Amazon S3 GUI client for OS X that allows AWS STS assume role

2

9

In our AWS infrastructure, we are using AWS Organisations, a way to centralize the user accounts and let them assume a role in other AWS accounts of our company. This allows us to isolate each environment and at the same time to have just one account that you can use to work with resources in other accounts without having 4-5 passwords.

The problem comes up with the S3 buckets, as we have some users that are using Cyberduck to access files in S3 buckets. Unfortunately, Cyberduck doesn't support AWS STS assumeRole (according to the Cyberduck documentation); it forces you to set up the access key ID and the secret key in order to access the S3 buckets of that specific account.

Do you know any S3 GUI client for Mac that supports assumeRole?

Schwinn answered 21/4, 2017 at 13:36 Comment(7)
STS assumeRole only works on AWS services. Unless you are talking about installing OSX into AWS EC2. - Accord
@Accord not 100% true. Theoretically, you can have a user access key/secret in a desktop app execute AssumeRole to another role. The app does not need to be on EC2. - Mess
@MattHouser : Do you mean setting up the local client credential with a Role ARN? - Accord
@Accord no. You create an IAM user with permissions to sts:AssumeRole. On the client app, you use that access key/secret. But instead of issuing s3 commands directly, it executes sts:AssumeRole to assume into the IAM role and obtains new temporary credentials for that role. Using those credentials, it executes the s3 commands. - Mess
@MattHouser : thanks for the knowledge. - Accord
There is ticket #8880 that asks for supporting _Authentication using AWS AssumeRole and GetSessionToken with AWS STS_. Could you please add your comments there? - Josephina
I had the same issue when we moved to a similar setup, so I ended up extending a little app that I had to expose those credentials locally as if the machine was an EC2 instance and using a modified version of the profile available in the Cyberduck documentation. That works fine even if your role requires MFA. - Colettecoleus
1

This is supported as of Cyberduck 6.7.

  • https://cyberduck.io/changelog/

    Transparently support role-based access, including cross-account using AWS Security Token Service (STS), configured in the standard AWS SDK credentials file (S3)

Josephina answered 14/10, 2018 at 20:26 Comment(0)
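
The credentials-file layout that changelog entry refers to, as an added example that is not part of the original answer or of Cyberduck's own documentation. It assumes the file is the standard `~/.aws/credentials`; all profile names, role names, user names and account IDs are constructed placeholders.

```ini
# ~/.aws/credentials
# All names and account IDs below are constructed placeholders.

# Before: one long-term key pair per account, each stored on the workstation.
# [staging]
# aws_access_key_id     = <STAGING_ACCESS_KEY_ID>
# aws_secret_access_key = <STAGING_SECRET_ACCESS_KEY>
# [production]
# aws_access_key_id     = <PRODUCTION_ACCESS_KEY_ID>
# aws_secret_access_key = <PRODUCTION_SECRET_ACCESS_KEY>

# After: long-term keys exist only for the IAM user in the central account.
# That user needs permission to call sts:AssumeRole on the roles below.
[central]
aws_access_key_id     = <ACCESS_KEY_ID>
aws_secret_access_key = <SECRET_ACCESS_KEY>

# Role profiles hold no secrets. The client calls sts:AssumeRole with the
# source profile's keys and uses the temporary credentials it gets back.
[staging]
role_arn       = arn:aws:iam::111111111111:role/S3FileAccess
source_profile = central

# mfa_serial is needed only when the role's trust policy requires MFA;
# it names the MFA device of the IAM user in the central account.
[production]
role_arn       = arn:aws:iam::222222222222:role/S3FileAccess
source_profile = central
mfa_serial     = arn:aws:iam::999999999999:mfa/example.user
```

Each target account's role must also trust the central account in its trust policy, otherwise the AssumeRole call is denied regardless of what the file contains.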
1

Update 2022: The AWS Toolkit for IntelliJ IDEA-based IDEs is capable of switching profiles and consumes MFA tokens.

Original answer: Transmit 5.5 from Panic does support IAM roles with MFA.

Audra answered 2/5, 2020 at 19:10 Comment(1)
5.8.10 seems to. They have a field for MFA. - Estrella
