. -The trust between the IDP and the role is created by adding a Condition to the role trust policy, which -allows access only to applications with the app id given in the trust policy document. The Condition -is of the form:: +The trust between the IDP and the role is created by adding a condition to the role's trust policy, which +allows access only to applications which satisfy the given condition. +All claims of the JWT are supported in the condition of the role's trust policy. +An example of a policy that uses the 'aud' claim in the condition is of the form:: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\" :app_id\":\"\"\}\}\}\]\}" -The app_id in the condition above must match the 'aud' field of the incoming token. +The app_id in the condition above must match the 'aud' claim of the incoming token. + +An example of a policy that uses the 'sub' claim in the condition is of the form:: + + "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\" :sub\":\"\"\}\}\}\]\}" + +Similarly, an example of a policy that uses 'azp' claim in the condition is of the form:: + + "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\" :azp\":\"\"\}\}\}\]\}" A shadow user is created corresponding to every federated user. The user id is derived from the 'sub' field of the incoming web token. The user is created in a separate namespace - 'oidc' such that the user id doesn't clash with any other user ids in rgw. The format of the user id