Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 15. Using the Multicloud Object Gateway’s Security Token Service to assume the role of another user

Multicloud Object Gateway (MCG) provides support to a security token service (STS) similar to the one provided by Amazon Web Services.

To allow other users to assume the role of a certain user, you need to assign a role configuration to the user. You can manage the configuration of roles using the MCG CLI tool.

The following example shows role configuration that allows two MCG users (assumer@mcg.test and assumer2@mcg.test) to assume a certain user’s role: 

'{"role_name": "AllowTwoAssumers", "assume_role_policy": {"version": "2012-10-17", "statement": [ {"action": ["sts:AssumeRole"], "effect": "allow", "principal": ["assumer@mcg.test", "assumer2@mcg.test"]}]}}'
Copy to Clipboard Toggle word wrap

  1. Assign the role configuration by using the MCG CLI tool. 

    mcg sts assign-role --email <assumed user's username> --role_config '{"role_name": "AllowTwoAssumers", "assume_role_policy": {"version": "2012-10-17", "statement": [ {"action": ["sts:AssumeRole"], "effect": "allow", "principal": ["assumer@mcg.test", "assumer2@mcg.test"]}]}}'
    Copy to Clipboard Toggle word wrap

  2. Collect the following information before proceeding to assume the role as it is needed for the subsequent steps:

    • The access key ID and secret access key of the assumer (the user who assumes the role)

    • The MCG STS endpoint, which can be retrieved by using the command: 

      $ oc -n openshift-storage get route
      Copy to Clipboard Toggle word wrap
    • The access key ID of the assumed user.
    • The value of the role_name value in your role configuration.
    • A name of your choice for the role session
  3. After the configuration role is ready, assign it to the appropriate user (fill with the data described in the previous step) - 
AWS_ACCESS_KEY_ID=<aws-access-key-id> AWS_SECRET_ACCESS_KEY=<aws-secret-access-key1> aws --endpoint-url <mcg-sts-endpoint> sts assume-role --role-arn arn:aws:sts::<assumed-user-access-key-id>:role/<role-name> --role-session-name <role-session-name>
Copy to Clipboard Toggle word wrap
Note

Adding --no-verify-ssl might be necessary depending on your cluster’s configuration.

The resulting output contains the access key ID, secret access key, and session token that can be used for executing actions while assuming the other user’s role.

You can use the credentials generated after the assume role steps as shown in the following example: 

AWS_ACCESS_KEY_ID=<aws-access-key-id> AWS_SECRET_ACCESS_KEY=<aws-secret-access-key1> AWS_SESSION_TOKEN=<session token> aws --endpoint-url <mcg-s3-endpoint> s3 ls
Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat