[Cyberduck-trac] [Cyberduck] #10620: Add AWS session token field for S3 connections
Cyberduck
trac at cyberduck.io
Sun Feb 17 20:52:02 UTC 2019
#10620: Add AWS session token field for S3 connections
-------------------------------+------------------------
Reporter: vwalveranta | Owner: dkocher
Type: feature | Status: new
Priority: normal | Milestone:
Component: s3 | Version: 6.9.3
Severity: normal | Resolution:
Keywords: MFA session token | Architecture:
Platform: |
-------------------------------+------------------------
Comment (by vwalveranta):
Yes, I believe STS token feature is available for assuming roles i.e., to
create a role session.
However, there is no facility in Cyberduck at the moment to enter a
baseprofile MFA session token.
A baseprofile session is created like so:
{{{
aws --profile "some_baseprofile" sts get-session-token --serial-number
"mfa_arn_associated_with_the_baseprofile" --duration "3600" --token-code
"current_code_from_generator" --output "json"
}}}
- some_baseprofile: refers to the label name of a profile in
~/.aws/credentials or in ~/.aws/config
- mfa_arn_associated_with_the_baseprofile: refers to the virtual MFA
attached to the profile; this is the same vMFA that can be attached to the
profile via the web console.
- duration: can be enforced by the MFA enforcement policy (see example in
my repo). Otherwise, it's the AWS default.
- token-code: the current generated token from the Google Authenticator
-compatible code generator.
So, while a role can be used to bestow an IAM user additional privileges
by assuming one, the baseprofile MFA can be used to block access to the
IAM user altogether unless the user is in an active MFA session. In our
enforcement policy, we allow a user (who has this policy) to configure
their virtual MFA device, update their password, and create a new MFA
session.. and nothing else. Once they have started an MFA session, then
they have their regularly assigned privileges for the lasting of the
session. During this time they can also assume roles, thus entering into a
role session. Both the baseprofile MFA sessions and the role sessions
create a wholly new set of credentials (i.e. separate from the
baseprofile/source profile the session was created for): a new
aws_access_key_id, aws_secret_access_key, and aws_session_token. Cyberduck
currently provides a way to enter the session token to assume a session,
but not to use a baseprofile MFA. I'd recommend adding just an additional
field ("Session Token") into the connection profile window for S3
connections. If the field has content, then inject that into the request
as aws_session_token. The credentials for MFA and non-MFA are of the same
format except for the MFA sessions the session token is present (and the
access key id begins "ASIA.." instead of "AKIA..").
--
Ticket URL: <https://trac.cyberduck.io/ticket/10620#comment:3>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list