[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
Cyberduck
trac at cyberduck.io
Mon Mar 26 19:23:04 UTC 2018
#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+-------------------------
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  assigned
 Priority:  low             |     Milestone:
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  s3 iam sts      |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |
----------------------------+-------------------------
Comment (by jibi-waba):
If Cyberduck supported the use of aws_session_token from the credentials
file, then this would definitely be the route to take. However, using only
the aws_access_key_id and aws_secret_access_key from that file does not
allow authentication to the service. It needs a combination of all three
values. You may want to add support for the legacy variable name -
aws_security_token - which shares the same value as aws_session_token (at
least in our environment). The token information is generated via the STS
service when authenticating via a SAML-based identity provider (whether that
is Okta or ADFS or Auth0 or another provider).
Here's a truncated profile in my credentials file:
[aws-account-name]
aws_access_key_id = ASIA...
aws_secret_access_key = ++LQV7...
aws_session_token = FQoDY...
aws_security_token = FQoDY...
last_updated = 2018-03-26T18:14:35Z
More information:
https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/
--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:28>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
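
Added example, not part of the ticket and not Cyberduck's code: a reader for the credentials file that applies the rule from the comment above, namely that a temporary key from STS is only usable together with its token, and that the token may appear under the legacy name aws_security_token. The profile names and all values are constructed; preferring aws_session_token when both names are present is an assumption of this example.

```python
import configparser

# Constructed sample credentials file; every value is a placeholder.
SAMPLE = """\
[saml-session]
aws_access_key_id = ASIAEXAMPLEKEYID0001
aws_secret_access_key = ++constructed/secret
aws_session_token = constructed-token-A
aws_security_token = constructed-token-A
last_updated = 2018-03-26T18:14:35Z

[legacy-only]
aws_access_key_id = ASIAEXAMPLEKEYID0002
aws_secret_access_key = constructed/secret
aws_security_token = constructed-token-B

[token-missing]
aws_access_key_id = ASIAEXAMPLEKEYID0003
aws_secret_access_key = constructed/secret
"""


class IncompleteCredentials(ValueError):
    """The profile cannot authenticate as written."""


def load_profile(text, name):
    """Return (access_key, secret_key, session_token_or_None) for one profile."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    if not cp.has_section(name):
        raise KeyError(name)
    sec = cp[name]
    key = sec.get("aws_access_key_id", "").strip()
    secret = sec.get("aws_secret_access_key", "").strip()
    if not key or not secret:
        raise IncompleteCredentials(f"{name}: access key id or secret missing")
    # Assumption of this example: current name first, legacy name as fallback.
    token = sec.get("aws_session_token") or sec.get("aws_security_token")
    # Key ids issued by STS start with ASIA and are rejected without their token.
    if key.startswith("ASIA") and not token:
        raise IncompleteCredentials(f"{name}: temporary key without session token")
    return key, secret, token.strip() if token else None
```

Extra keys such as last_updated are ignored by the reader, so files written by a SAML login helper parse unchanged.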