[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
Cyberduck
trac at cyberduck.io
Thu May 10 13:28:37 UTC 2018
#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+-------------------------
Reporter: tigris | Owner: dkocher
Type: feature | Status: assigned
Priority: high | Milestone: 7.0
Component: s3 | Version: 4.7
Severity: normal | Resolution:
Keywords: s3 iam sts mfa | Architecture: Intel
Platform: Mac OS X 10.10 |
----------------------------+-------------------------
Description changed by dkocher:
Old description:
> I am using amazon AssumeRole function to assume a role that can access an
> S3 bucket. This means to connect to S3, it needs more than just SecretKey
> and AccessKey, it also need SecurityToken or SessionToken which is an
> extremely large string.
>
> If you set these 3 things in your environment, you can use tools like
> awscli etc from command line. I would like to use cyberduck instead as it
> can thread nicely. But unfortunately cyberduck only supports IAM users
> and not roles.
>
> It does support roles from an EC2 instance, so I think it should be very
> easy to support from my own OSX laptop? I was thinking of just running a
> local proxy for 169.254.169.254 to fake the fact I am not running on EC2,
> but it seemed like overkill.
>
> I notice a few people are suggesting entry of the security token - but
> isn't that short-lived? Don't see how that's a stable configuration
> solution. When configuring AWS CLI for this, I'd have an entry for the
> master account, and then one entry for each assumed role, such as:
>
> [profile master]
> region = us-east-1
> output = json
>
> [profile security]
> role_arn = arn:aws:iam::999999999999:role/MyAccessRole
> source_profile = master
> region=eu-west-1
> output=json
>
> I think you need a way to collect and use this information, mainly the
> role_arn and reference to the source_profile.
New description:
I am using amazon AssumeRole function to assume a role that can access an
S3 bucket. This means to connect to S3, it needs more than just SecretKey
and AccessKey, it also need SecurityToken or SessionToken which is an
extremely large string.
If you set these 3 things in your environment, you can use tools like
awscli etc from command line. I would like to use cyberduck instead as it
can thread nicely. But unfortunately cyberduck only supports IAM users and
not roles.
It does support roles from an EC2 instance, so I think it should be very
easy to support from my own OSX laptop? I was thinking of just running a
local proxy for 169.254.169.254 to fake the fact I am not running on EC2,
but it seemed like overkill.
I notice a few people are suggesting entry of the security token - but
isn't that short-lived? Don't see how that's a stable configuration
solution. When configuring AWS CLI for this, I'd have an entry for the
master account, and then one entry for each assumed role, such as:
{{{
[profile master]
region = us-east-1
output = json
[profile security]
role_arn = arn:aws:iam::999999999999:role/MyAccessRole
source_profile = master
region=eu-west-1
output=json
}}}
I think you need a way to collect and use this information, mainly the
role_arn and reference to the source_profile.
--
--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:39>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list