[Cyberduck-trac] [Cyberduck] #8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS

Cyberduck trac at cyberduck.io
Sat Feb 2 21:35:14 UTC 2019 

#8880: Authentication using AWS AssumeRole and GetSessionToken with AWS STS
----------------------------+------------------------
 Reporter:  tigris          |         Owner:  dkocher
     Type:  feature         |        Status:  closed
 Priority:  high            |     Milestone:  6.7.0
Component:  s3              |       Version:  4.7
 Severity:  normal          |    Resolution:  fixed
 Keywords:  s3 iam sts mfa  |  Architecture:  Intel
 Platform:  Mac OS X 10.10  |
----------------------------+------------------------

Comment (by cduser):

 Replying to [comment:59 dkocher]:
 > Replying to [comment:56 cduser]:
 > > This credentials file configuration (previously mentioned by dt001)
 works perfectly with commercial S3 regions (server: s3.amazonaws.com,
 region: us-west-1) but not with AWS GovCloud (server: s3-us-gov-
 west-1.amazonaws.com, region: us-gov-west-1). I'm using s3-us-gov-
 west-1.amazonaws.com as the "Server" and cyberduck gets into a loop where
 it says "Authenticating as publish_profile" followed by "Login failed". I
 am using version 6.9.3. Any ideas?
 > >
 > > {{{
 > > [publish_profile]
 > > output = json
 > > region = us-gov-west-1
 > > aws_access_key_id = AAAAAAAAAAAAAAAAAAAA
 > > aws_secret_access_key = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
 > > aws_session_token =
 SSSSSSSSSSS//////////SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS=
 > > }}}
 >
 > Can you confirm you use the ''AWS GovCloud connection profile'' from
 [https://cyberduck.io/s3/]. Please open a new ticket if the issue
 persists.

 Hi dkocher,

 I tried using the AWS GovCloud connection profile
 (https://svn.cyberduck.io/trunk/profiles/S3%20Gov%20Cloud.cyberduckprofile).
 The problem is that this profile doesn't seem to have the option to use
 ''S3(Credentials from AWS Security Token Service)''. It seems like to use
 a temporary token I need to use this other profile
 (https://svn.cyberduck.io/trunk/profiles/S3%20(Credentials%20from%20AWS%20Security%20Token%20Service).cyberduckprofile).
 I tried adding the following config to the ''S3(Credentials from AWS
 Security Token Service)'' profile (to change the S3 URL) but didn't work
 (unless I'm missing something).

 {{{
         <key>Default Port</key>
         <string>443</string>
         <key>Default Hostname</key>
         <string>s3-us-gov-west-1.amazonaws.com</string>
 }}}

 Is there a way to support both ''AWS GovCloud '' and "S3 (Credentials from
 AWS Security Token Service)".

 Thanks!

--
Ticket URL: <https://trac.cyberduck.io/ticket/8880#comment:62>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list