[Ceph Rados Gateway] 403 when using S3 client

Taltavull Jean-François jean-francois.taltavull at elca.ch
Wed Mar 30 09:01:30 UTC 2022

Hi Jonathan,

The keystone URL is correct. HAProxy has been configured to handle this kind or URL.

And everything works fine with the openstack client.

From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
Sent: mercredi, 30 mars 2022 10:44
To: openstack-discuss at lists.openstack.org
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

EXTERNAL MESSAGE - This email comes from outside ELCA companies.

Hi Jean-Francois.

I have the following difference to your config:

rgw keystone url = http://xx.xx.xx.xx:5000

The normal OSA loadbalancer setup would have the keystone service on port 5000.

On 30/03/2022 09:24, Taltavull Jean-François wrote:
Hi Dmitriy,

I just tried with s3cmd but I still get a 403.

Here is the rgw section of ceph.conf:

rgw_keystone_url = http://xxxxx.xxxx.xxx/identity
rgw_keystone_api_version = 3
rgw_keystone_admin_user = radosgw
rgw_keystone_admin_password = xxxxxxxxxxxxxxxxxxxxxxxxx
rgw_keystone_admin_project = service
rgw_keystone_admin_domain = default
rgw_keystone_accepted_roles = member, _member_, admin, swiftoperator
rgw_keystone_accepted_admin_roles = ResellerAdmin
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
rgw_swift_versioning_enabled = true
rgw_enable_apis = swift,s3
rgw_s3_auth_use_keystone = true

From: Dmitriy Rabotyagov <noonedeadpunk at ya.ru><mailto:noonedeadpunk at ya.ru>
Sent: mardi, 29 mars 2022 18:49
To: openstack-discuss <openstack-discuss at lists.openstack.org><mailto:openstack-discuss at lists.openstack.org>
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

EXTERNAL MESSAGE - This email comes from outside ELCA companies.

- все

Hi Jean-Francois.

It's quite hard to understand what exactly could went wrong based on the information you've provided.
Highly likely it's related to the RGW configuration itself and it's integration with keystone to be specific.

Would be helpful if you could provide your ceph.conf regarding rgw configuration.

I'm also not 100% sure if awscli does work with RGW... At least I always used s3cmd or rclone to interact with RGW S3 API.

29.03.2022, 16:36, "Taltavull Jean-François" <jean-francois.taltavull at elca.ch<mailto:jean-francois.taltavull at elca.ch>>:

Hi All,

I get an http 403 error code when I try to get the bucket list with Ubuntu (Focal) S3 client (awscli).

S3 api has been activated in radosgw config file and EC2 credentials have been created and put in S3 client config file.

Otherwise, everything is working fine with OpenStack client.

My deployment:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and Rados GW Octopus

Has any of you already experienced this kind of behaviour ?

Many thanks,

Kind Regards,
Dmitriy Rabotyagov

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220330/3e0726e5/attachment-0001.htm>

More information about the openstack-discuss mailing list