[Cyberduck-trac] [Cyberduck] #10620: Add AWS session token field for S3 connections

Cyberduck trac at cyberduck.io
Sun Feb 17 21:06:44 UTC 2019

#10620: Add AWS session token field for S3 connections
 Reporter:  vwalveranta        |         Owner:  dkocher
     Type:  feature            |        Status:  new
 Priority:  normal             |     Milestone:
Component:  s3                 |       Version:  6.9.3
 Severity:  normal             |    Resolution:
 Keywords:  MFA session token  |  Architecture:
 Platform:                     |

Comment (by vwalveranta):

 One more thing :-)

 How are the baseprofile MFA sessions actually applicable to Cyberduck?
 Basically, if you have a set of AWS credentials, an access_key_id, and
 secret_access_key, but the MFA is set to be required for that IAM user,
 those credentials are no good for anything (e.g., accessing S3 buckets the
 user has privileges for) unless they provide MFA session credentials.

 The process would then be like this:

 1. In the aws CLI, the user starts an MFA session for their IAM account.
 AWS provides a new aws_access_key_id, aws_secret_access_key, and
 aws_session_token. My awscli-mfa.sh script can make this less painful.
 2. The user opens a client (currently Cloudberry Explorer or, hopefully,
 Cyberduck in the future :-) and enters the session credentials (including
 the aws_session_token) into the connection profile.
 3. The user connects normally to the S3 buckets their IAM account has the
 privileges for.
 4. Once the session ends, the access ends (and the user has to create a
 new MFA session in the CLI and update the session credentials in the
 connection profile to reconnect).

Ticket URL: <https://trac.cyberduck.io/ticket/10620#comment:5>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list