Merge pull request #24847 from pritha-srivastava/wip-rgw-assume-role-doc

rgw: Improvements to STS Lite documentation.
ceph · Nov 7, 2018 · 59db1dc · 59db1dc
2 parents 0f9816f + d0acc30
commit 59db1dc
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/doc/radosgw/STSLite.rst b/doc/radosgw/STSLite.rst
@@ -31,8 +31,7 @@ Parameters:
     **SerialNumber** (String/ Optional): The Id number of the MFA device associated 
     with the user making the GetSessionToken call.
 
-    **TokenCode** (String/ Optional): The value provided by the MFA device, if the 
-    trust policy of the role being assumed requires MFA.
+    **TokenCode** (String/ Optional): The value provided by the MFA device, if MFA is required.
 
 
 2. AssumeRole: Returns a set of temporary credentials that can be used for 
@@ -160,6 +159,31 @@ Keystone.
                     created = bucket['CreationDate'],
     )
 
+4. The following is an example of AssumeRole API call:
+
+.. code-block:: python
+
+    import boto3
+
+    access_key = <ec2 access key>
+    secret_key = <ec2 secret key>
+
+    client = boto3.client('sts',
+    aws_access_key_id=access_key,
+    aws_secret_access_key=secret_key,
+    endpoint_url=<STS URL>,
+    region_name='',
+    )
+
+    response = client.assume_role(
+    RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
+    RoleSessionName='Bob',
+    DurationSeconds=3600
+    )
+
+
+Note: A role 'S3Access', needs to be created before calling the AssumeRole API.
+
 Limitations and Workarounds
 ===========================