Multicloud Object Gateway (MCG) supports a security token service (STS) similar to
the one provided by Amazon Web Services. The MCG STS authorizes a user to assume the role of
another user.
About this task
To authorize other users to assume the role of a certain user, you need to assign a role
configuration to that user. You manage role configurations by using the MCG command-line
interface (CLI) tool.
The following example shows the role configuration that allows two MCG users
(assumer@mcg.test and assumer2@mcg.test) to assume a certain
user’s role:
'{"role_name": "AllowTwoAssumers", "assume_role_policy": {"version": "2012-10-17", "statement": [ {"action": ["sts:AssumeRole"], "effect": "allow", "principal": ["assumer@mcg.test", "assumer2@mcg.test"]}]}}'
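The following Python example is added here to show how a role configuration of this shape is built, serialized for the CLI, and reviewed before it is assigned; it is not part of the MCG project or its documentation. It assumes that the trust policy is evaluated with AWS-style semantics (an explicit deny wins, otherwise at least one matching allow is required) and that a "*" principal means any user; both are assumptions, not documented MCG behavior.

```python
import json

# Constructed role configuration with the same shape as the documented example.
ROLE_CONFIG = {
    "role_name": "AllowTwoAssumers",
    "assume_role_policy": {
        "version": "2012-10-17",
        "statement": [
            {
                "action": ["sts:AssumeRole"],
                "effect": "allow",
                "principal": ["assumer@mcg.test", "assumer2@mcg.test"],
            }
        ],
    },
}


def build_role_config(role_name, principals, effect="allow"):
    """Build a role configuration dict for the MCG CLI --role_config argument."""
    return {
        "role_name": role_name,
        "assume_role_policy": {
            "version": "2012-10-17",
            "statement": [
                {
                    "action": ["sts:AssumeRole"],
                    "effect": effect,
                    "principal": list(principals),
                }
            ],
        },
    }


def role_config_json(config):
    """Serialize the configuration as the single-line JSON string passed on the command line."""
    return json.dumps(config, separators=(",", ":"))


def may_assume(config, principal, action="sts:AssumeRole"):
    """Decide whether principal may perform action on this role.

    Assumed semantics (AWS trust-policy style): an explicit deny always wins,
    otherwise at least one matching allow statement is required. A "*" principal
    is assumed to match any user.
    """
    allowed = False
    for stmt in config["assume_role_policy"]["statement"]:
        actions = stmt.get("action", [])
        principals = stmt.get("principal", [])
        if action not in actions or not (principal in principals or "*" in principals):
            continue
        effect = stmt.get("effect", "").lower()
        if effect == "deny":
            return False
        if effect == "allow":
            allowed = True
    return allowed


def review_role_config(config):
    """Return least-privilege findings for a role configuration (empty list means clean)."""
    findings = []
    policy = config.get("assume_role_policy", {})
    if policy.get("version") != "2012-10-17":
        findings.append("unexpected or missing policy version")
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect", "").lower() not in ("allow", "deny"):
            findings.append(f"statement {i}: effect must be allow or deny")
        if not stmt.get("principal"):
            findings.append(f"statement {i}: empty principal list")
        elif "*" in stmt["principal"]:
            findings.append(f"statement {i}: wildcard principal lets any user assume the role")
        for act in stmt.get("action", []):
            if act != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {act!r}")
    return findings
```

Running review_role_config over a configuration before passing role_config_json(...) to the CLI catches the two mistakes that most often over-grant: a wildcard principal, and an action other than sts:AssumeRole in a trust policy.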
Procedure
- Assign the role configuration by using the MCG CLI tool.
  mcg sts assign-role --email <assumed user's username> --role_config '{"role_name": "AllowTwoAssumers", "assume_role_policy": {"version": "2012-10-17", "statement": [ {"action": ["sts:AssumeRole"], "effect": "allow", "principal": ["assumer@mcg.test", "assumer2@mcg.test"]}]}}'
- Collect the following information:
- Assign the configuration role to the appropriate user.
  AWS_ACCESS_KEY_ID=<aws-access-key-id> AWS_SECRET_ACCESS_KEY=<aws-secret-access-key1> aws --endpoint-url <mcg-sts-endpoint> sts assume-role --role-arn arn:aws:sts::<assumed-user-access-key-id>:role/<role-name> --role-session-name <role-session-name>
Note: Adding --no-verify-ssl might be necessary depending on the configuration of
the cluster.
The output contains the access key ID, secret access key, and session token that can be used for
running actions while assuming the other user’s role.
You can use the credentials generated by the assume-role step, as shown in the following
example:
AWS_ACCESS_KEY_ID=<aws-access-key-id> AWS_SECRET_ACCESS_KEY=<aws-secret-access-key1> AWS_SESSION_TOKEN=<session token> aws --endpoint-url <mcg-s3-endpoint> s3 ls
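The following Python example is added to show how the assume-role output is turned into the environment for the S3 call above, so that the temporary credentials travel in the process environment rather than on the command line; it is not code from the MCG project. The sample response is constructed in the shape the AWS CLI prints for sts assume-role, with placeholder values; the Expiration field is assumed to be present and is treated as optional.

```python
import json
import os
import subprocess
from datetime import datetime, timezone

# Constructed sample of the assume-role response (placeholder values).
SAMPLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "<temporary-access-key-id>",
    "SecretAccessKey": "<temporary-secret-access-key>",
    "SessionToken": "<session-token>",
    "Expiration": "2030-01-01T00:00:00Z"
  }
}"""

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken")


def credentials_from_output(text):
    """Map the assume-role JSON to the AWS_* variables the S3 call needs.

    Returns (env, expiration); expiration is None when the response has no
    Expiration field (assumed optional).
    """
    creds = json.loads(text)["Credentials"]
    missing = [key for key in REQUIRED if not creds.get(key)]
    if missing:
        raise ValueError(f"assume-role response lacks {missing}")
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    return env, creds.get("Expiration")


def is_expired(expiration, now=None):
    """True when the expiration timestamp is present and already in the past."""
    if not expiration:
        return False
    expires = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return expires <= now


def s3_ls_argv(endpoint, verify_ssl=True):
    """argv for the listing command; no secrets appear here, only in the environment."""
    argv = ["aws", "--endpoint-url", endpoint]
    if not verify_ssl:
        argv.append("--no-verify-ssl")
    return argv + ["s3", "ls"]


def run_s3_ls(output_text, endpoint, verify_ssl=True):
    """Run aws s3 ls with the temporary credentials injected via the environment."""
    env, expiration = credentials_from_output(output_text)
    if is_expired(expiration):
        raise RuntimeError("session token has expired; run assume-role again")
    child_env = {**os.environ, **env}
    result = subprocess.run(
        s3_ls_argv(endpoint, verify_ssl), env=child_env, check=True,
        capture_output=True, text=True,
    )
    return result.stdout
```

Passing the three variables through the environment keeps the session token out of shell history and process listings, which the one-line form above does not; the expiration check avoids a confusing access-denied error once the temporary credentials have lapsed.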