[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS

Cyberduck trac at cyberduck.io
Mon Mar 26 19:47:25 UTC 2018

#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  assigned
 Priority:  low             |     Milestone:
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  s3 iam sts      |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |

Comment (by mjcsb):

 aws_session_token and aws_security_token are, I think, the wrong way to
 fix this. That's not how AWS recommends you configure cross-account roles
 in AWS CLI.

 The original ticket description remains the correct approach, IMHO. The
 IAM access code should look up a profile in ~/.aws/config - NOT - specify
 secret/access keys explicitly. This profile may contain either the
 secret/access keys needed, or it may contain a role_arn combined with a
 reference to a source_profile. It is the combination of the source_profile
 to get the secret/access key, with the role_arn to assume that role in
 another account, which is needed to access the S3 bucket in the other

 I'm pretty sure all the code necessary to make this work is open source
 and visible in the AWS CLI GitHub project, someone just needs to refactor
 it to work here. Not sure why this is taking so long...

Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:29>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list