[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
Cyberduck
trac at cyberduck.io
Thu May 10 13:08:23 UTC 2018
#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+-------------------------
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  assigned
 Priority:  high            |     Milestone:  7.0
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  s3 iam sts mfa  |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |
----------------------------+-------------------------
Comment (by mcnicr):
A typical use case we have is switching roles between accounts that
require MFA for the assume role to succeed. A sample of the type of
config file most users are using is adding the mfa_serial to the config
default profile and then referencing this in other profiles. This setup
is using a single sign-on account '00000000000' for user management for
passwords/access keys and MFA. Then the users will assume role into a
different account to access S3.
When accessing S3 the UI should allow the user to input the MFA token to
retrieve an sts:SessionToken which will carry the MFA characteristics
along to be used to get sts:AssumeRole credentials.

User Credentials -> Session Credentials with MFA -> Assume Role into accounts with S3 data.

~user/.aws/config
{{{
[default]
region=us-east-1
output=json
mfa_serial=arn:aws:iam::000000000000:mfa/user@domain.com
[profile assumerole]
role_arn=arn:aws:iam::11111111111111:role/role1account1
source_profile=default
[profile assumerole2]
role_arn=arn:aws:iam::22222222222222:role/role2account2
source_profile=default
}}}
--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:37>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
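
The flow described in the comment (user credentials, then MFA-backed session credentials, then AssumeRole), sketched as an added example that is not part of the ticket or of Cyberduck's code. It resolves a profile through its source_profile chain and returns the STS calls a client would issue, in order. The function name, the session name and the sample account IDs are assumptions made for illustration, as is the rule that a role profile picks up mfa_serial from its source profile.

```python
import configparser

# Constructed sample in the shape of the config above (placeholder account IDs).
SAMPLE_CONFIG = """\
[default]
region=us-east-1
mfa_serial=arn:aws:iam::000000000000:mfa/user@domain.com

[profile assumerole]
role_arn=arn:aws:iam::111111111111:role/role1account1
source_profile=default
"""

def plan_sts_calls(config_text, profile, token_code, session_name="example-session"):
    """Return the ordered STS calls as (operation, parameters) tuples.

    Assumption taken from the comment: a role profile without its own
    mfa_serial uses the one found further along its source_profile chain.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    roles, seen, mfa_serial, name = [], set(), None, profile
    while True:
        if name in seen:
            raise ValueError(f"source_profile loop at {name!r}")
        seen.add(name)
        # Every section except [default] is written as [profile NAME].
        section = cfg["default" if name == "default" else f"profile {name}"]
        mfa_serial = mfa_serial or section.get("mfa_serial")
        if "role_arn" not in section:
            break  # reached the profile that holds long-term access keys
        if "source_profile" not in section:
            raise ValueError(f"profile {name!r} has role_arn but no source_profile")
        roles.append(section["role_arn"])
        name = section["source_profile"]
    calls = []
    if mfa_serial:
        if not (token_code.isascii() and token_code.isdigit() and len(token_code) == 6):
            raise ValueError("MFA token code must be six digits")
        # Step 1: long-term keys + MFA code -> MFA-backed session credentials.
        calls.append(("GetSessionToken",
                      {"SerialNumber": mfa_serial, "TokenCode": token_code}))
    # Step 2: each AssumeRole is signed with the previous step's credentials,
    # so roles nearest the source profile are assumed first.
    for role_arn in reversed(roles):
        calls.append(("AssumeRole",
                      {"RoleArn": role_arn, "RoleSessionName": session_name}))
    return calls
```

Rejecting a malformed token code before any request is sent avoids spending a failed MFA attempt against the sign-on account.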