[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
Cyberduck
trac at cyberduck.io
Mon Mar 26 19:47:25 UTC 2018
#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+-------------------------
Reporter: tigris | Owner: dkocher
Type: feature | Status: assigned
Priority: low | Milestone:
Component: s3 | Version: 4.7
Severity: normal | Resolution:
Keywords: s3 iam sts | Architecture: Intel
Platform: Mac OS X 10.10 |
----------------------------+-------------------------
Comment (by mjcsb):
aws_session_token and aws_security_token are, I think, the wrong way to
fix this. That's not how AWS recommends you configure cross-account roles
in AWS CLI.
The original ticket description remains the correct approach, IMHO. The
IAM access code should look up a profile in ~/.aws/config - NOT - specify
secret/access keys explicitly. This profile may contain either the
secret/access keys needed, or it may contain a role_arn combined with a
reference to a source_profile. It is the combination of the source_profile
to get the secret/access key, with the role_arn to assume that role in
another account, which is needed to access the S3 bucket in the other
account.
I'm pretty sure all the code necessary to make this work is open source
and visible in the AWS CLI GitHub project, someone just needs to refactor
it to work here. Not sure why this is taking so long...
--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:29>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows