Rook-Ceph RGW S3 access

Validate Rook-Ceph RGW S3 access from a workstation using the static bootstrap credentials.

This playbook validates that the Rook-Ceph RADOS Gateway accepts S3 requests from outside the cluster using the static access keys created at deployment time. Run it after a fresh deployment or after any change to the RGW configuration.

Note: The current deployment uses static RGW credentials. The STS / Keycloak-federated path is staged but disabled (sts=false). This procedure does not exercise the STS path.

Prerequisites

  • aws CLI installed locally.
  • jq installed locally.
  • kubectl access to the cluster, with permission to read secrets in the rook-ceph namespace.
  • The RGW endpoint reachable from the workstation as https://<ceph-s3-host>.

1. Export the static RGW credentials

export RGW_URL="https://<ceph-s3-host>"

export AWS_ACCESS_KEY_ID=$(kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap \
  -o jsonpath='{.data.sts_client_access_key}' | base64 -d)

export AWS_SECRET_ACCESS_KEY=$(kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap \
  -o jsonpath='{.data.sts_client_secret}' | base64 -d)

export AWS_DEFAULT_REGION="us-east-1"

2. Validate connectivity

aws --endpoint-url "$RGW_URL" s3api list-buckets --no-paginate

A successful response returns the (possibly empty) list of buckets owned by the bootstrap user.

3. Upload and download a test object

Create a bucket and upload a file:

export BUCKET="rgw-static-test-$(date +%s)"
printf 'hello rgw static\n' > /tmp/rgw-test.txt

aws --endpoint-url "$RGW_URL" s3 mb "s3://$BUCKET"
aws --endpoint-url "$RGW_URL" s3 cp /tmp/rgw-test.txt "s3://$BUCKET/rgw-test.txt"
aws --endpoint-url "$RGW_URL" s3 ls "s3://$BUCKET/"

Download the object and confirm its content matches what was uploaded:

aws --endpoint-url "$RGW_URL" s3 cp "s3://$BUCKET/rgw-test.txt" /tmp/rgw-test-downloaded.txt
cat /tmp/rgw-test-downloaded.txt

4. Clean up

aws --endpoint-url "$RGW_URL" s3 rm "s3://$BUCKET/rgw-test.txt"
aws --endpoint-url "$RGW_URL" s3 rb "s3://$BUCKET"
rm -f /tmp/rgw-test.txt /tmp/rgw-test-downloaded.txt
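The same round trip as steps 2 to 4 in one script, added here as an example and not taken from the playbook: it assumes the step 1 variables are exported and aws, sha256sum and mktemp are on PATH, compares the downloaded object's SHA-256 digest with the upload instead of printing it, and maps aws CLI failure messages onto the troubleshooting categories below (the matched strings are the CLI's own messages, assumed from normal usage rather than quoted from this page).

```shell
#!/usr/bin/env bash
# Added example, not part of the playbook. Assumes RGW_URL, AWS_ACCESS_KEY_ID
# and AWS_SECRET_ACCESS_KEY are exported as in step 1, and that aws, sha256sum
# and mktemp are on PATH. The strings matched in classify_rgw_error are the
# aws CLI's own error messages (assumed from normal usage, not from this page).
set -u

# Map an aws CLI error message to one of the troubleshooting categories.
classify_rgw_error() {
  case "$1" in
    *"(503)"*|*"Service Unavailable"*)                           echo "rgw-not-ready" ;;
    *AccessDenied*|*InvalidAccessKeyId*|*SignatureDoesNotMatch*) echo "bad-credentials" ;;
    *SSL*|*CERTIFICATE_VERIFY_FAILED*|*"Could not connect"*)     echo "tls-or-endpoint" ;;
    *)                                                           echo "unknown" ;;
  esac
}

# Succeed only when both files have the same SHA-256 digest.
same_digest() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

rgw() { aws --endpoint-url "$RGW_URL" "$@"; }

# Steps 2-4 of the playbook, with content verification and cleanup before return.
rgw_roundtrip() {
  local bucket="rgw-static-test-$(date +%s)" src dst err rc=1
  src=$(mktemp); dst=$(mktemp)
  printf 'hello rgw static\n' > "$src"
  # Step 2: connectivity; keep stderr so the failure can be classified.
  if ! err=$(rgw s3api list-buckets --no-paginate 2>&1 >/dev/null); then
    echo "list-buckets failed: $(classify_rgw_error "$err")" >&2
    rm -f "$src" "$dst"; return 1
  fi
  # Step 3: upload, download, and compare digests instead of reading the file by eye.
  if rgw s3 mb "s3://$bucket" \
     && rgw s3 cp "$src" "s3://$bucket/rgw-test.txt" \
     && rgw s3 cp "s3://$bucket/rgw-test.txt" "$dst"; then
    if same_digest "$src" "$dst"; then echo "round trip OK ($bucket)"; rc=0
    else echo "downloaded object differs from upload" >&2; fi
  fi
  # Step 4: clean up whatever was created.
  rgw s3 rm "s3://$bucket/rgw-test.txt" >/dev/null 2>&1
  rgw s3 rb "s3://$bucket" >/dev/null 2>&1
  rm -f "$src" "$dst"
  return "$rc"
}

# Run the live check only when asked for, so sourcing this file has no side effects.
if [ -n "${RUN_RGW_CHECK:-}" ]; then rgw_roundtrip; fi
```

Run it with `RUN_RGW_CHECK=1 bash rgw-check.sh` after step 1; a non-zero exit with a category on stderr points at the matching troubleshooting entry.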

Optional: create an additional static RGW user

If a dedicated user is needed instead of the bootstrap sts-client user, create it from inside the cluster with radosgw-admin and distribute the generated key and secret through the platform's standard secret distribution flow.

Troubleshooting

  • 503 Service Unavailable on list-buckets — the RGW pod is not yet ready. Wait for the rollout to complete and confirm the pod is Ready.
  • 403 Forbidden — the exported environment variables are missing or do not match a valid RGW user. Re-export them in the same shell.
  • AWS CLI parser errors (NoneType errors) — rerun with --debug and inspect the underlying RGW XML error code (AccessDenied, InvalidAccessKeyId, etc.).
  • TLS or endpoint errors — verify RGW_URL and that the certificate chain is trusted on the workstation.