diff --git a/test/s3/iam/iam_config.json b/test/s3/iam/iam_config.json
index 4c689cf11..5a078205e 100644
--- a/test/s3/iam/iam_config.json
+++ b/test/s3/iam/iam_config.json
@@ -46,6 +46,11 @@
 "claim": "roles",
 "value": "s3-write-only",
 "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
+ },
+ {
+ "claim": "roles",
+ "value": "s3-read-write",
+ "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
 }
 ],
 "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
@@ -166,6 +171,25 @@
 "attachedPolicies": ["S3WriteOnlyPolicy"],
 "description": "Write-only role for Keycloak users"
 }
+ ,
+ {
+ "roleName": "KeycloakReadWriteRole",
+ "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
+ "trustPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "keycloak"
+ },
+ "Action": ["sts:AssumeRoleWithWebIdentity"]
+ }
+ ]
+ },
+ "attachedPolicies": ["S3ReadWritePolicy"],
+ "description": "Read-write role for Keycloak users"
+ }
 ],
 "policies": [
 {
@@ -244,5 +268,29 @@
 ]
 }
 }
+ ,
+ {
+ "name": "S3ReadWritePolicy",
+ "document": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": ["sts:ValidateSession"],
+ "Resource": ["*"]
+ }
+ ]
+ }
+ }
 ]
 }
diff --git a/test/s3/iam/setup_keycloak.sh b/test/s3/iam/setup_keycloak.sh
index 2adb26fbf..60073952a 100755
--- a/test/s3/iam/setup_keycloak.sh
+++ b/test/s3/iam/setup_keycloak.sh
@@ -272,6 +272,7 @@ main() {
 create_role "$ADMIN_TOKEN" "s3-admin" "SeaweedFS S3 Administrator"
 create_role "$ADMIN_TOKEN" "s3-read-only" "SeaweedFS S3 Read-Only User"
 create_role "$ADMIN_TOKEN" "s3-write-only" "SeaweedFS S3 Write-Only User"
+ create_role "$ADMIN_TOKEN" "s3-read-write" "SeaweedFS S3 Read-Write User"
 
 sleep 1
 # Create test users
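Review bot: The separator comma for the new `KeycloakReadWriteRole` entry is added as a standalone line (`+ ,`) after the previous role's closing brace instead of being appended to that brace, which is valid JSON but reads as a paste artefact and breaks the one-object-per-entry layout the surrounding file uses. Turn the context line `}` into `},` and drop the lone `,` line; the `S3ReadWritePolicy` hunk further down has the same shape and should get the same fix.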
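Review bot: `S3ReadWritePolicy` grants `"s3:*"` on every bucket and every object, which is considerably broader than the "read-write" name and role description imply — the wildcard also covers bucket creation/deletion and bucket policy or ACL management, so a Keycloak user mapped to `s3-read-write` ends up with effectively administrative S3 rights rather than object read/write. Enumerating the intended actions (for example `"s3:GetObject"`, `"s3:PutObject"`, `"s3:DeleteObject"`, `"s3:ListBucket"`) would keep the policy aligned with its name and, presumably, with the read-only and write-only policies next to it — those are outside the hunk, so worth checking how they are written. If the wildcard is deliberate for this test fixture, a short `"description"` on the policy saying so would stop the next reader from copying it into a real deployment.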
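Review bot: The new `s3-read-write` realm role is created, but nothing in this diff assigns it to a test user, so the new claim mapping and `S3ReadWritePolicy` in iam_config.json may never be exercised by the test suite. The `# Create test users` section starts at the last context line and continues outside the hunk, so this is inferred; if no user carries the role, consider adding one there so the read-write path is actually covered. The rest of `main()` is outside the hunk.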