[Cyberduck-trac] [Cyberduck] #8610: Support S3 authentication via IAM ROLE credentials
Cyberduck
trac at trac.cyberduck.io
Tue Feb 24 22:47:01 UTC 2015
#8610: Support S3 authentication via IAM ROLE credentials
----------------------------+---------------------
Reporter: ebekker | Owner: dkocher
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: s3 | Version:
Severity: normal | Keywords:
Architecture: | Platform:
----------------------------+---------------------
Would it be possible to add support for authentication to AWS S3 using
Access Key credentials that are derived from an IAM Role on an EC2
instance?
IAM Roles allow you to assign a set of permissions to a resource that is
actually deployed in the AWS environment. The way this is implemented is
that a set of credentials (Access Key + Secret Key + Session Token) are
dynamically assigned and rotated to a particular AWS resource, such as an
EC2 Instance.
The Access Key credentials can be retrieved on an EC2 instance by
accessing its own instance meta data via the URL:
{{{
http://169.254.169.254/latest/meta-data/iam/security-credentials/THIS_IS_THE_ROLE_NAME
}}}
The last component of that URL path ({{{THIS_IS_THE_ROLE_NAME}}}) is
actually the name of the role assigned, but it is the only entry in that
path, so to get to it programmatically, you would need to call its parent
URL and find the only returned value in the response, and then retrieve
the target URL which contains the actual credentials.
The actual credentials returned look like the following JSON fragment:
{{{
{
"Code" : "Success",
"LastUpdated" : "2015-02-24T21:10:36Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "EQWFTCASIAJ3KZUVUTYA",
"SecretAccessKey" : "wli/Bu889nQjdRxpgF6QR3Hoqjz8Lou7pnoxBU/r",
"Token" :
"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",
"Expiration" : "2015-02-25T03:16:33Z"
}
}}}
From this response you can get the following 3 components which are needed
to authenticate requests to the AWS S3 API:
* {{{AccessKeyId}}} - the Access Key
* {{{SecretAccessKey}}} - the Secret Key
* {{{Token}}} - the Session Token
You can also obtain the {{{LastUpdated}}} and {{{Expiration}}} components
which indicate when the credentials were last generated, as well as when
they will expire and be rotated once again.
For CyberDuck, the request I'm making is to add an option flag to the S3
connection settings to indicate the use of IAM Role credentials (similar
to the existing "Anonymous" flag). When set, CyberDuck would obtain the
current Role credentials as described above, store them in the current
user session, verify with every API call to S3 that the creds are still
valid (by comparing the current time against the expected Expiration
time), and use those creds to authenticate/authorize each API request.
This will allow CyberDuck to be used on an EC2 instance within AWS
assuming the IAM Role access policies.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8610>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
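The lookup and expiry check requested in the ticket, as an added example that is not Cyberduck's code and not part of the original report. It assumes the plain unauthenticated GET against the metadata path the ticket quotes (newer instances may require an IMDSv2 session token obtained with a PUT first, which this example does not do). The HTTP transport is abstracted as a callable so the logic runs offline against a constructed fake; `FakeMetadataService`, `RoleCredentialProvider`, `fetch_role_credentials` and the credential values are all hypothetical, and every key, secret and token below is fake.

```python
"""IAM-role credential lookup from EC2 instance metadata (illustrative only)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Metadata path from the ticket; the role name is appended to it.
METADATA_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC datetime (helper for clocks and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


class FakeMetadataService:
    """Constructed stand-in for the EC2 metadata endpoint. All values are fake;
    the document shape mirrors the JSON fragment quoted in the ticket."""

    def __init__(self, role_name: str = "example-role") -> None:
        self.role_name = role_name
        self.calls = 0  # number of credential-document fetches, to observe caching

    def fetch(self, url: str) -> str:
        if url == METADATA_BASE:
            return self.role_name + "\n"  # the parent path lists the single role
        if url == METADATA_BASE + self.role_name:
            self.calls += 1
            # A real service rotates these; the fake returns the same document.
            return json.dumps({
                "Code": "Success",
                "LastUpdated": "2015-02-24T21:10:36Z",
                "Type": "AWS-HMAC",
                "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",                     # fake
                "SecretAccessKey": "fakeSecretKeyForExampleOnly000000000",  # fake
                "Token": "FAKE-SESSION-TOKEN",                              # fake
                "Expiration": "2015-02-25T03:16:33Z",
            })
        raise KeyError(f"unexpected metadata URL: {url}")


def fetch_role_credentials(fetch: Callable[[str], str]) -> Dict[str, str]:
    """Two-step lookup from the ticket: list the parent path, take the sole role
    name it returns, then fetch that entry and validate the credential document."""
    roles = [line.strip() for line in fetch(METADATA_BASE).splitlines() if line.strip()]
    if len(roles) != 1:
        raise RuntimeError(f"expected exactly one IAM role in metadata, got {roles!r}")
    creds = json.loads(fetch(METADATA_BASE + roles[0]))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={creds.get('Code')!r}")
    missing = [key for key in REQUIRED_KEYS if not creds.get(key)]
    if missing:
        raise RuntimeError(f"credential document is missing {missing}")
    return creds


def parse_expiration(value: str) -> datetime:
    """Expiration is an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credentials_valid(creds: Dict[str, str], now: datetime,
                      margin: timedelta = timedelta(minutes=5)) -> bool:
    """The per-request check the ticket asks for. The margin avoids signing a
    request with credentials that expire while it is in flight."""
    return now + margin < parse_expiration(creds["Expiration"])


class RoleCredentialProvider:
    """Keeps the role credentials for the session and re-fetches them from the
    metadata service once they are about to expire."""

    def __init__(self, fetch: Callable[[str], str],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._fetch = fetch
        self._clock = clock
        self._creds: Optional[Dict[str, str]] = None

    def get(self) -> Dict[str, str]:
        """Return (AccessKeyId, SecretAccessKey, Token) valid for the next request."""
        if self._creds is None or not credentials_valid(self._creds, self._clock()):
            self._creds = fetch_role_credentials(self._fetch)
        return self._creds


if __name__ == "__main__":
    service = FakeMetadataService()
    provider = RoleCredentialProvider(service.fetch, clock=lambda: utc(2015, 2, 24, 22, 0))
    creds = provider.get()
    print("AccessKeyId:", creds["AccessKeyId"], "expires at", creds["Expiration"])
```

Wiring this into a real client means passing `AccessKeyId` and `SecretAccessKey` as the signing key pair and `Token` as the `x-amz-security-token` header on every S3 request; the provider's `get()` is what the connection layer would call before signing each request, and a failed refresh (metadata unreachable, `Code` not `Success`) should surface as an authentication error rather than a silent retry with stale credentials.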