[Cyberduck-trac] [Cyberduck] #10620: Add AWS session token field for S3 connections
Cyberduck
trac at cyberduck.io
Sat Feb 16 20:49:03 UTC 2019
#10620: Add AWS session token field for S3 connections
----------------------------+-------------------------------
Reporter: vwalveranta | Owner:
Type: feature | Status: new
Priority: normal | Milestone:
Component: core | Version:
Severity: normal | Keywords: MFA session token
Architecture: | Platform:
----------------------------+-------------------------------
When MFA is required/enforced in order to use a given profile, the profile
cannot currently be used with Cyberduck because Cyberduck doesn't allow
the entry of the session token along with the standard AWS credentials.

This is separate from the deletion token that can be set on S3 buckets,
and when configured and enforced, it doesn't allow any access with the given
access key ID / secret access key unless the user is in an MFA session (and so
the session token is also provided). When an MFA session is
initialized, AWS provides a new access key ID and a new secret access key
(they are separate from the credentials of the profile the MFA session was
started for) in addition to the session token. These credentials are only
valid for the validity period of the session.

This is supported, for example, by Cloudberry Explorer. I have created a
set of scripts to manage the MFA sessions on the command line, as my
employer is moving to MFA enforcement on the command line as well (with the
enforcement enabled, any tool that utilizes the access keys won't work
unless it also allows the entry of the session token). The utility scripts
and their documentation can be found at the following URL:
https://github.com/vwal/awscli-mfa
--
Ticket URL: <https://trac.cyberduck.io/ticket/10620>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
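
Added example (not part of the ticket, Cyberduck, or the awscli-mfa scripts): the ticket's point that an MFA session yields a temporary access key ID, secret access key and session token that must be supplied together, shown by validating the JSON shape that `aws sts get-session-token` returns and rendering it as a shared-credentials profile. The sample values, the profile name and the function names are constructed for illustration.

```python
import configparser
import io
import json
from datetime import datetime, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

# Constructed sample in the shape of `aws sts get-session-token` JSON output.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "example-secret-access-key",
    "SessionToken": "example-session-token",
    "Expiration": "2019-02-17T08:49:03Z",
}})


def parse_session(sts_json, now):
    """Return (profile_keys, expiry) or raise ValueError if the set is unusable."""
    creds = json.loads(sts_json).get("Credentials", {})
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        # Temporary keys are rejected by AWS unless the session token accompanies them.
        raise ValueError("incomplete session credentials: " + ", ".join(missing))
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    if expires <= now:
        raise ValueError("MFA session expired at " + expires.isoformat())
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }, expires


def render_profile(name, session):
    """Render an AWS shared-credentials-file section holding the session keys."""
    cfg = configparser.ConfigParser()
    cfg[name] = session
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    now = datetime(2019, 2, 16, 20, 49, 3, tzinfo=timezone.utc)
    session, expires = parse_session(SAMPLE_STS_OUTPUT, now)
    print(render_profile("example-mfasession", session))
    print("valid until", expires.isoformat())
```

A client that only has fields for the first two keys cannot use this profile, which is the gap the ticket describes.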