5 A role is similar to a user and has permission policies attached to it, that determine what a role can or can not do. A role can be assumed by any identity that needs it. If a user assumes a role, a set of dynamically created temporary credentials are returned to the user. A role can be used to delegate access to users, applications, services that do not have permissions to access some s3 resources.
7 The following radosgw-admin commands can be used to create/ delete/ update a role and permissions associated with a role.
12 To create a role, execute the following::
14 radosgw-admin role create --role-name={role-name} [--path=="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}]
21 :Description: Name of the role.
26 :Description: Path to the role. The default value is a slash(/).
29 ``assume-role-policy-doc``
31 :Description: The trust relationship policy document that grants an entity permission to assume the role.
36 radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
38 .. code-block:: javascript
41 "id": "ca43045c-082c-491a-8af1-2eebca13deec",
43 "path": "/application_abc/component_xyz/",
44 "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
45 "create_date": "2018-10-17T10:18:29.116Z",
46 "max_session_duration": 3600,
47 "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
54 To delete a role, execute the following::
56 radosgw-admin role delete --role-name={role-name}
63 :Description: Name of the role.
68 radosgw-admin role delete --role-name=S3Access1
70 Note: A role can be deleted only when it doesn't have any permission policy attached to it.
75 To get information about a role, execute the following::
77 radosgw-admin role get --role-name={role-name}
84 :Description: Name of the role.
89 radosgw-admin role get --role-name=S3Access1
91 .. code-block:: javascript
94 "id": "ca43045c-082c-491a-8af1-2eebca13deec",
96 "path": "/application_abc/component_xyz/",
97 "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
98 "create_date": "2018-10-17T10:18:29.116Z",
99 "max_session_duration": 3600,
100 "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
107 To list roles with a specified path prefix, execute the following::
109 radosgw-admin role list [--path-prefix ={path prefix}]
116 :Description: Path prefix for filtering roles. If this is not specified, all roles are listed.
121 radosgw-admin role list --path-prefix="/application"
123 .. code-block:: javascript
127 "id": "3e1c0ff7-8f2b-456c-8fdf-20f428ba6a7f",
129 "path": "/application_abc/component_xyz/",
130 "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
131 "create_date": "2018-10-17T10:32:01.881Z",
132 "max_session_duration": 3600,
133 "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
138 Update Assume Role Policy Document of a role
139 --------------------------------------------
141 To modify a role's assume role policy document, execute the following::
143 radosgw-admin role modify --role-name={role-name} --assume-role-policy-doc={trust-policy-document}
150 :Description: Name of the role.
153 ``assume-role-policy-doc``
155 :Description: The trust relationship policy document that grants an entity permission to assume the role.
160 radosgw-admin role modify --role-name=S3Access1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
162 .. code-block:: javascript
165 "id": "ca43045c-082c-491a-8af1-2eebca13deec",
167 "path": "/application_abc/component_xyz/",
168 "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
169 "create_date": "2018-10-17T10:18:29.116Z",
170 "max_session_duration": 3600,
171 "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER2\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
175 In the above example, we are modifying the Principal from TESTER to TESTER2 in its assume role policy document.
177 Add/ Update a Policy attached to a Role
178 ---------------------------------------
180 To add or update the inline policy attached to a role, execute the following::
182 radosgw-admin role policy put --role-name={role-name} --policy-name={policy-name} --policy-doc={permission-policy-doc}
189 :Description: Name of the role.
194 :Description: Name of the policy.
199 :Description: The Permission policy document.
204 radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}
206 In the above example, we are attaching a policy 'Policy1' to role 'S3Access1', which allows all s3 actions on 'example_bucket'.
208 List Permission Policy Names attached to a Role
209 -----------------------------------------------
211 To list the names of permission policies attached to a role, execute the following::
213 radosgw-admin role policy get --role-name={role-name}
220 :Description: Name of the role.
225 radosgw-admin role-policy list --role-name=S3Access1
227 .. code-block:: javascript
234 Get Permission Policy attached to a Role
235 ----------------------------------------
237 To get a specific permission policy attached to a role, execute the following::
239 radosgw-admin role policy get --role-name={role-name} --policy-name={policy-name}
246 :Description: Name of the role.
251 :Description: Name of the policy.
256 radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1
258 .. code-block:: javascript
261 "Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}"
265 Delete Policy attached to a Role
266 --------------------------------
268 To delete permission policy attached to a role, execute the following::
270 radosgw-admin role policy delete --role-name={role-name} --policy-name={policy-name}
277 :Description: Name of the role.
282 :Description: Name of the policy.
287 radosgw-admin role-policy delete --role-name=S3Access1 --policy-name=Policy1
290 REST APIs for Manipulating a Role
291 =================================
293 In addition to the above radosgw-admin commands, the following REST APIs can be used for manipulating a role. For the request parameters and their explanations, refer to the sections above.
295 In order to invoke the REST admin APIs, a user with admin caps needs to be created.
297 .. code-block:: javascript
299 radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
300 radosgw-admin caps add --uid="TESTER" --caps="roles=*"
307 POST "<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"
312 <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
313 <name>S3Access</name>
314 <path>/application_abc/component_xyz/</path>
315 <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
316 <create_date>2018-10-23T07:43:42.811Z</create_date>
317 <max_session_duration>3600</max_session_duration>
318 <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
326 POST "<hostname>?Action=DeleteRole&RoleName=S3Access"
328 Note: A role can be deleted only when it doesn't have any permission policy attached to it.
334 POST "<hostname>?Action=GetRole&RoleName=S3Access"
339 <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
340 <name>S3Access</name>
341 <path>/application_abc/component_xyz/</path>
342 <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
343 <create_date>2018-10-23T07:43:42.811Z</create_date>
344 <max_session_duration>3600</max_session_duration>
345 <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
353 POST "<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application"
358 <id>8f41f4e0-7094-4dc0-ac20-074a881ccbc5</id>
359 <name>S3Access</name>
360 <path>/application_abc/component_xyz/</path>
361 <arn>arn:aws:iam:::role/application_abc/component_xyz/S3Access</arn>
362 <create_date>2018-10-23T07:43:42.811Z</create_date>
363 <max_session_duration>3600</max_session_duration>
364 <assume_role_policy_document>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}</assume_role_policy_document>
368 Update Assume Role Policy Document
369 ----------------------------------
372 POST "<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}"
374 Add/ Update a Policy attached to a Role
375 ---------------------------------------
378 POST "<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}"
380 List Permission Policy Names attached to a Role
381 -----------------------------------------------
384 POST "<hostname>?Action=ListRolePolicies&RoleName=S3Access"
389 <member>Policy1</member>
393 Get Permission Policy attached to a Role
394 ----------------------------------------
397 POST "<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1"
401 <GetRolePolicyResult>
402 <PolicyName>Policy1</PolicyName>
403 <RoleName>S3Access</RoleName>
404 <Permission_policy>{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:CreateBucket"],"Resource":"arn:aws:s3:::example_bucket"}]}</Permission_policy>
405 </GetRolePolicyResult>
408 Delete Policy attached to a Role
409 --------------------------------
412 POST "<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1"
416 A role can have multivalued tags attached to it. These tags can be passed in as part of CreateRole REST API also.
417 AWS does not support multi-valued role tags.
420 POST "<hostname>?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering"
426 <RequestId>tx000000000000000000004-00611f337e-1027-default</RequestId>
433 Lists the tags attached to a role.
436 POST "<hostname>?Action=ListRoleTags&RoleName=S3Access"
440 <ListRoleTagsResponse>
444 <Key>Department</Key>
445 <Value>Engineering</Value>
448 </ListRoleTagsResult>
450 <RequestId>tx000000000000000000005-00611f337e-1027-default</RequestId>
452 </ListRoleTagsResponse>
456 Delete a tag/ tags attached to a role.
459 POST "<hostname>?Action=UntagRoles&RoleName=S3Access&TagKeys.member.1=Department"
465 <RequestId>tx000000000000000000007-00611f337e-1027-default</RequestId>
470 Sample code for tagging, listing tags and untagging a role
471 ----------------------------------------------------------
473 The following is sample code for adding tags to role, listing tags and untagging a role using boto3.
475 .. code-block:: python
479 access_key = 'TESTER'
480 secret_key = 'test123'
482 iam_client = boto3.client('iam',
483 aws_access_key_id=access_key,
484 aws_secret_access_key=secret_key,
485 endpoint_url='http://s3.us-east.localhost:8000',
489 policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/quickstart:sub\":\"user1\"}}}]}"
491 print ("\n Creating Role with tags\n")
493 {'Key':'Department','Value':'Engineering'}
495 role_response = iam_client.create_role(
496 AssumeRolePolicyDocument=policy_document,
502 print ("Adding tags to role\n")
503 response = iam_client.tag_role(
506 {'Key':'CostCenter','Value':'123456'}
509 print ("Listing role tags\n")
510 response = iam_client.list_role_tags(
514 print ("Untagging role\n")
515 response = iam_client.untag_role(