[keycloak-user] S3_ping authentication problem

Hynek Mlnarik hmlnarik at redhat.com
Fri May 25 10:28:42 EDT 2018


You might be hitting this JGroups bug [1]. See Amazon documentation on S3
endpoints [2] for regions that support Version 2 signatures. Note that it
might be possible to use the new NATIVE_S3_PING protocol, but this one has not
yet been incorporated into Keycloak due to this WildFly issue [3]. As a
workaround, you might be able to use another discovery protocol, e.g.
JDBC_PING.

[1] https://issues.jboss.org/browse/JGRP-1914
[2] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
[3] https://issues.jboss.org/browse/WFLY-8770

On Thu, May 17, 2018 at 10:44 PM, For Ever <forsudden at gmail.com> wrote:

> Hello Everyone:
>
> I'm trying to set up clustering with S3_ping. I'm getting
> the below error message when starting up Keycloak in standalone clustered
> mode.
>
> NOTE:
>
> I did a test as the user on my Linux node using awscli. The
> username on the Linux box is the same as the IAM user in AWS. I gave
> list, read and write permission (Policy) for the user in IAM.
>
> 20:37:04,480 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([
>     ("subsystem" => "jgroups"),
>     ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"
> org.wildfly.clustering.jgroups.channel.ee" => "java.io.IOException: bucket
> 's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403
> (Forbidden).
> Maybe the bucket is owned by somebody else or the authentication failed
>     Caused by: java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev'
> could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by
> somebody else or the authentication failed"}}
>
> ###standalone-ha.xml snippet.
>
> <stack name="tcp">
>     <transport type="TCP" socket-binding="jgroups-tcp"/>
>     <socket-protocol type="MPING" socket-binding="jgroups-mping"/>
>     <protocol type="MERGE3"/>
>     <protocol type="S3_PING">
>         <property name="access_key">
>             blahblah
>         </property>
>         <property name="secret_access_key">
>             blahblah
>         </property>
>         <property name="location">
>             s3-ping-somebucket
>         </property>
>     </protocol>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

--Hynek
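
Added example, not part of the original thread and not JGroups or Keycloak code: a Python sketch of how the same S3 bucket request is signed under Signature Version 2 and under Version 4, to show what the reply's pointer to regions that support Version 2 signatures is about. The access key, secret, bucket name, regions and timestamps are constructed sample values; that the S3_PING in question signs with Version 2 is an assumption drawn from the reply.

```python
import base64
import hashlib
import hmac

# Constructed sample values: not real credentials, bucket or timestamps.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "constructed-secret-key"
BUCKET = "s3-ping-somebucket"

def sign_v2(method, bucket, date_hdr):
    """Signature Version 2: HMAC-SHA1 over a string that carries no region."""
    # Verb, Content-MD5, Content-Type, Date, then the canonical resource.
    string_to_sign = f"{method}\n\n\n{date_hdr}\n/{bucket}/"
    mac = hmac.new(SECRET_KEY.encode(), string_to_sign.encode(), hashlib.sha1)
    return f"AWS {ACCESS_KEY}:{base64.b64encode(mac.digest()).decode()}"

def _h256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_v4(method, bucket, region, amz_date):
    """Signature Version 4: HMAC-SHA256 with a key derived per day and region."""
    day, empty = amz_date[:8], hashlib.sha256(b"").hexdigest()
    signed = "host;x-amz-content-sha256;x-amz-date"
    canonical = "\n".join([
        method, "/", "",                      # verb, path, empty query string
        f"host:{bucket}.s3.{region}.amazonaws.com",
        f"x-amz-content-sha256:{empty}",
        f"x-amz-date:{amz_date}", "",         # blank line ends the header block
        signed, empty])
    scope = f"{day}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (day, region, "s3", "aws4_request"):
        key = _h256(key, part)                # chained signing-key derivation
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

if __name__ == "__main__":
    print(sign_v2("GET", BUCKET, "Thu, 17 May 2018 20:37:04 GMT"))
    for region in ("eu-west-1", "eu-central-1"):
        print(sign_v4("GET", BUCKET, region, "20180517T203704Z"))
```

The Version 2 header is the same whichever regional endpoint receives it, while the Version 4 credential scope and signature change with the region, so an endpoint that only accepts Version 4 has nothing it can validate in a Version 2 header.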

