From: Pritha Srivastava Date: Fri, 30 Jul 2021 10:22:58 +0000 (+0530) Subject: rgw/sts: documentation related to tag, list tags X-Git-Tag: v17.1.0~969^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=73032e05e5455657b8630f841a0e6c5e9748a176;p=ceph.git rgw/sts: documentation related to tag, list tags and untag REST APIs for a role. Signed-off-by: Pritha Srivastava
---
diff --git a/doc/radosgw/role.rst b/doc/radosgw/role.rst
index a774624315a3..97cfa85beaaf 100644
--- a/doc/radosgw/role.rst
+++ b/doc/radosgw/role.rst
@@ -410,3 +410,114 @@ Delete Policy attached to a Role Example:: POST "?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1" + +Tag a role +---------- +A role can have multivalued tags attached to it. These tags can be passed in as part of CreateRole REST API also. +AWS does not support multi-valued role tags. + +Example:: + POST "?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering" + +.. code-block:: XML + + + + tx000000000000000000004-00611f337e-1027-default + + + + +List role tags +-------------- +Lists the tags attached to a role. + +Example:: + POST "?Action=ListRoleTags&RoleName=S3Access" + +.. code-block:: XML + + + + + + Department + Engineering + + + + + tx000000000000000000005-00611f337e-1027-default + + + +Delete role tags +---------------- +Delete a tag/ tags attached to a role. + +Example:: + POST "?Action=UntagRoles&RoleName=S3Access&TagKeys.member.1=Department" + +.. code-block:: XML + + + + tx000000000000000000007-00611f337e-1027-default + + + + +Sample code for tagging, listing tags and untagging a role +---------------------------------------------------------- + +The following is sample code for adding tags to role, listing tags and untagging a role using boto3. + +.. 
code-block:: python + + import boto3 + + access_key = 'TESTER' + secret_key = 'test123' + + iam_client = boto3.client('iam', + aws_access_key_id=access_key, + aws_secret_access_key=secret_key, + endpoint_url='http://s3.us-east.localhost:8000', + region_name='' + ) + + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/quickstart:sub\":\"user1\"}}}]}" + + print ("\n Creating Role with tags\n") + tags_list = [ + {'Key':'Department','Value':'Engineering'} + ] + role_response = iam_client.create_role( + AssumeRolePolicyDocument=policy_document, + Path='/', + RoleName='S3Access', + Tags=tags_list, + ) + + print ("Adding tags to role\n") + response = iam_client.tag_role( + RoleName='S3Access', + Tags= [ + {'Key':'CostCenter','Value':'123456'} + ] + ) + print ("Listing role tags\n") + response = iam_client.list_role_tags( + RoleName='S3Access' + ) + print (response) + print ("Untagging role\n") + response = iam_client.untag_role( + RoleName='S3Access', + TagKeys=[ + 'Department', + ] + ) + + + diff --git a/doc/radosgw/session-tags.rst b/doc/radosgw/session-tags.rst index a72cf0532512..ee8d42bb1779 100644 --- a/doc/radosgw/session-tags.rst +++ b/doc/radosgw/session-tags.rst 
@@ -107,6 +107,8 @@ An example of a role permission policy that uses aws:PrincipalTag is as follows: 3. iam:ResourceTag: This key is used to compare the key-value pair attached to the resource with the key-value pair in the policy. In case of AssumeRoleWithWebIdentity, tags attached to the role can be used to compare with that in the trust policy to allow a user to assume a role. +RGW now supports REST APIs for tagging, listing tags and untagging actions on a role. More information related to +role tagging can be found here :doc:`role`. An example of a role's trust policy that uses aws:ResourceTag is as follows: