[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS

Cyberduck trac at cyberduck.io
Mon Mar 26 19:23:04 UTC 2018

#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  assigned
 Priority:  low             |     Milestone:
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  s3 iam sts      |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |

Comment (by jibi-waba):

 If Cyberduck supported the use of aws_session_token from the credentials
 file, then this would definitely be the route to take. However, using only
 the aws_access_key_id and aws_secret_access_key from that file does not
 allow authentication to the service. It needs a combination of all three
 values. You may want to add support for the legacy variable name -
 aws_security_token - which shares the same value as aws_session_token (at
 least in our environment). The token information is generated via the STS
 service when authenticating via SAML-based identity provider (whether that
 is Okta or ADFS or Auth0 or other provider).

 Here's a truncated profile in my credentials file:

 aws_access_key_id = ASIA...
 aws_secret_access_key = ++LQV7...
 aws_session_token = FQoDY...
 aws_security_token = FQoDY...
 last_updated = 2018-03-26T18:14:35Z

 More information:

Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:28>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list