# Rook-Ceph RGW S3 access (/docs/deployment/playbooks/rook-ceph-rgw-s3-access)



This playbook validates that the Rook-Ceph RADOS Gateway accepts S3 requests from outside the cluster using the static access keys created at deployment time. Run it after a fresh deployment or after any change to the RGW configuration.

> **Note**
> The current deployment uses static RGW credentials. The STS / Keycloak-federated path is staged but disabled (`sts=false`). This procedure does not exercise the STS path.

## Prerequisites

* `aws` CLI installed locally.
* `jq` installed locally.
* `kubectl` access to the cluster, with permission to read secrets in the `rook-ceph` namespace.
* The RGW endpoint reachable from the workstation as `https://<ceph-s3-host>`.

## 1. Export the static RGW credentials

```bash
export RGW_URL="https://<ceph-s3-host>"

export AWS_ACCESS_KEY_ID=$(kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap \
  -o jsonpath='{.data.sts_client_access_key}' | base64 -d)

export AWS_SECRET_ACCESS_KEY=$(kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap \
  -o jsonpath='{.data.sts_client_secret}' | base64 -d)

export AWS_DEFAULT_REGION="us-east-1"
```

## 2. Validate connectivity

```bash
aws --endpoint-url "$RGW_URL" s3api list-buckets --no-paginate
```

A successful response returns the (possibly empty) list of buckets owned by the bootstrap user.

## 3. Upload and download a test object

Create a bucket and upload a file:

```bash
export BUCKET="rgw-static-test-$(date +%s)"
printf 'hello rgw static\n' > /tmp/rgw-test.txt

aws --endpoint-url "$RGW_URL" s3 mb "s3://$BUCKET"
aws --endpoint-url "$RGW_URL" s3 cp /tmp/rgw-test.txt "s3://$BUCKET/rgw-test.txt"
aws --endpoint-url "$RGW_URL" s3 ls "s3://$BUCKET/"
```

Download and verify:

```bash
aws --endpoint-url "$RGW_URL" s3 cp "s3://$BUCKET/rgw-test.txt" /tmp/rgw-test-downloaded.txt
cat /tmp/rgw-test-downloaded.txt
```

## 4. Clean up

```bash
aws --endpoint-url "$RGW_URL" s3 rm "s3://$BUCKET/rgw-test.txt"
aws --endpoint-url "$RGW_URL" s3 rb "s3://$BUCKET"
rm -f /tmp/rgw-test.txt /tmp/rgw-test-downloaded.txt
```
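Steps 2 to 4 can be run as one pass/fail check that compares digests instead of eyeballing `cat` output and removes the bucket even when a step fails. The script below is an added example, not part of the original playbook; it assumes `RGW_URL` and the `AWS_*` variables from step 1 are already exported and that `aws`, `sha256sum` and `sed` are on `PATH`.

```sh
#!/bin/sh
# Added wrapper for steps 2-4 of this playbook (example code, not from the original page).
# Assumes RGW_URL and the AWS_* variables from step 1 are exported in this shell.
set -eu

# Extract the <Code> element from an S3/RGW XML error body, such as the one shown by
# `aws --debug` (AccessDenied, InvalidAccessKeyId, ...). Prints nothing if absent.
rgw_error_code() {
  printf '%s\n' "$1" | sed -n 's|.*<Code>\([^<]*\)</Code>.*|\1|p' | head -n 1
}

# Succeed only when both files have the same SHA-256 digest: a real integrity check
# for the round trip, rather than the `cat` in step 3.
files_match() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Remove the object, bucket and temp files; errors are ignored so cleanup is idempotent.
rgw_cleanup() {
  aws --endpoint-url "$RGW_URL" s3 rm "s3://$1/rgw-test.txt" >/dev/null 2>&1 || true
  aws --endpoint-url "$RGW_URL" s3 rb "s3://$1" >/dev/null 2>&1 || true
  rm -f /tmp/rgw-test.txt /tmp/rgw-test-downloaded.txt
}

# Steps 2-4 as one check. The EXIT trap runs cleanup whether a step fails or not.
rgw_smoke_test() {
  bucket="rgw-static-test-$(date +%s)"
  trap 'rgw_cleanup "$bucket"' EXIT
  aws --endpoint-url "$RGW_URL" s3api list-buckets --no-paginate >/dev/null
  printf 'hello rgw static\n' > /tmp/rgw-test.txt
  aws --endpoint-url "$RGW_URL" s3 mb "s3://$bucket"
  aws --endpoint-url "$RGW_URL" s3 cp /tmp/rgw-test.txt "s3://$bucket/rgw-test.txt"
  aws --endpoint-url "$RGW_URL" s3 cp "s3://$bucket/rgw-test.txt" /tmp/rgw-test-downloaded.txt
  if files_match /tmp/rgw-test.txt /tmp/rgw-test-downloaded.txt; then
    echo "OK: S3 round trip through $RGW_URL verified"
  else
    echo "FAIL: downloaded object differs from the uploaded file" >&2
    return 1
  fi
}

# Set RGW_SMOKE_RUN=1 to execute the test; otherwise the file can be sourced for its helpers.
if [ "${RGW_SMOKE_RUN:-0}" = "1" ]; then
  rgw_smoke_test
fi
```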

## Optional: create an additional static RGW user

If a dedicated user is needed instead of the bootstrap `sts-client` user, create it from inside the cluster with `radosgw-admin` and distribute the generated key and secret through the platform's standard secret distribution flow.

## Troubleshooting

* `503 Service Unavailable` on `list-buckets` — the RGW pod is not yet ready. Wait for the rollout to complete and confirm the pod is `Ready`.
* `403 Forbidden` — the exported environment variables are missing or do not match a valid RGW user. Re-export them in the same shell.
* AWS CLI parser errors (`NoneType` errors) — rerun with `--debug` and inspect the underlying RGW XML error code (`AccessDenied`, `InvalidAccessKeyId`, etc.).
* TLS or endpoint errors — verify `RGW_URL` and that the certificate chain is trusted on the workstation.

## Related pages

* [Rook-Ceph component](/docs/runtime/components/rook-ceph)
