[Cyberduck-trac] [Cyberduck] #8610: Support S3 authentication via IAM ROLE credentials

Cyberduck trac at trac.cyberduck.io
Tue Feb 24 22:47:01 UTC 2015


#8610: Support S3 authentication via IAM ROLE credentials
----------------------------+---------------------
    Reporter:  ebekker      |      Owner:  dkocher
        Type:  enhancement  |     Status:  new
    Priority:  normal       |  Milestone:
   Component:  s3           |    Version:
    Severity:  normal       |   Keywords:
Architecture:               |   Platform:
----------------------------+---------------------
 Would it be possible to add support for authentication to AWS S3 using
 Access Key credentials that are derived from an IAM Role on an EC2
 instance?

 IAM Roles allow you to assign a set of permissions to a resource that is
 actually deployed in the AWS environment.  The way this is implemented is
 that a set of credentials (Access Key + Secret Key + Session Token) is
 dynamically assigned and rotated for a particular AWS resource, such as an
 EC2 Instance.

 The Access Key credentials can be retrieved on an EC2 instance by
 accessing its own instance metadata via the URL:
 {{{
 http://169.254.169.254/latest/meta-data/iam/security-credentials/THIS_IS_THE_ROLE_NAME
 }}}

 The last component of that URL path ({{{THIS_IS_THE_ROLE_NAME}}}) is
 actually the name of the role assigned, but it is the only entry in that
 path, so to get to it programmatically, you would need to call its parent
 URL and find the only returned value in the response, and then retrieve
 the target URL which contains the actual credentials.

 The actual credentials returned look like the following JSON fragment:
 {{{
 {
   "Code" : "Success",
   "LastUpdated" : "2015-02-24T21:10:36Z",
   "Type" : "AWS-HMAC",
   "AccessKeyId" : "EQWFTCASIAJ3KZUVUTYA",
   "SecretAccessKey" : "wli/Bu889nQjdRxpgF6QR3Hoqjz8Lou7pnoxBU/r",
   "Token" : "...",
   "Expiration" : "2015-02-25T03:16:33Z"
 }
 }}}

 From this response you can get the following 3 components which are needed
 to authenticate requests to the AWS S3 API:
 * {{{AccessKeyId}}} - the Access Key
 * {{{SecretAccessKey}}} - the Secret Key
 * {{{Token}}} - the Session Token

 You can also obtain the {{{LastUpdated}}} and {{{Expiration}}} components
 which indicate when the credentials were last generated, as well as when
 they will expire and be rotated once again.

 For Cyberduck, the request I'm making is to add an option flag to the S3
 connection settings to indicate the use of IAM Role credentials (similar
 to the existing "Anonymous" flag).  When set, Cyberduck would obtain the
 current Role credentials as described above, store them in the current
 user session, and with every API call to S3, verify the creds are still
 valid (by comparing the current time against the expected Expiration time),
 and use those creds to authenticate/authorize each API request.

 This will allow Cyberduck to be used on an EC2 instance within AWS,
 assuming the IAM Role access policies.

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/8610>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
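The procedure the reporter describes (list the role under `security-credentials/`, fetch that role's JSON document, check `Expiration` before each request, refresh when close to expiry) as a working Python credential provider. This is an added example, not Cyberduck's code or the AWS SDK; the `FakeImds` class, the role name `S3ReadOnlyRole`, the `ASIAEXAMPLE...` keys and the `REFRESH_MARGIN` value are constructed for the demo. IMDSv2 token negotiation (`PUT /latest/api/token`) is assumed to be available and falls back to plain IMDSv1 when it is not.

```python
"""EC2 instance-role credential provider built on the instance metadata service (IMDS).

Example code accompanying the ticket; not Cyberduck's implementation.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

IMDS_BASE = "http://169.254.169.254"
ROLE_LISTING = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"          # IMDSv2 session token endpoint
REFRESH_MARGIN = timedelta(minutes=5)     # assumed: refresh this long before Expiration


def imds_fetch(path: str, method: str = "GET",
               headers: Optional[Dict[str, str]] = None, timeout: float = 2.0) -> str:
    """Real IMDS call; only reachable from inside an EC2 instance."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


class RoleCredentials:
    """Discover the attached role, cache its credentials, refresh before they expire.

    `fetch` is injectable so the logic can be exercised offline against a fake IMDS.
    """

    def __init__(self, fetch: Callable[..., str] = imds_fetch,
                 margin: timedelta = REFRESH_MARGIN):
        self._fetch, self._margin = fetch, margin
        self._creds: Optional[Dict[str, str]] = None
        self.expires_at: Optional[datetime] = None

    def _session_headers(self) -> Dict[str, str]:
        # IMDSv2: ask for a short-lived token; if the PUT is refused, fall back to IMDSv1.
        try:
            tok = self._fetch(TOKEN_PATH, method="PUT",
                              headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
            return {"X-aws-ec2-metadata-token": tok}
        except Exception:
            return {}

    def _load(self) -> dict:
        hdrs = self._session_headers()
        listing = self._fetch(ROLE_LISTING, headers=hdrs).strip()
        if not listing:
            raise RuntimeError("no IAM role is attached to this instance")
        role = listing.splitlines()[0]            # the listing holds the single role name
        doc = json.loads(self._fetch(ROLE_LISTING + role, headers=hdrs))
        if doc.get("Code") != "Success":          # e.g. the role could not be assumed
            raise RuntimeError(f"IMDS returned Code={doc.get('Code')!r} for role {role}")
        return doc

    def get(self, now: Optional[datetime] = None) -> Dict[str, str]:
        """Return the three values S3 needs, refreshing when Expiration is within the margin."""
        now = now or datetime.now(timezone.utc)
        if self.expires_at is None or now >= self.expires_at - self._margin:
            doc = self._load()
            self.expires_at = datetime.strptime(
                doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            self._creds = {"access_key": doc["AccessKeyId"],
                           "secret_key": doc["SecretAccessKey"],
                           "session_token": doc["Token"]}
        return dict(self._creds)


def s3_session_header(creds: Dict[str, str]) -> Dict[str, str]:
    """Temporary credentials are only valid if the token travels with every signed request."""
    return {"x-amz-security-token": creds["session_token"]}


# --- Constructed fake IMDS so the example runs offline (values are not real credentials) ---
FAKE_ROLE = "S3ReadOnlyRole"
FAKE_DOCS = [
    {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE0000000001",
     "SecretAccessKey": "fake-secret-1", "Token": "fake-token-1",
     "LastUpdated": "2015-02-24T21:10:36Z", "Expiration": "2015-02-25T03:16:33Z"},
    {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE0000000002",
     "SecretAccessKey": "fake-secret-2", "Token": "fake-token-2",
     "LastUpdated": "2015-02-25T03:06:33Z", "Expiration": "2015-02-25T09:12:01Z"},
]


class FakeImds:
    """Serves successive credential documents to show rotation; counts credential fetches."""
    def __init__(self, docs):
        self.docs, self.calls = list(docs), 0

    def __call__(self, path, method="GET", headers=None, timeout=2.0):
        if path == TOKEN_PATH and method == "PUT":
            return "fake-imds-v2-token"
        if path == ROLE_LISTING:
            return FAKE_ROLE + "\n"
        if path == ROLE_LISTING + FAKE_ROLE:
            self.calls += 1
            return json.dumps(self.docs[min(self.calls - 1, len(self.docs) - 1)])
        raise RuntimeError(f"404 {path}")


def run_demo() -> dict:
    """Walk the provider through cache hit, refresh near expiry, and a rejected document."""
    imds = FakeImds(FAKE_DOCS)
    rc = RoleCredentials(fetch=imds)
    t0 = datetime(2015, 2, 24, 22, 0, tzinfo=timezone.utc)
    first = rc.get(now=t0)
    cached = rc.get(now=t0 + timedelta(hours=1))             # well before Expiration
    rotated = rc.get(now=datetime(2015, 2, 25, 3, 12, tzinfo=timezone.utc))  # inside margin
    try:
        RoleCredentials(fetch=FakeImds([{"Code": "AssumeRoleUnauthorizedAccess"}])).get(now=t0)
        rejected = False
    except RuntimeError:
        rejected = True
    return {"first": first["access_key"], "cached": cached["access_key"],
            "rotated": rotated["access_key"], "fetches": imds.calls,
            "header": s3_session_header(rotated), "rejected_failure": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The refresh margin matters in practice: IMDS publishes a new credential set before the old one expires, so fetching a few minutes early means a long multipart upload never straddles an expiry. Note also that the token must be sent as `x-amz-security-token` on every signed S3 request; the access key and secret alone are rejected for role credentials.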