[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS

Cyberduck trac at cyberduck.io
Thu May 10 13:08:23 UTC 2018

#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  assigned
 Priority:  high            |     Milestone:  7.0
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  s3 iam sts mfa  |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |

Comment (by mcnicr):

 A typical use case we have is switching roles between accounts that
 require MFA for the assume role to succeed.  A sample of the type of
 config file most users are using is adding the mfa_serial to the config
 default profile and then referencing this in other profiles.   This setup
 is using a single sign-on account '00000000000' for user management for
 passwords/access keys and MFA.  Then the users will assume role into a
 different account to access S3.

 When accessing S3 the UI should allow the user to input the MFA token to
 retrieve an sts:SessionToken which will carry the MFA characteristics
 along to be used to get sts:AssumeRole credentials.

 User Credentials -> Session Credentials with MFA -> Assume Role into
 accounts with S3 data.

 mfa_serial=arn:aws:iam::000000000000:mfa/user at domain.com
 [profile assumerole]
 [profile assumerole2]

Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:37>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list