[Cyberduck-trac] [Cyberduck] #10432: The AWS Access Key Id you provided does not exist in our records error when using S3 STS Profile

Cyberduck trac at cyberduck.io
Tue Aug 14 10:19:34 UTC 2018


#10432: The AWS Access Key Id you provided does not exist in our records error when
using S3 STS Profile
-----------------------+-------------------------
    Reporter:  ekent   |      Owner:
        Type:  defect  |     Status:  new
    Priority:  normal  |  Milestone:
   Component:  core    |    Version:  6.7.0
    Severity:  normal  |   Keywords:
Architecture:          |   Platform:  macOS 10.12
-----------------------+-------------------------
 Since 6.7.0 there has been functionality to use temporary credentials
 (session keys) for accessing S3.
 I've downloaded the correct STS S3 profile and filled out the bookmark
 correctly.
 I use an in-house SAML script to authenticate me and then create me an
 access key, secret key and session key, which are automatically put in the
 .aws/credentials file.
 If I use these credentials with the AWS CLI (for example aws --profile
 test s3 ls) it works without any issues.
 If I try to use Cyberduck however (specifying the same profile name) I get
 the following message:
 Cannot read bucket versioning status
 The AWS Access Key Id you provided does not exist in our records. Please
 contact your web hosting service provider for assistance.

 The profile in question has full S3 access, and so the message "Cannot
 read bucket versioning status" is wrong.

 The one thing I am questioning is - we use an AWS account to authenticate
 and then we assume cross-account roles to access the other
 accounts/services. The profile (which is a role on a child account) works
 fine using the CLI. Is it possible that Cyberduck is ignoring the role and
 just trying to log in to the authentication AWS account?

 Credentials file looks like the following:
 [default]
 aws_access_key_id = keyidhere
 aws_secret_access_key = keyhere
 aws_session_token = sessiontokenhere

 [profile testrole]
 role_arn = arn:aws:iam::account:role/testrole
 source_profile = default

 Log Drawer:
 {{{
 GET /?versioning HTTP/1.1
 Date: Tue, 14 Aug 2018 10:16:56 GMT
 x-amz-request-payer: requester
 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 Host: redacted.s3.amazonaws.com
 x-amz-date: 20180814T101656Z
 Authorization: ********
 Connection: Keep-Alive
 User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64)
 HTTP/1.1 403 Forbidden
 x-amz-request-id: 416DA0A1C78F8DED
 x-amz-id-2: WqSZzm4AZAmxLTim+sXL4AcaoI07aQZFrwoJwDecMbTO6DVYUQhF/qOWn2TKT2PFaZ0ynuikQeM=
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Date: Tue, 14 Aug 2018 10:16:46 GMT
 Server: AmazonS3
 }}}

 This is currently stopping our ability to use the product for its intended
 purpose.
 Any ideas?

--
Ticket URL: <https://trac.cyberduck.io/ticket/10432>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
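
An added example, not part of the original ticket and not Cyberduck's code: it resolves the profile chain from a credentials file laid out like the one in the report and checks whether a captured request carries the `x-amz-security-token` header that S3 requires when a request is signed with temporary credentials. The function names are hypothetical; the sample file and header list are constructed from the report's placeholder values and log excerpt.

```python
import configparser

# Constructed sample: same layout and placeholder values as the file in the report.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = keyidhere
aws_secret_access_key = keyhere
aws_session_token = sessiontokenhere

[profile testrole]
role_arn = arn:aws:iam::account:role/testrole
source_profile = default
"""
# Request header names as they appear in the log drawer excerpt of the report.
LOGGED_REQUEST_HEADERS = ["Date", "x-amz-request-payer", "x-amz-content-sha256",
                          "Host", "x-amz-date", "Authorization", "Connection", "User-Agent"]

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def resolve(cp, name, seen=()):
    """Ordered steps a client must perform to get usable keys for profile `name`."""
    if name in seen:
        raise ValueError(f"source_profile loop at {name!r}")
    # Accept both "[name]" and "[profile name]" section headers.
    sec = next((cp[s] for s in (name, f"profile {name}") if cp.has_section(s)), None)
    if sec is None:
        raise KeyError(name)
    if "role_arn" in sec:
        # The profile has no keys of its own: resolve the source profile first,
        # then exchange its keys for role credentials via sts:AssumeRole.
        return resolve(cp, sec["source_profile"], seen + (name,)) + [("assume-role", sec["role_arn"])]
    if "aws_access_key_id" not in sec:
        raise ValueError(f"profile {name!r} has neither keys nor role_arn")
    return [("session-keys" if "aws_session_token" in sec else "long-term-keys", name)]

def required_headers(steps):
    """Extra headers a signed S3 request needs for the credentials the steps yield."""
    # Session keys and AssumeRole output are temporary and only valid with their token.
    return {"x-amz-security-token"} if steps[-1][0] != "long-term-keys" else set()

def missing_headers(steps, sent):
    return required_headers(steps) - {h.lower() for h in sent}

if __name__ == "__main__":
    cp = load(SAMPLE_CREDENTIALS)
    for profile in ("default", "testrole"):
        steps = resolve(cp, profile)
        print(profile, steps, "missing:", sorted(missing_headers(steps, LOGGED_REQUEST_HEADERS)))
```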