[Cyberduck-trac] [Cyberduck] #10620: Add AWS session token field for S3 connections
Cyberduck
trac at cyberduck.io
Sun Feb 17 21:06:44 UTC 2019
#10620: Add AWS session token field for S3 connections
-------------------------------+------------------------
Reporter: vwalveranta | Owner: dkocher
Type: feature | Status: new
Priority: normal | Milestone:
Component: s3 | Version: 6.9.3
Severity: normal | Resolution:
Keywords: MFA session token | Architecture:
Platform: |
-------------------------------+------------------------
Comment (by vwalveranta):
One more thing :-)
How are the baseprofile MFA sessions actually applicable to Cyberduck?
Basically, if you have a set of AWS credentials, an access_key_id, and
secret_access_key, but the MFA is set to be required for that IAM user,
those credentials are no good for anything (e.g., accessing S3 buckets the
user has privileges for) unless they provide MFA session credentials.
The process would then be like this:
1. In the aws CLI, the user starts an MFA session for their IAM account.
AWS provides a new aws_access_key_id, aws_secret_access_key, and
aws_session_token. My awscli-mfa.sh script can make this less painful.
2. The user opens a client (currently Cloudberry Explorer or, hopefully,
Cyberduck in the future :-) and enters the session credentials (including
the aws_session_token) into the connection profile.
3. The user connects normally to the S3 buckets their IAM account has the
privileges for.
4. Once the session ends, the access ends (and the user has to create a
new MFA session in the CLI and update the session credentials in the
connection profile to reconnect).
--
Ticket URL: <https://trac.cyberduck.io/ticket/10620#comment:5>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
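Added example, not part of the original ticket comment and not Cyberduck or awscli-mfa.sh code: a sketch of steps 1, 2 and 4 above that takes STS session output, refuses it if the session token is missing, renders the three values as a credentials profile, and checks expiry. The sample JSON is constructed in the shape of `aws sts get-session-token` output, and the profile name `mfa-session` is hypothetical.

```python
import configparser
import io
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts get-session-token` JSON output.
# Every value is a placeholder, not a real credential.
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret-key-placeholder",
    "SessionToken": "constructed-session-token-placeholder",
    "Expiration": "2019-02-18T09:06:44Z"
  }
}"""

FIELDS = {  # STS response field -> credentials-file key
    "AccessKeyId": "aws_access_key_id",
    "SecretAccessKey": "aws_secret_access_key",
    "SessionToken": "aws_session_token",
}


def parse_session(sts_json):
    """Extract the three session credentials plus expiry; reject partial sets."""
    creds = json.loads(sts_json).get("Credentials", {})
    missing = [f for f in (*FIELDS, "Expiration") if not creds.get(f)]
    if missing:
        raise ValueError("incomplete session credentials: " + ", ".join(missing))
    session = {key: creds[field] for field, key in FIELDS.items()}
    # Accept UTC written as either "Z" or "+00:00".
    session["expires"] = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return session


def render_profile(session, name="mfa-session"):  # profile name is hypothetical
    """Render an INI profile section holding all three session values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser[name] = {key: session[key] for key in FIELDS.values()}
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def is_expired(session, now=None):
    """Step 4: once the expiry passes, the profile must be refreshed."""
    return (now or datetime.now(timezone.utc)) >= session["expires"]


if __name__ == "__main__":
    s = parse_session(SAMPLE_STS_OUTPUT)
    print(render_profile(s), "expired:", is_expired(s))
```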