[ceph.git] / ceph / doc / radosgw / role.rst

======
 Role
======

A role is similar to a user and has permission policies attached to it, that determine what a role can or can not do. A role can be assumed by any identity that needs it. If a user assumes a role, a set of dynamically created temporary credentials are returned to the user. A role can be used to delegate access to users, applications, services that do not have permissions to access some s3 resources.

The following radosgw-admin commands can be used to create/ delete/ update a role and permissions associated with a role.

Create a Role
-------------

To create a role, execute the following::

	radosgw-admin role create --role-name={role-name} [--path=="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}]

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``path``

:Description: Path to the role. The default value is a slash(/).
:Type: String

``assume-role-policy-doc``

:Description: The trust relationship policy document that grants an entity permission to assume the role.
:Type: String

For example:: 	
	
  radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
  
.. code-block:: javascript
  
  {
    "id": "ca43045c-082c-491a-8af1-2eebca13deec",
    "name": "S3Access1",
    "path": "/application_abc/component_xyz/",
    "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
    "create_date": "2018-10-17T10:18:29.116Z",
    "max_session_duration": 3600,
    "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
  }


Delete a Role
-------------

To delete a role, execute the following::

	radosgw-admin role delete --role-name={role-name}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

For example:: 	
	
  radosgw-admin role delete --role-name=S3Access1

Note: A role can be deleted only when it doesn't have any permission policy attached to it.

Get a Role
----------

To get information about a role, execute the following::

	radosgw-admin role get --role-name={role-name}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

For example:: 	
	
  radosgw-admin role get --role-name=S3Access1
  
.. code-block:: javascript
  
  {
    "id": "ca43045c-082c-491a-8af1-2eebca13deec",
    "name": "S3Access1",
    "path": "/application_abc/component_xyz/",
    "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
    "create_date": "2018-10-17T10:18:29.116Z",
    "max_session_duration": 3600,
    "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
  }


List Roles
----------

To list roles with a specified path prefix, execute the following::

	radosgw-admin role list [--path-prefix ={path prefix}]

Request Parameters
~~~~~~~~~~~~~~~~~~

``path-prefix``

:Description: Path prefix for filtering roles. If this is not specified, all roles are listed.
:Type: String

For example:: 	
	
  radosgw-admin role list --path-prefix="/application"
  
.. code-block:: javascript
  
  [
    {
        "id": "3e1c0ff7-8f2b-456c-8fdf-20f428ba6a7f",
        "name": "S3Access1",
        "path": "/application_abc/component_xyz/",
        "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
        "create_date": "2018-10-17T10:32:01.881Z",
        "max_session_duration": 3600,
        "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
    }
  ]


Update Assume Role Policy Document of a role
--------------------------------------------

To modify a role's assume role policy document, execute the following::

	radosgw-admin role-trust-policy modify --role-name={role-name} --assume-role-policy-doc={trust-policy-document}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``assume-role-policy-doc``

:Description: The trust relationship policy document that grants an entity permission to assume the role.
:Type: String

For example::

  radosgw-admin role-trust-policy modify --role-name=S3Access1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

.. code-block:: javascript

  {
    "id": "ca43045c-082c-491a-8af1-2eebca13deec",
    "name": "S3Access1",
    "path": "/application_abc/component_xyz/",
    "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
    "create_date": "2018-10-17T10:18:29.116Z",
    "max_session_duration": 3600,
    "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER2\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
  }


In the above example, we are modifying the Principal from TESTER to TESTER2 in its assume role policy document.

Add/ Update a Policy attached to a Role
---------------------------------------

To add or update the inline policy attached to a role, execute the following::

	radosgw-admin role policy put --role-name={role-name} --policy-name={policy-name} --policy-doc={permission-policy-doc}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``policy-name``

:Description: Name of the policy.
:Type: String

``policy-doc``

:Description: The Permission policy document.
:Type: String

For example::

  radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}

For passing ``policy-doc`` as a file::

  radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --infile policy-document.json

In the above example, we are attaching a policy 'Policy1' to role 'S3Access1', which allows all s3 actions on 'example_bucket'.

List Permission Policy Names attached to a Role
-----------------------------------------------

To list the names of permission policies attached to a role, execute the following::

	radosgw-admin role policy get --role-name={role-name}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

For example::

  radosgw-admin role-policy list --role-name=S3Access1

.. code-block:: javascript

  [
    "Policy1"
  ]


Get Permission Policy attached to a Role
----------------------------------------

To get a specific permission policy attached to a role, execute the following::

	radosgw-admin role policy get --role-name={role-name} --policy-name={policy-name}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``policy-name``

:Description: Name of the policy.
:Type: String

For example::

  radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1

.. code-block:: javascript

  {
    "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}"
  }


Delete Policy attached to a Role
--------------------------------

To delete permission policy attached to a role, execute the following::

	radosgw-admin role policy delete --role-name={role-name} --policy-name={policy-name}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``policy-name``

:Description: Name of the policy.
:Type: String

For example::

  radosgw-admin role-policy delete --role-name=S3Access1 --policy-name=Policy1


Update a role
-------------

To update a role's max-session-duration, execute the following::

	radosgw-admin role update --role-name={role-name} --max-session-duration={max-session-duration}

Request Parameters
~~~~~~~~~~~~~~~~~~

``role-name``

:Description: Name of the role.
:Type: String

``max-session-duration``

:Description: Maximum session duration for a role.
:Type: String

For example::

  radosgw-admin role update --role-name=S3Access1 --max-session-duration=43200

Note: This command currently can only be used to update max-session-duration.

REST APIs for Manipulating a Role
=================================

In addition to the above radosgw-admin commands, the following REST APIs can be used for manipulating a role. For the request parameters and their explanations, refer to the sections above.

In order to invoke the REST admin APIs, a user with admin caps needs to be created.

.. code-block:: javascript

  radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
  radosgw-admin caps add --uid="TESTER" --caps="roles=*"


Create a Role
-------------

Example::
  POST "<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"

.. code-block:: XML

  <role>
    <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
    <name>S3Access</name>
    <path>/application_abc/component_xyz/</path>
    <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
    <create_date>2018-10-23T07:43:42.811Z</create_date>
    <max_session_duration>3600</max_session_duration>
    <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
  </role>


Delete a Role
-------------

Example::
  POST "<hostname>?Action=DeleteRole&RoleName=S3Access"

Note: A role can be deleted only when it doesn't have any permission policy attached to it.

Get a Role
----------

Example::
  POST "<hostname>?Action=GetRole&RoleName=S3Access"

.. code-block:: XML

  <role>
    <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
    <name>S3Access</name>
    <path>/application_abc/component_xyz/</path>
    <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
    <create_date>2018-10-23T07:43:42.811Z</create_date>
    <max_session_duration>3600</max_session_duration>
    <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
  </role>


List Roles
----------

Example::
  POST "<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application"

.. code-block:: XML

  <role>
    <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
    <name>S3Access</name>
    <path>/application_abc/component_xyz/</path>
    <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
    <create_date>2018-10-23T07:43:42.811Z</create_date>
    <max_session_duration>3600</max_session_duration>
    <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
  </role>


Update Assume Role Policy Document
----------------------------------

Example::
  POST "<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"

Add/ Update a Policy attached to a Role
---------------------------------------

Example::
  POST "<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}"

List Permission Policy Names attached to a Role
-----------------------------------------------

Example::
  POST "<hostname>?Action=ListRolePolicies&RoleName=S3Access"

.. code-block:: XML

  <PolicyNames>
    <member>Policy1</member>
  </PolicyNames>


Get Permission Policy attached to a Role
----------------------------------------

Example::
  POST "<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1"

.. code-block:: XML

  <GetRolePolicyResult>
    <PolicyName>Policy1</PolicyName>
    <RoleName>S3Access</RoleName>
    <Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}</Permission_policy>
  </GetRolePolicyResult>


Delete Policy attached to a Role
--------------------------------

Example::
  POST "<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1"

Tag a role
----------
A role can have multivalued tags attached to it. These tags can be passed in as part of CreateRole REST API also.
AWS does not support multi-valued role tags.

Example::
  POST "<hostname>?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering"

.. code-block:: XML

  <TagRoleResponse>
    <ResponseMetadata>
      <RequestId>tx000000000000000000004-00611f337e-1027-default</RequestId>
    </ResponseMetadata>
  </TagRoleResponse>


List role tags
--------------
Lists the tags attached to a role.

Example::
  POST "<hostname>?Action=ListRoleTags&RoleName=S3Access"

.. code-block:: XML

  <ListRoleTagsResponse>
    <ListRoleTagsResult>
      <Tags>
        <member>
          <Key>Department</Key>
          <Value>Engineering</Value>
        </member>
      </Tags>
    </ListRoleTagsResult>
    <ResponseMetadata>
      <RequestId>tx000000000000000000005-00611f337e-1027-default</RequestId>
    </ResponseMetadata>
  </ListRoleTagsResponse>

Delete role tags
----------------
Delete a tag/ tags attached to a role.

Example::
  POST "<hostname>?Action=UntagRoles&RoleName=S3Access&TagKeys.member.1=Department"

.. code-block:: XML

  <UntagRoleResponse>
    <ResponseMetadata>
      <RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId>
    </ResponseMetadata>
  </UntagRoleResponse>

Update Role
-----------

Example::
  POST "<hostname>?Action=UpdateRole&RoleName=S3Access&MaxSessionDuration=43200"

.. code-block:: XML

  <UpdateRoleResponse>
    <UpdateRoleResult>
      <ResponseMetadata>
        <RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId>
      </ResponseMetadata>
      </UpdateRoleResult>
  </UpdateRoleResponse>

Note: This API currently can only be used to update max-session-duration.

Sample code for tagging, listing tags and untagging a role
----------------------------------------------------------

The following is sample code for adding tags to role, listing tags and untagging a role using boto3.

.. code-block:: python

    import boto3

    access_key = 'TESTER'
    secret_key = 'test123'

    iam_client = boto3.client('iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://s3.us-east.localhost:8000',
    region_name=''
    )

    policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/quickstart:sub\":\"user1\"}}}]}"

    print ("\n Creating Role with tags\n")
    tags_list = [
        {'Key':'Department','Value':'Engineering'}
    ]
    role_response = iam_client.create_role(
        AssumeRolePolicyDocument=policy_document,
        Path='/',
        RoleName='S3Access',
        Tags=tags_list,
    )

    print ("Adding tags to role\n")
    response = iam_client.tag_role(
                RoleName='S3Access',
                Tags= [
                        {'Key':'CostCenter','Value':'123456'}
                    ]
                )
    print ("Listing role tags\n")
    response = iam_client.list_role_tags(
                RoleName='S3Access'
                )
    print (response)
    print ("Untagging role\n")
    response = iam_client.untag_role(
        RoleName='S3Access',
        TagKeys=[
            'Department',
        ]
    )
Commit	Line	Data
11fdf7f2 TL	1	======
	2	Role
	3	======
	4
	5	A role is similar to a user and has permission policies attached to it, that determine what a role can or can not do. A role can be assumed by any identity that needs it. If a user assumes a role, a set of dynamically created temporary credentials are returned to the user. A role can be used to delegate access to users, applications, services that do not have permissions to access some s3 resources.
	6
20effc67	7	The following radosgw-admin commands can be used to create/ delete/ update a role and permissions associated with a role.
11fdf7f2 TL	8
	9	Create a Role
	10	-------------
	11
	12	To create a role, execute the following::
	13
	14	radosgw-admin role create --role-name={role-name} [--path=="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}]
	15
	16	Request Parameters
	17	~~~~~~~~~~~~~~~~~~
	18
	19	``role-name``
	20
	21	:Description: Name of the role.
	22	:Type: String
	23
	24	``path``
	25
	26	:Description: Path to the role. The default value is a slash(/).
	27	:Type: String
	28
	29	``assume-role-policy-doc``
	30
	31	:Description: The trust relationship policy document that grants an entity permission to assume the role.
	32	:Type: String
	33
	34	For example::
	35
	36	radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
	37
	38	.. code-block:: javascript
	39
	40	{
	41	"id": "ca43045c-082c-491a-8af1-2eebca13deec",
	42	"name": "S3Access1",
	43	"path": "/application_abc/component_xyz/",
	44	"arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
	45	"create_date": "2018-10-17T10:18:29.116Z",
	46	"max_session_duration": 3600,
	47	"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
	48	}
	49
	50
	51	Delete a Role
	52	-------------
	53
	54	To delete a role, execute the following::
	55
20effc67	56	radosgw-admin role delete --role-name={role-name}
11fdf7f2 TL	57
	58	Request Parameters
	59	~~~~~~~~~~~~~~~~~~
	60
	61	``role-name``
	62
	63	:Description: Name of the role.
	64	:Type: String
	65
	66	For example::
	67
20effc67	68	radosgw-admin role delete --role-name=S3Access1
11fdf7f2 TL	69
	70	Note: A role can be deleted only when it doesn't have any permission policy attached to it.
	71
	72	Get a Role
	73	----------
	74
	75	To get information about a role, execute the following::
	76
	77	radosgw-admin role get --role-name={role-name}
	78
	79	Request Parameters
	80	~~~~~~~~~~~~~~~~~~
	81
	82	``role-name``
	83
	84	:Description: Name of the role.
	85	:Type: String
	86
	87	For example::
	88
	89	radosgw-admin role get --role-name=S3Access1
	90
	91	.. code-block:: javascript
	92
	93	{
	94	"id": "ca43045c-082c-491a-8af1-2eebca13deec",
	95	"name": "S3Access1",
	96	"path": "/application_abc/component_xyz/",
	97	"arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
	98	"create_date": "2018-10-17T10:18:29.116Z",
	99	"max_session_duration": 3600,
	100	"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
	101	}
	102
	103
	104	List Roles
	105	----------
	106
	107	To list roles with a specified path prefix, execute the following::
	108
	109	radosgw-admin role list [--path-prefix ={path prefix}]
	110
	111	Request Parameters
	112	~~~~~~~~~~~~~~~~~~
	113
	114	``path-prefix``
	115
	116	:Description: Path prefix for filtering roles. If this is not specified, all roles are listed.
	117	:Type: String
	118
	119	For example::
	120
	121	radosgw-admin role list --path-prefix="/application"
	122
	123	.. code-block:: javascript
	124
	125	[
	126	{
	127	"id": "3e1c0ff7-8f2b-456c-8fdf-20f428ba6a7f",
	128	"name": "S3Access1",
	129	"path": "/application_abc/component_xyz/",
	130	"arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
	131	"create_date": "2018-10-17T10:32:01.881Z",
	132	"max_session_duration": 3600,
133	"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
134	}
135	]
136
137
138	Update Assume Role Policy Document of a role
139	--------------------------------------------
140
141	To modify a role's assume role policy document, execute the following::
142
1e59de90	143	radosgw-admin role-trust-policy modify --role-name={role-name} --assume-role-policy-doc={trust-policy-document}
11fdf7f2 TL	144
	145	Request Parameters
	146	~~~~~~~~~~~~~~~~~~
	147
	148	``role-name``
	149
	150	:Description: Name of the role.
	151	:Type: String
	152
	153	``assume-role-policy-doc``
	154
	155	:Description: The trust relationship policy document that grants an entity permission to assume the role.
	156	:Type: String
	157
	158	For example::
	159
1e59de90	160	radosgw-admin role-trust-policy modify --role-name=S3Access1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
11fdf7f2 TL	161
	162	.. code-block:: javascript
	163
	164	{
	165	"id": "ca43045c-082c-491a-8af1-2eebca13deec",
	166	"name": "S3Access1",
	167	"path": "/application_abc/component_xyz/",
	168	"arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
	169	"create_date": "2018-10-17T10:18:29.116Z",
	170	"max_session_duration": 3600,
	171	"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER2\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
	172	}
	173
	174
	175	In the above example, we are modifying the Principal from TESTER to TESTER2 in its assume role policy document.
	176
	177	Add/ Update a Policy attached to a Role
	178	---------------------------------------
	179
	180	To add or update the inline policy attached to a role, execute the following::
	181
	182	radosgw-admin role policy put --role-name={role-name} --policy-name={policy-name} --policy-doc={permission-policy-doc}
	183
	184	Request Parameters
	185	~~~~~~~~~~~~~~~~~~
	186
	187	``role-name``
	188
	189	:Description: Name of the role.
	190	:Type: String
	191
	192	``policy-name``
	193
	194	:Description: Name of the policy.
	195	:Type: String
	196
	197	``policy-doc``
	198
	199	:Description: The Permission policy document.
	200	:Type: String
	201
	202	For example::
	203
	204	radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}
	205
1e59de90 TL	206	For passing ``policy-doc`` as a file::
	207
	208	radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --infile policy-document.json
	209
11fdf7f2 TL	210	In the above example, we are attaching a policy 'Policy1' to role 'S3Access1', which allows all s3 actions on 'example_bucket'.
	211
	212	List Permission Policy Names attached to a Role
	213	-----------------------------------------------
	214
	215	To list the names of permission policies attached to a role, execute the following::
	216
	217	radosgw-admin role policy get --role-name={role-name}
	218
	219	Request Parameters
	220	~~~~~~~~~~~~~~~~~~
	221
	222	``role-name``
	223
	224	:Description: Name of the role.
	225	:Type: String
	226
	227	For example::
	228
	229	radosgw-admin role-policy list --role-name=S3Access1
	230
	231	.. code-block:: javascript
	232
	233	[
	234	"Policy1"
	235	]
	236
	237
	238	Get Permission Policy attached to a Role
	239	----------------------------------------
	240
	241	To get a specific permission policy attached to a role, execute the following::
	242
	243	radosgw-admin role policy get --role-name={role-name} --policy-name={policy-name}
	244
	245	Request Parameters
	246	~~~~~~~~~~~~~~~~~~
	247
	248	``role-name``
	249
	250	:Description: Name of the role.
	251	:Type: String
	252
	253	``policy-name``
	254
	255	:Description: Name of the policy.
	256	:Type: String
	257
	258	For example::
	259
	260	radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1
	261
	262	.. code-block:: javascript
	263
	264	{
	265	"Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}"
	266	}
	267
	268
	269	Delete Policy attached to a Role
	270	--------------------------------
	271
	272	To delete permission policy attached to a role, execute the following::
	273
20effc67	274	radosgw-admin role policy delete --role-name={role-name} --policy-name={policy-name}
11fdf7f2 TL	275
	276	Request Parameters
	277	~~~~~~~~~~~~~~~~~~
	278
	279	``role-name``
	280
	281	:Description: Name of the role.
	282	:Type: String
	283
	284	``policy-name``
	285
	286	:Description: Name of the policy.
	287	:Type: String
	288
	289	For example::
	290
20effc67	291	radosgw-admin role-policy delete --role-name=S3Access1 --policy-name=Policy1
11fdf7f2 TL	292
11fdf7f2 TL	293
1e59de90 TL	294	Update a role
	295	-------------
	296
	297	To update a role's max-session-duration, execute the following::
	298
	299	radosgw-admin role update --role-name={role-name} --max-session-duration={max-session-duration}
	300
	301	Request Parameters
	302	~~~~~~~~~~~~~~~~~~
	303
	304	``role-name``
	305
	306	:Description: Name of the role.
	307	:Type: String
	308
	309	``max-session-duration``
	310
	311	:Description: Maximum session duration for a role.
	312	:Type: String
	313
	314	For example::
	315
	316	radosgw-admin role update --role-name=S3Access1 --max-session-duration=43200
	317
	318	Note: This command currently can only be used to update max-session-duration.
	319
11fdf7f2 TL	320	REST APIs for Manipulating a Role
	321	=================================
	322
	323	In addition to the above radosgw-admin commands, the following REST APIs can be used for manipulating a role. For the request parameters and their explanations, refer to the sections above.
	324
	325	In order to invoke the REST admin APIs, a user with admin caps needs to be created.
	326
	327	.. code-block:: javascript
	328
	329	radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
	330	radosgw-admin caps add --uid="TESTER" --caps="roles=*"
	331
	332
	333	Create a Role
	334	-------------
	335
	336	Example::
	337	POST "<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"
	338
	339	.. code-block:: XML
	340
	341	<role>
	342	<id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
	343	<name>S3Access</name>
	344	<path>/application_abc/component_xyz/</path>
	345	<arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
	346	<create_date>2018-10-23T07:43:42.811Z</create_date>
	347	<max_session_duration>3600</max_session_duration>
	348	<assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
	349	</role>
	350
	351
	352	Delete a Role
	353	-------------
	354
	355	Example::
	356	POST "<hostname>?Action=DeleteRole&RoleName=S3Access"
	357
	358	Note: A role can be deleted only when it doesn't have any permission policy attached to it.
	359
	360	Get a Role
	361	----------
	362
	363	Example::
	364	POST "<hostname>?Action=GetRole&RoleName=S3Access"
	365
	366	.. code-block:: XML
	367
	368	<role>
	369	<id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
	370	<name>S3Access</name>
	371	<path>/application_abc/component_xyz/</path>
	372	<arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
	373	<create_date>2018-10-23T07:43:42.811Z</create_date>
	374	<max_session_duration>3600</max_session_duration>
	375	<assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
	376	</role>
	377
	378
	379	List Roles
	380	----------
	381
	382	Example::
	383	POST "<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application"
384
385	.. code-block:: XML
386
387	<role>
388	<id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
389	<name>S3Access</name>
390	<path>/application_abc/component_xyz/</path>
391	<arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
392	<create_date>2018-10-23T07:43:42.811Z</create_date>
393	<max_session_duration>3600</max_session_duration>
394	<assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
395	</role>
396
397
398	Update Assume Role Policy Document
399	----------------------------------
400
401	Example::
402	POST "<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"
403
404	Add/ Update a Policy attached to a Role
405	---------------------------------------
406
407	Example::
408	POST "<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}"
409
410	List Permission Policy Names attached to a Role
411	-----------------------------------------------
412
413	Example::
414	POST "<hostname>?Action=ListRolePolicies&RoleName=S3Access"
415
416	.. code-block:: XML
417
418	<PolicyNames>
419	<member>Policy1</member>
420	</PolicyNames>
421
422
423	Get Permission Policy attached to a Role
424	----------------------------------------
425
426	Example::
427	POST "<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1"
428
429	.. code-block:: XML
430
431	<GetRolePolicyResult>
432	<PolicyName>Policy1</PolicyName>
433	<RoleName>S3Access</RoleName>
434	<Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}</Permission_policy>
435	</GetRolePolicyResult>
436
437
438	Delete Policy attached to a Role
439	--------------------------------
440
441	Example::
20effc67 TL	442	POST "<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1"
	443
	444	Tag a role
	445	----------
	446	A role can have multivalued tags attached to it. These tags can be passed in as part of CreateRole REST API also.
	447	AWS does not support multi-valued role tags.
	448
	449	Example::
	450	POST "<hostname>?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering"
	451
	452	.. code-block:: XML
	453
	454	<TagRoleResponse>
	455	<ResponseMetadata>
	456	<RequestId>tx000000000000000000004-00611f337e-1027-default</RequestId>
	457	</ResponseMetadata>
	458	</TagRoleResponse>
	459
	460
	461	List role tags
	462	--------------
	463	Lists the tags attached to a role.
	464
	465	Example::
	466	POST "<hostname>?Action=ListRoleTags&RoleName=S3Access"
	467
	468	.. code-block:: XML
	469
	470	<ListRoleTagsResponse>
	471	<ListRoleTagsResult>
	472	<Tags>
	473	<member>
	474	<Key>Department</Key>
	475	<Value>Engineering</Value>
	476	</member>
	477	</Tags>
	478	</ListRoleTagsResult>
	479	<ResponseMetadata>
	480	<RequestId>tx000000000000000000005-00611f337e-1027-default</RequestId>
	481	</ResponseMetadata>
	482	</ListRoleTagsResponse>
	483
	484	Delete role tags
	485	----------------
	486	Delete a tag/ tags attached to a role.
	487
	488	Example::
	489	POST "<hostname>?Action=UntagRoles&RoleName=S3Access&TagKeys.member.1=Department"
	490
	491	.. code-block:: XML
	492
	493	<UntagRoleResponse>
	494	<ResponseMetadata>
	495	<RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId>
	496	</ResponseMetadata>
	497	</UntagRoleResponse>
	498
1e59de90 TL	499	Update Role
	500	-----------
	501
	502	Example::
	503	POST "<hostname>?Action=UpdateRole&RoleName=S3Access&MaxSessionDuration=43200"
	504
	505	.. code-block:: XML
	506
	507	<UpdateRoleResponse>
	508	<UpdateRoleResult>
	509	<ResponseMetadata>
	510	<RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId>
	511	</ResponseMetadata>
	512	</UpdateRoleResult>
	513	</UpdateRoleResponse>
	514
	515	Note: This API currently can only be used to update max-session-duration.
20effc67 TL	516
	517	Sample code for tagging, listing tags and untagging a role
	518	----------------------------------------------------------
	519
	520	The following is sample code for adding tags to role, listing tags and untagging a role using boto3.
	521
	522	.. code-block:: python
	523
	524	import boto3
	525
	526	access_key = 'TESTER'
	527	secret_key = 'test123'
	528
	529	iam_client = boto3.client('iam',
	530	aws_access_key_id=access_key,
	531	aws_secret_access_key=secret_key,
	532	endpoint_url='http://s3.us-east.localhost:8000',
	533	region_name=''
	534	)
	535
	536	policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/quickstart:sub\":\"user1\"}}}]}"
	537
	538	print ("\n Creating Role with tags\n")
	539	tags_list = [
	540	{'Key':'Department','Value':'Engineering'}
	541	]
	542	role_response = iam_client.create_role(
	543	AssumeRolePolicyDocument=policy_document,
	544	Path='/',
	545	RoleName='S3Access',
	546	Tags=tags_list,
	547	)
	548
	549	print ("Adding tags to role\n")
	550	response = iam_client.tag_role(
	551	RoleName='S3Access',
	552	Tags= [
	553	{'Key':'CostCenter','Value':'123456'}
	554	]
	555	)
	556	print ("Listing role tags\n")
	557	response = iam_client.list_role_tags(
	558	RoleName='S3Access'
	559	)
	560	print (response)
	561	print ("Untagging role\n")
	562	response = iam_client.untag_role(
	563	RoleName='S3Access',
	564	TagKeys=[
	565	'Department',
	566	]
	567	)
	568
	569
	570