[Cyberduck-trac] [Cyberduck] #10432: The AWS Access Key Id you provided does not exist in our records error when using S3 STS Profile
Cyberduck
trac at cyberduck.io
Tue Aug 14 10:19:34 UTC 2018
#10432: The AWS Access Key Id you provided does not exist in our records error when
using S3 STS Profile
-----------------------+-------------------------
Reporter: ekent | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: core | Version: 6.7.0
Severity: normal | Keywords:
Architecture: | Platform: macOS 10.12
-----------------------+-------------------------
Since 6.7.0 there has been a functionality to use temporary credentials
(session keys) for accessing S3.
I've downloaded the correct STS S3 profile and filled out the bookmark
correctly.
I use a in house saml script to authenticate me and then create me an
access key, secret key and session key, which are automatically put in the
.aws/credentials file.
If I use these credentials with the aws cli (for example aws --profile
test s3 ls) it works without any issues.
If I try to use Cyberduck however (specifying the same profile name) I get
the following message:
Cannot read bucket versioning status
The AWS Access Key Id you provided does not exist in our records. Please
contact your web hosting service provider for assistance.
The profile in question has full S3 access, and so the message of cannot
read bucket versioning status is wrong.
The one thing I am questioning is - we use a AWS account to authenticate
and then we assume cross account roles to access the other
accounts/services. The profile (which is a role on a child account) works
fine using the CLI. Is it possible that Cyberduck is ignoring the role and
just trying to login to the authentication AWS account?
Credentials file looks like the following:
[default]
aws_access_key_id = keyidhere
aws_secret_access_key = keyhere
aws_session_token = sessiontokenhere
[profile testrole]
role_arn = arn:aws:iam::account:role/testrole
source_profile = default
Log Drawer:
{{{GET /?versioning HTTP/1.1
Date: Tue, 14 Aug 2018 10:16:56 GMT
x-amz-request-payer: requester
x-amz-content-sha256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: redacted.s3.amazonaws.com
x-amz-date: 20180814T101656Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64)
HTTP/1.1 403 Forbidden
x-amz-request-id: 416DA0A1C78F8DED
x-amz-id-2:
WqSZzm4AZAmxLTim+sXL4AcaoI07aQZFrwoJwDecMbTO6DVYUQhF/qOWn2TKT2PFaZ0ynuikQeM=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 14 Aug 2018 10:16:46 GMT
Server: AmazonS3}}}
This is currently stopping our ability to use the product for its intended
purpose.
Any ideas?
--
Ticket URL: <https://trac.cyberduck.io/ticket/10432>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list