KeyCloak Integration: Difference between revisions

index.php?title=Category:Integration guide

Setup Steps

Keycloak is a Third party authentication and OpenID Connect provider that can be integrated with Ceph RADOS Gateway to provide access control for Ceph Object Storage. Once you have configured CephRGW to communicate with the Keycloak server, users will be able to use 'Access Tokens' from the Keycloak server to provide authentication VIA the CephRGW STS service. Access Tokens from Keycloak have timeout periods and are useful to provide temporary access to bucket resources in the Ceph object storage pool.

Dependencies

• Docker - server
• Python3 & boto3 (pip3 install) - client
• Ceph RADOS Gateway - client
• OpenSSL - client
• jq - for processing json data in scripts

Keycloak Server Installation

1. You will need to make sure that docker is installed and that you have downloaded the latest image of the Keycloak docker container (see Keycloak docker guide). Docker depends on drivers in newer kernels, so it is important to select an image that can run on your distribution. Run key cloak server docker image.

docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.4 start-dev

2. Login to the admin terminal (you can replace 'localhost' with the IP of the desired host if accessing remotely) via web browser as admin/admin and create a new realm. For this example the realm name is 'ceph-kc'. This is the realm defined by the ceph object storage pool realm/zone group.

3. Create a new client 'ceph-kc-client'. Use the following Settings:

4. Go to the the 'Credentials' tab and record the client secret to be used to acquire access tokens.

5. We are going to need a few scripts to acquire access tokens and inspect them. Scripts can be downloaded here. Note that for each script you will need to edit the Key Cloak (KC) server parameters. In this case the key cloak server is the local host, but you can run these commands on a remote KC server if desired.

The script below will provide a service account 'access_token'. To do this, service accounts must be enabled on the KeyCloak server. You can also create users on the KeyCloak server and use those credentials to generate account access_tokens:

#!/bin/bash
KC_REALM='<realm-name>'
KC_CLIENT='<client-id>'
KC_CLIENT_SECRET='<client-secret>'
KC_SERVER='<server-host>:<server-port>' 

# Request Tokens for credentials
KC_RESPONSE=$( \
curl -s -k -v -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "scope=openid" \
-d "grant_type=client_credentials" \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"http://$KC_SERVER/realms/$KC_REALM/protocol/openid-connect/token" 2>/dev/null\
| jq .
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
#echo $KC_RESPONSE | jq .     # uncomment this line to print whole response.
echo $KC_ACCESS_TOKEN

# Example response :
#{
#  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfUjk0bEtWRUZsam1Rc19WRGlST25XS0JnWXJnOEExTXZWb0w3WWhIS19jIn0.eyJleHAiOjE2NDc5NjY4MjMsImlhdCI6MTY0Nzk2NjUyMywianRpIjoiNmU2NTNhNDctNmJlOS00NDlkLThkNmItN2NmNWUzMmYxYzc0IiwiaXNzIjoiaHR0cDovLzEwLjAuMjYuMTo4MDgwL2F1dGgvcmVhbG1zL2RlbW8iLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNTA3NTE4ZjAtZDYzNi00Y2Q3LWExMjgtYTFjZjZlYjE4MGFmIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXljbGllbnQiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLWRlbW8iXX0sInJlc291cmNlX2FjY2VzcyI6eyJteWNsaWVudCI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjEwLjAuMjYuMTQwIiwiY2xpZW50SWQiOiJteWNsaWVudCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1teWNsaWVudCIsImNsaWVudEFkZHJlc3MiOiIxMC4wLjI2LjE0MCJ9.N5uOlBPKd2KZ3bQAwpbhYxDzeK-AVmvytPcHEsRktKANE7xgtCxPzagneTh5nzcEFpsyTGKIJVFTIgs7DvNepnfw1UPn0khatEChNQ_B_HJF9-2WV-b8PdOEmxACLXlcKfV4N0dWfOytcbIqInfdQGdHD_z1TwPDTdb3iALcccTiaOLWHSNKZkLFNM-Tj7B2HCI6SyUtOFLtfOXutJd4vlhAc0vkRimLyb2zQyzLSIEUg4vCEk7vNeiTkqfMpEumnc62jnoMm5wjaA6SjQ9JOvDySvv_sGtq-cbTWG4tkJ0ASOQqQ8kKHXYN5WGICDf46o834CQjzozukD0V6DD_zQ",
#  "expires_in": 300,
#  "refresh_expires_in": 0,
#  "token_type": "Bearer",
#  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfUjk0bEtWRUZsam1Rc19WRGlST25XS0JnWXJnOEExTXZWb0w3WWhIS19jIn0.eyJleHAiOjE2NDc5NjY4MjMsImlhdCI6MTY0Nzk2NjUyMywiYXV0aF90aW1lIjowLCJqdGkiOiJkZjUyMzQwMS05NDkxLTQwZTctOWQzMC1hNDgxMzlmNDkzMzIiLCJpc3MiOiJodHRwOi8vMTAuMC4yNi4xOjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6Im15Y2xpZW50Iiwic3ViIjoiNTA3NTE4ZjAtZDYzNi00Y2Q3LWExMjgtYTFjZjZlYjE4MGFmIiwidHlwIjoiSUQiLCJhenAiOiJteWNsaWVudCIsImF0X2hhc2giOiIxU1FBMFlpUUQxbXFtQmV4aEU0VWNnIiwiYWNyIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjEwLjAuMjYuMTQwIiwiY2xpZW50SWQiOiJteWNsaWVudCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1teWNsaWVudCIsImNsaWVudEFkZHJlc3MiOiIxMC4wLjI2LjE0MCJ9.I-tBqSvoP2lvP5ngUyfw7-0iBoZywl8x0i_XrrPI3Pony-cmuqmzgSTfmAtHCli7CKrbyw96xPPaina9S8DhmQxaZ7MGVderhs-WKq3h7FEQNXNY8sJcvolywSi9N7F1U_XtsUsn9BIy6J-3CJtK2VteRf6VSrvjXM7OJUKPE6eCjtxpL6GUJ7Kb7w9NhX6lNZMcDhXCri8qukjdn7wPuE_uP_UZFznzQYrZP738tilbRzOOGj0L1kTVy4lJeuakxyNINQsexWIgnHSw_O3sqBsCbvbrKbFJN4usYbxXVrAZXT1DWMZz4YI68kxtLQbsDpW2LaQMtW1R6f1IjyX-pA",
#  "not-before-policy": 0,
#  "scope": "openid email profile"
#}

Below is an example of a way to get access token and ID token using keycloak client-user credentials. You can set up a user through the key cloak server UI. An email and NON-TEMPORARY password need to be configured before you are able to get the access token using this method.

#!/bin/bash
KC_REALM='<realm-name>'
KC_USERNAME='<kc_username>'
KC_PASSWORD='<kc_password>'
KC_CLIENT='<client-id>'
KC_CLIENT_SECRET='<client-secret>'
KC_SERVER='<server-host>:<server-port>'

# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "scope=openid" \
-d "grant_type=password" \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
"http://$KC_SERVER/realms/$KC_REALM/protocol/openid-connect/token" 2>/dev/null\
| jq .
)

echo
#echo "Full token response:"
#echo $KC_RESPONSE | jq .


KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
echo "[access token]"
echo $KC_ACCESS_TOKEN

KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
echo "[id token]"
echo $KC_ID_TOKEN

You can inspect the access token using the introspection URL for the KeyCloak server:

#!/bin/bash
KC_REALM='<realm-name>'
KC_CLIENT='<client-id>'
KC_CLIENT_SECRET='<client-secret>'
KC_SERVER='<server-host>:<server-port>'
KC_ACCESS_TOKEN=<access_token_raw_data>

# using access token to verify against the introspection URL
curl -k -v \
-X POST \
-u "$KC_CLIENT:$KC_CLIENT_SECRET" \
-d "token=$KC_ACCESS_TOKEN" \
"http://$KC_SERVER/realms/$KC_REALM/protocol/openid-connect/token/introspect" 2>/dev/null \
| jq .

#{
#  "exp": 1647968025,
#  "iat": 1647967725,
#  "jti": "24737160-89ec-4eed-be21-76784c434abd",
#  "iss": "http://10.0.26.1:8080/auth/realms/demo",
#  "aud": "account",
#  "sub": "507518f0-d636-4cd7-a128-a1cf6eb180af",
#  "typ": "Bearer",
#  "azp": "myclient",
#  "preferred_username": "service-account-myclient",
#  "email_verified": false,
#  "acr": "1",
#  "realm_access": {
#    "roles": [
#      "offline_access",
#      "uma_authorization",
#      "default-roles-demo"
#    ]
#  },
#  "resource_access": {
#    "myclient": {
#      "roles": [
#        "uma_protection"
#      ]
#    },
#    "account": {
#      "roles": [
#        "manage-account",
#        "manage-account-links",
#        "view-profile"
#      ]
#    }
#  },
#  "scope": "openid email profile",
#  "clientHost": "10.0.26.140",
#  "clientId": "myclient",
#  "clientAddress": "10.0.26.140",
#  "client_id": "myclient",
#  "username": "service-account-myclient",
#  "active": true
#}

6. Configure OpenIDConnect provider on realm in the 'Identity Providers' section. Select 'KeyCloak OpenID Connect':

Configuring OIDC using the openid-configuration endpoint will fill in all of the well known URLs for the finished OIDC provider as shown below:

Once you are able to get the access token and configured the OIDC provider, you have successfully set up your KeyCloak server.

Ceph RADOSGW

1. Configure Ceph Object storage pool and 1 RADOS Gateway on cluster manager node (ceph_*_radosgw.pem can be found int the /etc/ceph directory).

2. Enable sts in gateway config (i.e. /etc/ceph/ceph.conf) Below is a sample configuration, add these lines:

[client.radosgw.gateway_name]
rgw sts key = abcdefghijklmnop 
rgw s3 auth use sts = true

RGW STS uses a 128 bit key (16 characters) to encrypt/decrypt tokens. It is suggested that you use a stronger key than the one provided in this example.

3. Create a 'TESTER' Ceph Bucket User and take down the secret and access key. This iam user will be used to create an open ID connect provider for your ceph cluster:

radosgw-admin --uid TESTUID1 --display-name "iam_user" --access_key TESTUID1 --secret test123 user create
radosgw-admin caps add --uid="TESTUID1" --caps="oidc-provider=*"
radosgw-admin caps add --uid="TESTUID1" --caps="roles=*"

We will also create another user 'TESTER1' to "AssumeRoleWithWebIdentity" as the STS client. This will give us temporary credentials we can use to do S3 operations using a role we will create later:

radosgw-admin --uid TESTUID2 --display-name "sts_client_user" --access_key TESTUID2 --secret test321 user create
radosgw-admin caps add --uid="TESTUID2" --caps="roles=*"

4. configure "aws configure" using the credentials created above, so we can verify oidc provider arns using the aws CLI:

root@terminal# aws configure
AWS Access Key ID [None]: TESTUID1
AWS Secret Access Key [None]: test123
Default region name [None]:
Default output format [None]: json

5. We can now use the AWS boto3 python library to create an OIDC provider, add some 'IAM' roles and policies, AssumeRoleWithIdentity using the RGW STS APIs, and make some s3 calls to RGW API:

import boto3

iam_client = boto3.client('iam',
aws_access_key_id=<access_key of TESTER>,
aws_secret_access_key=<secret_key of TESTER>,
endpoint_url=<rgw-endpoint>,
region_name=
)

oidc_response = iam_client.create_open_id_connect_provider(
    Url="http://<key-cloak-host>:8080/realms/<realm name>",  #<------ Realm endpoint
    ClientIDList=[
        <client name>
    ],
    ThumbprintList=[
        <Thumbprint of the IDP>
 ]
)

policy_document = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/<key-cloak-host>:8080/realms/<realm name>"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"<key-cloak-host>:8080/realms/<realm name>:app_id":"account"}}}]}'
role_response = iam_client.create_role(
AssumeRolePolicyDocument=policy_document,
Path='/',
RoleName='S3Access',
)

role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::*"}}'

response = iam_client.put_role_policy(
    RoleName='S3Access',
    PolicyName='Policy1',
    PolicyDocument=role_policy
)

sts_client = boto3.client('sts',
aws_access_key_id=<access_key of TESTER1>,
aws_secret_access_key=<secret_key of TESTER1>,
endpoint_url=<rgw-endpoint>,
region_name=,
)

response = sts_client.assume_role_with_web_identity(
RoleArn=role_response['Role']['Arn'],
RoleSessionName='Bob',
DurationSeconds=3600,
WebIdentityToken=<Web Token> #<---- you can modify this script to fetch a new web token each time it is ran
)

s3client = boto3.client('s3',
aws_access_key_id = response['Credentials']['AccessKeyId'],
aws_secret_access_key = response['Credentials']['SecretAccessKey'],
aws_session_token = response['Credentials']['SessionToken'],
endpoint_url=<S3 URL>,
region_name=<S3 region>,)

bucket_name = 'my-bucket'
s3bucket = s3client.create_bucket(Bucket=bucket_name)
resp = s3client.list_buckets()

During testing, this python3 code could be put in a try-except block as failed operations will throw. Make sure that the 'policy_document' conditional permission 'app_id':'<aud>' where the 'aud' value comes from inspecting the access_token. See github repo for more powerful helper scripts here.

7. To fill in this script you will need to get the cert thumbprint from the KeyCloak server. You can do so by running this bash script:

#!/bin/bash

# Returns configured URLs for the requested realm
curl -k -v \
     -X GET \
     -H "Content-Type: application/x-www-form-urlencoded" \
     "http://10.0.26.1:8080/auth/realms/demo/.well-known/openid-configuration" 2>/dev/null \
   | jq . | grep -i jwks_uri

# Use the 'jwks_uri' value from the response to get the certificate of the IDP (Below)

echo
echo
# Get the 'x5c' from this response to turn into an IDP-cert
KEY1_RESPONSE=$(curl -k -v \
     -X GET \
     -H "Content-Type: application/x-www-form-urlencoded" \
     "http://10.0.26.1:8080/auth/realms/demo/protocol/openid-connect/certs" 2>/dev/null \
     | jq -r .keys[0].x5c)

KEY2_RESPONSE=$(curl -k -v \
     -X GET \
     -H "Content-Type: application/x-www-form-urlencoded" \
     "http://10.0.26.1:8080/auth/realms/demo/protocol/openid-connect/certs" 2>/dev/null \
     | jq -r .keys[1].x5c)

echo
echo "Assembling Certificates...."

# Assemble Cert1
echo '-----BEGIN CERTIFICATE-----' > certificate1.crt
echo $(echo $KEY1_RESPONSE) | sed 's/^.//;s/.$//;s/^.//;s/.$//;s/^.//;s/.$//' >> certificate1.crt
echo '-----END CERTIFICATE-----' >> certificate1.crt
echo $(cat certificate1.crt)

# Assemble Cert2
echo '-----BEGIN CERTIFICATE-----' > certificate2.crt
echo $(echo $KEY2_RESPONSE) | sed 's/^.//;s/.$//;s/^.//;s/.$//;s/^.//;s/.$//' >> certificate2.crt
echo '-----END CERTIFICATE-----' >> certificate2.crt
echo $(cat certificate2.crt)

echo
echo "Generating thumbprints...."
# Create Thumbprint for both certs
PRETHUMBPRINT1=$(openssl x509 -in certificate1.crt -fingerprint -noout)
PRETHUMBPRINT2=$(openssl x509 -in certificate2.crt -fingerprint -noout)

PRETHUMBPRINT1=$(echo $PRETHUMBPRINT1 | awk '{ print substr($0, 18) }')
PRETHUMBPRINT2=$(echo $PRETHUMBPRINT2 | awk '{ print substr($0, 18) }')

echo "${PRETHUMBPRINT1//:}"
echo "${PRETHUMBPRINT2//:}"

#clean up the temp files
rm certificate1.crt
rm certificate2.crt

#[
#  {
#    "kid": "SkDALfA6N9sz2SRmxLUMPqhu0xdk6DpEW4PEV-L2tmA",
#    "kty": "RSA",
#    "alg": "RS256",
#    "use": "sig",
#    "n": "govdBOQ0T8Z1P3OxnlMASAPObpqRN3CLFxwhaokhplxWL20imwVlgLQXu41DpqJQ8U0cM8LxQ7NgYV-E1uJ_o_tq9loEBJqA2grIqVhfrk9fUF1iiVvxpn-gsHpFuW0_BGMzbFVwhKCuybJATAXwf6KxBxKswcP8y4mRw20uRxKX9iiWWOaNvRtVQsu6BN395HwdOIkE2408OdepDWHzPIUneS8-bzPTMgeoLxwV9tTNY6fkWhIdBNHJWGjdK2tyUfzICP7KK919zKqGpLP-f76uIq4GuxUsEwyF0FqrCjq_zD7q0c9iXOgVCIZO23mVl0HGi6wzX6ohNZS_pldGbw",
#    "e": "AQAB",
#    "x5c": [
#      "MIIClzCCAX8CBgF/dQ18xjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIyMDMxMDE4MTYzMloXDTMyMDMxMDE4MTgxMlowDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIKL3QTkNE/GdT9zsZ5TAEgDzm6akTdwixccIWqJIaZcVi9tIpsFZYC0F7uNQ6aiUPFNHDPC8UOzYGFfhNbif6P7avZaBASagNoKyKlYX65PX1BdYolb8aZ/oLB6RbltPwRjM2xVcISgrsmyQEwF8H+isQcSrMHD/MuJkcNtLkcSl/Yolljmjb0bVULLugTd/eR8HTiJBNuNPDnXqQ1h8zyFJ3kvPm8z0zIHqC8cFfbUzWOn5FoSHQTRyVho3StrclH8yAj+yivdfcyqhqSz/n++riKuBrsVLBMMhdBaqwo6v8w+6tHPYlzoFQiGTtt5lZdBxousM1+qITWUv6ZXRm8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKvrr/pT7JD/EHZWsiig6ciSed733FB/KHEtQbkWIp/ch45gsGVHHqGq911vk/26A8i6PFypWDsuoM0ocYwMDu0oZPX7f28jeEZC4bJNt4GNe13LMXGXaDcE+PvHgN3nR5u/PV1rT+8c+moCtEdC1uQJeVFYZMgz1DvUUZjhQBer0PXIUz4F8k3wCxl/WZGLen67iqnvJpTjXDJ7SHDXvQJ+BPrk6jTwMgY8Wm/ZO/rq063nOOWCLM781vMmR5eEtUsPjBXJrTVbvyymZL6n5govT/16fZu5Ht2ssZUFpa7hmj0MPU0ZgC2+46iltCpNIMsWlNyYBBp3mIKaUb6NB3g=="
#    ],
#    "x5t": "5D26lfwgKpdz8_VC8SzyqDH8em8",
#    "x5t#S256": "cxJdnE1jTyBQ3GV3EyB44tjUtw8hwMna1RS7nz3KcYM"
#  },
#  {
#    "kid": "LA2gYGbGTRP6LoDrOYSJrsKHk_dxNRxYyohN_4rzNGQ",
#    "kty": "RSA",
#    "alg": "RS256",
#    "use": "enc", <----- encryption cert usage?
#    "n": "jqDe1GRCScyfx9FqcriI3YiPNS1VNpQVAEPocBpY31vhXwty4L-2HxMCBpNJTNxzHoLhqvZmxfDQ8XogEklIjaCBXmhcHxpTS8HwN7HrhRqxoH52TwCNec8BimMUPwgn-oVSvhP5eRoCbZYZocMR-Y8n562dI3wfMt7ajwd8G-hNSxUOfF756PJlwZTDlGBUOfIUHJezhSONF817eKYEBmMAUhUZZIw2AMJlwZxezvd4V_cB9QSeNq2GT3FQVeYY3qJV0Fj3UUK7YWlk3bgYdrraZyouVP6y558rBXqo57-PjZobQQrnl0gJMe2OPl3-FSccqy5VppoLCzHIxxfrOQ",
#    "e": "AQAB",
#    "x5c": [
#      "MIIClzCCAX8CBgF/dQ190DANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIyMDMxMDE4MTYzMloXDTMyMDMxMDE4MTgxMlowDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI6g3tRkQknMn8fRanK4iN2IjzUtVTaUFQBD6HAaWN9b4V8LcuC/th8TAgaTSUzccx6C4ar2ZsXw0PF6IBJJSI2ggV5oXB8aU0vB8Dex64UasaB+dk8AjXnPAYpjFD8IJ/qFUr4T+XkaAm2WGaHDEfmPJ+etnSN8HzLe2o8HfBvoTUsVDnxe+ejyZcGUw5RgVDnyFByXs4UjjRfNe3imBAZjAFIVGWSMNgDCZcGcXs73eFf3AfUEnjathk9xUFXmGN6iVdBY91FCu2FpZN24GHa62mcqLlT+suefKwV6qOe/j42aG0EK55dICTHtjj5d/hUnHKsuVaaaCwsxyMcX6zkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAahRWXkRqoapA3IJTPbwqFp97HbaDxu/NdrNwQwEWOVZB2Dw1PvQoFsX3a8sTIFORt7VJNacJ9kPmQhZO7AWpdSIuaLlMR9MD3ifDFGxxL3B4SJX/sKywPWwZn3KkK6KV1Scm+oPkbumKBdsBV15zFJltxiMdLGksNx+h7ZnU9uw7tBz6HcAIB3pY22hCaGO/5/qM7o8KHtu3tDlKmrgQ0m3B3ChWPekjQf9GknRksTAV92meoGv9Rw5HXyFbCW0ZXs1d5tN+gb8YA1StErJD1cY+7sqWxsar1aIrBr8O7zR6qFzsznJVeHbfS92khpWtpBU0YEvo/Rr3A1WIGQkCqA=="
#    ],
#    "x5t": "zg4GIG9vVnDivHJb0VV9F3s3CL8",
#    "x5t#S256": "aJjXaMeHMJ9mfyYR05Qg79R4r3J4keHp5GIwt-34zzs"
#  }
#]

8. Once you have filled in the test script, run it. You should successfully create 'my-bucket' in your ceph object storage.
9. Verify the creation of the open-id-connect-provider using the aws CLI:

aws --endpoint=<rgw-endpoint> iam list-open-id-connect-providers --region=""
aws --endpoint=<rgw-endpoint> iam get-open-id-connect-provider --open-id-connect-provider-arn="arn:aws:iam:::oidc-provider/<key-cloak-host>:8080/auth/realms/demo" --region=""
aws --endpoint=<rgw-endpoint> iam list-roles --region=""

You can verify bucket creation using this command:

radosgw-admin buckets list

Legacy Client Setup (15.0.2)

3. Create a new client 'ceph-rgw-client'. Use the following Settings:

4. Go to the the 'Credentials' tab and record the client secret to be used to acquire access tokens.