[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
Cyberduck
trac at cyberduck.io
Sun Jul 22 19:04:22 UTC 2018
#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+-------------------------
Reporter: tigris | Owner: dkocher
Type: feature | Status: assigned
Priority: high | Milestone: 6.7.0
Component: s3 | Version: 4.7
Severity: normal | Resolution:
Keywords: s3 iam sts mfa | Architecture: Intel
Platform: Mac OS X 10.10 |
----------------------------+-------------------------
Comment (by dkocher):
We used the following steps to test our implementation.
1. Create an IAM user `testuser`
2. Create an IAM policy `userpolicy` with the following policy document:
{{{
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/testrole",
      "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": true}
      }
    }
  ]
}
}}}
3. Attach the `userpolicy` policy to the `testuser` user.
4. Create an IAM role `testrole`, specifying `123456789012` as the account
and electing to require MFA.
5. Create an IAM policy `rolepolicy` with the following policy document:
{{{
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
}}}
6. Attach the `rolepolicy` policy to the `testrole` role.
7. Generate an access key and secret for `testuser`
8. Configure an MFA device for `testuser`
9. Create a file `~/.aws/credentials` with the following contents
(substituting where indicated):
{{{
[testuser]
aws_access_key_id=<access key for testuser>
aws_secret_access_key=<secret key for testuser>
[testrole]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=testuser
mfa_serial=arn:aws:iam::123456789012:mfa/testuser
}}}
10. Install the S3 (Credentials from AWS Security Token Service) profile
and configure a bookmark using the `testrole` profile by entering
`testrole` in ''Profile Name''.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:45>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
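
The credentials file from step 9 ties the `testrole` profile to `testuser` through `source_profile` and to the MFA device through `mfa_serial`. The following added example (not part of the ticket comment and not Cyberduck's code) sketches how a client could resolve that chain into the parameters of an `sts:AssumeRole` request, and why the MFA token code cannot be skipped when the policy from step 2 is in force. The function name `resolve_assume_role`, the `ProfileError` class, the session name and the key values in the sample are assumptions made for illustration.

```python
import configparser

# Constructed sample mirroring the file from step 9; key values are placeholders.
SAMPLE = """\
[testuser]
aws_access_key_id=AKIAPLACEHOLDER
aws_secret_access_key=placeholder-secret
[testrole]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=testuser
mfa_serial=arn:aws:iam::123456789012:mfa/testuser
"""


class ProfileError(ValueError):
    """The profile cannot be turned into a valid AssumeRole request."""


def resolve_assume_role(credentials_text, profile, mfa_code=None):
    """Return (signing profile name, sts:AssumeRole parameters) for a role profile."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(credentials_text)
    if not cfg.has_section(profile):
        raise ProfileError(f"profile {profile!r} not found")
    role = cfg[profile]
    if not role.get("role_arn"):
        raise ProfileError(f"profile {profile!r} has no role_arn")
    source = role.get("source_profile")
    if not source or not cfg.has_section(source):
        raise ProfileError(f"source_profile {source!r} not found")
    # The AssumeRole call is signed with the source profile's long-term keys.
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not cfg[source].get(key):
            raise ProfileError(f"profile {source!r} is missing {key}")
    # RoleSessionName is a constructed value; STS requires one on every call.
    params = {"RoleArn": role["role_arn"], "RoleSessionName": f"{profile}-session"}
    serial = role.get("mfa_serial")
    if serial:
        # With aws:MultiFactorAuthPresent required, omitting these is an AccessDenied.
        if not (mfa_code and mfa_code.isascii() and mfa_code.isdigit() and len(mfa_code) == 6):
            raise ProfileError("mfa_serial is set: a 6-digit token code is required")
        params["SerialNumber"] = serial
        params["TokenCode"] = mfa_code
    return source, params
```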