[keycloak-user] S3_ping authentication problem
Hynek Mlnarik
hmlnarik at redhat.com
Fri May 25 10:28:42 EDT 2018
You might be hitting this JGroups bug [1]. See Amazon documentation on S3
endpoints [2] for regions that support Version 2 signatures. Note that it
might be possible to use the new NATIVE_S3_PING protocol, but this one has not
yet been incorporated into Keycloak due to this WildFly issue [3]. As a
workaround, you might be able to use another discovery protocol, e.g.
JDBC_PING.
[1] https://issues.jboss.org/browse/JGRP-1914
[2] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
[3] https://issues.jboss.org/browse/WFLY-8770
On Thu, May 17, 2018 at 10:44 PM, For Ever <forsudden at gmail.com> wrote:
> Hello Everyone:
>
> I'm trying to set up clustering with S3_ping. I'm getting
> the below error message when starting up Keycloak in standalone clustered
> mode.
>
>
>
>
> NOTE:
>
> I did a test as the user on my Linux node using awscli. The
> username on the Linux box is the same as the IAM user in AWS. I gave
> list, read and write permission (Policy) for the user in IAM
>
> 20:37:04,480 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([
> ("subsystem" => "jgroups"),
> ("channel" => "ee")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"
> org.wildfly.clustering.jgroups.channel.ee" => "java.io.IOException: bucket
> 's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403
> (Forbidden).
> Maybe the bucket is owned by somebody else or the authentication failed
> Caused by: java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev'
> could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by
> somebody else or the authentication failed"}}
>
>
>
>
> ### standalone-ha.xml snippet.
>
> <stack name="tcp">
> <transport type="TCP" socket-binding="jgroups-tcp"/>
> <socket-protocol type="MPING"
> socket-binding="jgroups-mping"/>
> <protocol type="MERGE3"/>
> <protocol type="S3_PING">
> <property name="access_key">
> blahblah
> </property>
> <property name="secret_access_key">
> blahblah
> </property>
> <property name="location">
> s3-ping-somebucket
> </property>
> </protocol>
--
--Hynek
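
The JDBC_PING workaround suggested in the reply, as an added configuration example (not from the original thread or from the Keycloak project). It assumes a WildFly release whose jgroups subsystem supports the `jdbc-protocol` element and a datasource named `KeycloakDS` that points at a database shared by all cluster nodes; the protocols after MERGE3 are assumed to follow the stock WildFly `tcp` stack.

```xml
<!-- Added example: "tcp" stack in standalone-ha.xml with JDBC_PING as the
     only discovery protocol, replacing MPING and S3_PING. -->
<stack name="tcp">
    <transport type="TCP" socket-binding="jgroups-tcp"/>

    <!-- Discovery: each node registers its address in a table of the shared
         database. No S3 bucket is contacted and no access_key /
         secret_access_key properties are stored in this file.
         Assumption: "KeycloakDS" is a datasource defined in the datasources
         subsystem and backed by a database every node can reach. An
         embedded, per-node database cannot serve as the rendezvous point. -->
    <jdbc-protocol type="JDBC_PING" data-source="KeycloakDS"/>

    <!-- Assumption: remaining protocols as in the stock WildFly tcp stack. -->
    <protocol type="MERGE3"/>
    <protocol type="FD_SOCK"/>
    <protocol type="FD_ALL"/>
    <protocol type="VERIFY_SUSPECT"/>
    <protocol type="pbcast.NAKACK2"/>
    <protocol type="UNICAST3"/>
    <protocol type="pbcast.STABLE"/>
    <protocol type="pbcast.GMS"/>
    <protocol type="MFC"/>
    <protocol type="FRAG2"/>
</stack>
```

The database account behind the datasource needs rights to create and modify the discovery table, and the `ee` channel must reference this stack for the change to take effect.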