From 9da610b679d688360c51f46e29a11a15da5868a1 Mon Sep 17 00:00:00 2001 From: Ville Ojamo <14869000+bluikko@users.noreply.github.com> Date: Wed, 1 Jul 2026 16:14:27 +0700 Subject: [PATCH] doc/radosgw: improve style slightly in STS.rst Fix capitalization and remove unnecessary dashes in text. Use double backticks for literals. Signed-off-by: Ville Ojamo --- doc/radosgw/STS.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/radosgw/STS.rst b/doc/radosgw/STS.rst index 916cb905d6a..946f15c09a7 100644 --- a/doc/radosgw/STS.rst +++ b/doc/radosgw/STS.rst @@ -30,10 +30,10 @@ The following STS REST APIs have been implemented in Ceph Object Gateway: **DurationSeconds** (Integer/ Optional): The duration in seconds of the session. Its default value is 3600. - **ExternalId** (String/ Optional): A unique Id that might be used when a role is + **ExternalId** (String/ Optional): A unique ID that might be used when a role is assumed in another account. - **SerialNumber** (String/ Optional): The Id number of the MFA device associated + **SerialNumber** (String/ Optional): The ID number of the MFA device associated with the user making the AssumeRole call. **TokenCode** (String/ Optional): The value provided by the MFA device, if the @@ -91,9 +91,9 @@ Similarly, an example of a policy that uses 'azp' claim in the condition is of t "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\" :azp\":\"\"\}\}\}\]\}" -A shadow user is created corresponding to every federated user. The user id is derived from the 'sub' field of the incoming web token. -The user is created in a separate namespace - 'oidc' such that the user id doesn't clash with any other user ids in RGW. The format of the user id -is - ``$$`` where user-namespace is 'oidc' for users that authenticate with oidc providers. +A shadow user is created corresponding to every federated user. The user ID is derived from the ``sub`` field of the incoming web token. +The user is created in a separate namespace ``oidc`` such that the user ID doesn't clash with any other user IDs in RGW. The format of the user ID +is ``$$`` where ``user-namespace`` is ``oidc`` for users that authenticate with OIDC providers. RGW now supports Session tags that can be passed in the web token to AssumeRoleWithWebIdentity call. More information related to Session Tags can be found here :doc:`session-tags`. -- 2.47.3