[Cyberduck-trac] [Cyberduck] #10432: 403 Forbidden for requesting credentials from role based profile

Cyberduck trac at cyberduck.io
Tue Aug 21 12:22:56 UTC 2018


#10432: 403 Forbidden for requesting credentials from role based profile
-------------------------+------------------------
 Reporter:  ekent        |         Owner:  dkocher
     Type:  defect       |        Status:  new
 Priority:  normal       |     Milestone:
Component:  s3           |       Version:  6.7.0
 Severity:  normal       |    Resolution:
 Keywords:               |  Architecture:
 Platform:  macOS 10.12  |
-------------------------+------------------------

Comment (by dkocher):

 Cross account/role based access should work. Not sure if I can follow but
 I want to clarify what we attempt in the different configuration
 deployment scenarios:
  * If a role based profile is found (with `role_arn`), we will issue a
 `AssumeRoleRequest`request to STS to obtain credentials.
  * For basic profiles we read `aws_access_key_id`, `aws_secret_access_key`
 and `aws_session_token` and authenticate *without* STS.
  * For basic profiles with no `aws_session_token` but `Token Configurable`
 set in the connection profile we obtain the credentials using a
 `GetSessionTokenRequest` from STS (we do not currently advertise such a
 profile on [https://cyberduck.io/s3/])

--
Ticket URL: <https://trac.cyberduck.io/ticket/10432#comment:13>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows


More information about the Cyberduck-trac mailing list