Missing session token when making the AssumeRoleRequest to obtain the cross account credentials from STS

[cyberduck]

49f3158 created the issue

Since 6.7.0 there has been a functionality to use temporary credentials (session keys) for accessing S3.
I've downloaded the correct STS S3 profile and filled out the bookmark correctly.
I use a in house saml script to authenticate me and then create me an access key, secret key and session key, which are automatically put in the .aws/credentials file.
If I use these credentials with the aws cli (for example aws --profile test s3 ls) it works without any issues.
If I try to use Cyberduck however (specifying the same profile name) I get the following message:
Cannot read bucket versioning status

The AWS Access Key Id you provided does not exist in our records. Please contact your web hosting service provider for assistance.

The profile in question has full S3 access, and so the message of cannot read bucket versioning status is wrong.

The one thing I am questioning is - we use a AWS account to authenticate and then we assume cross account roles to access the other accounts/services. The profile (which is a role on a child account) works fine using the CLI. Is it possible that Cyberduck is ignoring the role and just trying to login to the authentication AWS account?

Credentials file looks like the following:

[default]
aws_access_key_id = keyidhere
aws_secret_access_key = keyhere
aws_session_token = sessiontokenhere

[profile testrole]
role_arn = arn:aws:iam::account:role/testrole
source_profile = default

Log Drawer:

GET /?versioning HTTP/1.1
Date: Tue, 14 Aug 2018 10:16:56 GMT
x-amz-request-payer: requester
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Host: redacted.s3.amazonaws.com
x-amz-date: 20180814T101656Z
Authorization: ********
Connection: Keep-Alive
User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64)
HTTP/1.1 403 Forbidden
x-amz-request-id: 416DA0A1C78F8DED
x-amz-id-2: WqSZzm4AZAmxLTim+sXL4AcaoI07aQZFrwoJwDecMbTO6DVYUQhF/qOWn2TKT2PFaZ0ynuikQeM=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 14 Aug 2018 10:16:46 GMT
Server: AmazonS3

This is currently stopping our ability to use the product for its intended purpose.
Any ideas?

[cyberduck]

@dkocher commented

Can you confirm you have configured the bookmark using profile testrole in the Profile Name… input field.

[cyberduck]

49f3158 commented

I can confirm I've tried to use both 'profile testrole' and 'testrole' and both give the same result. (with the credentials file also reflecting the same.

[cyberduck]

@dkocher commented

Please enable debug logging and post the output in the system.log (/Applications/Utilities/Console.app) after launching Cyberduck.

[cyberduck]

49f3158 commented

Logs here, with the account number and bucket name redacted for security.
Note, that I used the same credentials and token using the aws cli, both before and after this attempt and the security/session token does work. I double checked again afterwards using the --debug option on the aws command.

Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.binding.WindowController - Become main for window <NSWindow: 0x6080001fc000>
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.binding.WindowController - Become key for window <NSWindow: 0x6080001fc000>
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.controller.BrowserController - Mount session for Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.controller.BrowserController - Unmount session ch.cyberduck.core.pool.SessionPool$DisconnectedSessionPool@1744a475
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] INFO  ch.cyberduck.core.AbstractCache - Clearing cache Cache{size=0}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.controller.BrowserController - Set working directory to null
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.controller.BrowserController - Set path filter to RegexFilter{pattern=\..*}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.controller.BrowserController - Reload data with selected files []
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.ui.cocoa.datasource.BrowserOutlineViewDataSource - Reload table view <CDOutlineView: 0x7ff48573b380> for changes files []
Aug 21 11:21:29 --- last message repeated 1 time ---
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] INFO  ch.cyberduck.core.SessionPoolFactory - Create new stateless connection pool for Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.core.SessionFactory - Create session for Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory - Using SSL context with protocol TLS
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.core.threading.DefaultBackgroundExecutor - Run action WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}} in background
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] INFO  ch.cyberduck.core.threading.DefaultBackgroundExecutor - Scheduled background runnable WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}} for execution
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.BackgroundCallable - Running background action WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.BackgroundCallable - Prepare background action WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.AbstractBackgroundAction - Prepare background task WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.AbstractController - Start action WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.BackgroundCallable - Call background action WorkerBackgroundAction{worker=MountWorker{cache=ch.cyberduck.core.ReverseLookupCache@28501a4b}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.Session - Add listener ch.cyberduck.ui.cocoa.controller.BrowserController@ca93621
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.KeychainLoginService - Validate login credentials for Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] INFO  ch.cyberduck.core.proxy.SystemConfigurationProxy - No poxy configuration found for target Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.NamedThreadFactory - Create thread for runnable ch.cyberduck.core.Resolver$1@22c8a233
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.Resolver - Waiting for resolving of s3.amazonaws.com
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [resolver-1] INFO  ch.cyberduck.core.Resolver - Resolved s3.amazonaws.com to 52.216.129.141
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [resolver-1] DEBUG ch.cyberduck.core.threading.NamedThreadFactory - Finished execution of runnable ch.cyberduck.core.Resolver$1@22c8a233
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.Session - Connection will open to Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.http.HttpConnectionPoolBuilder - Setup connection pool with registry {http=ch.cyberduck.core.http.HttpConnectionPoolBuilder$1@5bc7a509, https=ch.cyberduck.core.http.HttpConnectionPoolBuilder$2@5a021628}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.s3.S3Session - Configure for endpoint Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - s3service.https-only=true
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - storage-service.internal-error-retry-max=0
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - s3service.default-storage-class=null
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - s3service.server-side-encryption=null
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - devpay.user-token=null
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - devpay.product-token=null
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.jets3t.service.Jets3tProperties - httpclient.requester-pays-buckets-enabled=false
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.Session - Connection did open to Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.KeychainLoginService - Attempt authentication for Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.sts.STSCredentialsConfigurator - Look for profile name DPMProdMaster-RO in ~/.aws/credentials
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.sts.STSCredentialsConfigurator - Found matching profile DPMProdMaster-RO
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.sts.STSCredentialsConfigurator - Configure credentials from role based profile DPMProdMaster-RO
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] INFO  ch.cyberduck.core.proxy.SystemConfigurationProxy - No poxy configuration found for target Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.sts.STSCredentialsConfigurator - Request {RoleArn: arn:aws:iam::redacted-account-number:role/DPMProdMaster-RO,RoleSessionName: Cyberduck-jdenitce,} from com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient@4106b9e9
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.request - Sending Request: POST https://sts.amazonaws.com / Parameters: ({"Action":["AssumeRole"],"Version":["2011-06-15"],"RoleArn":["arn:aws:iam::redacted-account-number:role/DPMProdMaster-RO"],"RoleSessionName":["Cyberduck-jdenitce"]}Headers: (User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64), aws-sdk-java/1.11.381 Mac_OS_X/10.12.6 Java_HotSpot(TM)_64-Bit_Server_VM/25.162-b12 java/1.8.0_162 kotlin/1.1.50, amz-sdk-invocation-id: 04789aaa-5e04-0dd9-0312-a54349af8621, ) 
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.auth.AWS4Signer - AWS4 Canonical Request: '"POST
	/
	
	amz-sdk-invocation-id:04789aaa-5e04-0dd9-0312-a54349af8621
	amz-sdk-retry:0/0/500
	host:sts.amazonaws.com
	user-agent:Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64), aws-sdk-java/1.11.381 Mac_OS_X/10.12.6 Java_HotSpot(TM)_64-Bit_Server_VM/25.162-b12 java/1.8.0_162 kotlin/1.1.50
	x-amz-date:20180821T102129Z
	
	amz-sdk-invocation-id;amz-sdk-retry;host;user-agent;x-amz-date
	c9fa1aa513c562acf153b170479c4fac49b1f27ba31ead74652b981891462c41"
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.auth.AWS4Signer - AWS4 String to Sign: '"AWS4-HMAC-SHA256
	20180821T102129Z
	20180821/us-east-1/sts/aws4_request
	1d877aba07ebc5aa17e64157fd41cfc71e22ea7e4986cb30d752d76252d3e843"
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://sts.amazonaws.com:443][total kept alive: 0; route allocated: 0 of 1; total allocated: 0 of 1]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 3][route: {s}->https://sts.amazonaws.com:443][total kept alive: 0; route allocated: 1 of 1; total allocated: 1 of 1]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://sts.amazonaws.com:443
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to sts.amazonaws.com/54.239.29.25:443
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - connecting to sts.amazonaws.com/54.239.29.25:443
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - Connecting socket to sts.amazonaws.com/54.239.29.25:443 with timeout 30000
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - socket.getSupportedProtocols(): [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2], socket.getEnabledProtocols(): [TLSv1, TLSv1.1, TLSv1.2]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - TLS protocol enabled for SSL handshake: [TLSv1.2, TLSv1.1, TLSv1]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - Starting handshake
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory - Secure session established
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory -  negotiated protocol: TLSv1.2
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory -  peer principal: CN=sts.amazonaws.com
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory -  peer alternative names: [sts.amazonaws.com]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.http.conn.ssl.SdkTLSSocketFactory -  issuer principal: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.internal.SdkSSLSocket - created: sts.amazonaws.com/54.239.29.25:443
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 192.168.1.5:50305<->54.239.29.25:443
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-3: set socket timeout to 30000
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request POST / HTTP/1.1
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> POST / HTTP/1.1
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Host: sts.amazonaws.com
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Authorization: AWS4-HMAC-SHA256 Credential=/20180821/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-retry;host;user-agent;x-amz-date, Signature=09d501d8b8128c0e3f4bf9267d1123ad27527379a5b3df6337b2f8d480f7fde8
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> X-Amz-Date: 20180821T102129Z
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> User-Agent: Cyberduck/6.7.0.28613 (Mac OS X/10.12.6) (x86_64), aws-sdk-java/1.11.381 Mac_OS_X/10.12.6 Java_HotSpot(TM)_64-Bit_Server_VM/25.162-b12 java/1.8.0_162 kotlin/1.1.50
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> amz-sdk-invocation-id: 04789aaa-5e04-0dd9-0312-a54349af8621
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> amz-sdk-retry: 0/0/500
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Content-Type: application/x-www-form-urlencoded; charset=utf-8
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Content-Length: 139
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Connection: Keep-Alive
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 >> Accept-Encoding: gzip,deflate
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 << HTTP/1.1 403 Forbidden
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 << x-amzn-RequestId: f80e17c8-a52b-11e8-a14a-1d86bc863e4e
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 << Content-Type: text/xml
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 << Content-Length: 306
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.headers - http-outgoing-3 << Date: Tue, 21 Aug 2018 10:21:29 GMT
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 3][route: {s}->https://sts.amazonaws.com:443] can be kept alive for 60.0 seconds
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-3: set socket timeout to 0
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 3][route: {s}->https://sts.amazonaws.com:443][total kept alive: 1; route allocated: 1 of 1; total allocated: 1 of 1]
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG com.amazonaws.request - Received error response: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.Session - Connection did close to Host{credentials=Credentials{user='DPMProdMaster-RO', token='', identity=null}, hostname='s3.amazonaws.com', defaultpath='redacted-bucket-name', port=443, protocol=Profile{parent=s3, image=null}}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.core.threading.DefaultFailureDiagnostics - Determine cause for failure ch.cyberduck.core.exception.LoginFailureException{detail='The security token included in the request is invalid.', cause='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)', message='Login failed'}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] WARN  ch.cyberduck.core.threading.AbstractRetryCallable - No retry for failure ch.cyberduck.core.exception.LoginFailureException{detail='The security token included in the request is invalid.', cause='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)', message='Login failed'}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] WARN  ch.cyberduck.core.threading.BackgroundCallable - Failure running background task Login failed
	
	java.lang.Exception
		at ch.cyberduck.core.threading.BackgroundCallable.<init>(BackgroundCallable.java:38)
		at ch.cyberduck.core.threading.DefaultBackgroundExecutor.execute(DefaultBackgroundExecutor.java:66)
		at ch.cyberduck.core.AbstractController.background(AbstractController.java:78)
		at ch.cyberduck.ui.cocoa.controller.BrowserController$27.run(BrowserController.java:3053)
		at ch.cyberduck.ui.cocoa.controller.BrowserController$30.run(BrowserController.java:3173)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.disconnect(BrowserController.java:3197)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.doUnmount(BrowserController.java:3160)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.unmount(BrowserController.java:3151)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.unmount(BrowserController.java:3106)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.mount(BrowserController.java:3048)
		at ch.cyberduck.ui.cocoa.controller.BrowserController.connectBookmarkButtonClicked(BrowserController.java:1801)
		at ch.cyberduck.ui.cocoa.controller.BrowserController$11.tableRowDoubleClicked(BrowserController.java:1534)
		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.lang.reflect.Method.invoke(Method.java:498)
		at org.rococoa.internal.OCInvocationCallbacks.callMethod(OCInvocationCallbacks.java:171)
		at org.rococoa.internal.OCInvocationCallbacks.access$200(OCInvocationCallbacks.java:53)
		at org.rococoa.internal.OCInvocationCallbacks$2.callback(OCInvocationCallbacks.java:83)
		at sun.reflect.GeneratedMethodAccessor10.invoke(Unknown Source)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.lang.reflect.Method.invoke(Method.java:498)
		at com.sun.jna.CallbackReference$DefaultCallbackProxy.invokeCallback(CallbackReference.java:485)
		at com.sun.jna.CallbackReference$DefaultCallbackProxy.callback(CallbackReference.java:515)
		at com.sun.jna.Native.invokeVoid(Native Method)
		at com.sun.jna.Function.invoke(Function.java:374)
		at com.sun.jna.Function.invoke(Function.java:323)
		at com.sun.jna.Function.invoke(Function.java:275)
		at org.rococoa.internal.MsgSendHandler.invoke(MsgSendHandler.java:111)
		at com.sun.jna.Library$Handler.invoke(Library.java:234)
		at com.sun.proxy.$Proxy0.syntheticSendMessage(Unknown Source)
		at org.rococoa.Foundation.send(Foundation.java:209)
		at org.rococoa.Foundation.send(Foundation.java:195)
		at org.rococoa.internal.ObjCObjectInvocationHandler.sendOnThisOrMainThread(ObjCObjectInvocationHandler.java:270)
		at org.rococoa.internal.ObjCObjectInvocationHandler.invokeCocoa(ObjCObjectInvocationHandler.java:233)
		at org.rococoa.internal.ObjCObjectInvocationHandler.intercept(ObjCObjectInvocationHandler.java:192)
		at ch.cyberduck.binding.application.NSApplication$$ByRococoa.run(<generated>)
		at ch.cyberduck.ui.cocoa.MainApplication.main(MainApplication.java:116)
	Caused by: ch.cyberduck.core.exception.LoginFailureException{detail='The security token included in the request is invalid.', cause='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)', message='Login failed'}
		at ch.cyberduck.core.sts.STSCredentialsConfigurator.configure(STSCredentialsConfigurator.java:152)
		at ch.cyberduck.core.s3.S3Session.login(S3Session.java:228)
		at ch.cyberduck.core.KeychainLoginService.authenticate(KeychainLoginService.java:128)
		at ch.cyberduck.core.LoginConnectionService.authenticate(LoginConnectionService.java:163)
		at ch.cyberduck.core.LoginConnectionService.connect(LoginConnectionService.java:154)
		at ch.cyberduck.core.LoginConnectionService.check(LoginConnectionService.java:101)
		at ch.cyberduck.core.pool.StatelessSessionPool.borrow(StatelessSessionPool.java:59)
		at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:119)
		at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:104)
		at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:48)
		at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:106)
		at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:102)
		at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:61)
		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
		at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:58)
		at java.lang.Thread.run(Thread.java:748)
	Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1640)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
		at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
		at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
		at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
		at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
		at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
		at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
		at ch.cyberduck.core.sts.STSCredentialsConfigurator.configure(STSCredentialsConfigurator.java:143)
		... 17 more
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [background-11] INFO  ch.cyberduck.core.threading.SessionBackgroundAction - Run alert callback ch.cyberduck.ui.cocoa.callback.PromptAlertCallback@2d60616c for failure ch.cyberduck.core.exception.LoginFailureException{detail='The security token included in the request is invalid.', cause='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)', message='Login failed'}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.core.threading.DefaultFailureDiagnostics - Determine cause for failure ch.cyberduck.core.exception.LoginFailureException{detail='The security token included in the request is invalid.', cause='com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f80e17c8-a52b-11e8-a14a-1d86bc863e4e)', message='Login failed'}
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method methodForSelector for selector:methodForSelector:
Aug 21 11:21:29 --- last message repeated 5 times ---
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidChangeBackingProperties for selector:windowDidChangeBackingProperties:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillMove for selector:windowWillMove:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillExitVersionBrowser for selector:windowWillExitVersionBrowser:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidUpdate for selector:windowDidUpdate:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidResize for selector:windowDidResize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidMiniaturize for selector:windowDidMiniaturize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidEnterFullScreen for selector:windowDidEnterFullScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidExitFullScreen for selector:windowDidExitFullScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidChangeOcclusionState for selector:windowDidChangeOcclusionState:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidMove for selector:windowDidMove:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidEndSheet for selector:windowDidEndSheet:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillOrderOffScreen for selector:windowWillOrderOffScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidOrderOnScreen for selector:windowDidOrderOnScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidExpose for selector:windowDidExpose:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidEndLiveResize for selector:windowDidEndLiveResize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillMiniaturize for selector:windowWillMiniaturize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidExitVersionBrowser for selector:windowDidExitVersionBrowser:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidOrderOffScreen for selector:windowDidOrderOffScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillEnterVersionBrowser for selector:windowWillEnterVersionBrowser:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidChangeScreenProfile for selector:windowDidChangeScreenProfile:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidEnterVersionBrowser for selector:windowDidEnterVersionBrowser:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidDeminiaturize for selector:windowDidDeminiaturize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillOrderOnScreen for selector:windowWillOrderOnScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowDidChangeScreen for selector:windowDidChangeScreen:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillStartLiveResize for selector:windowWillStartLiveResize:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method validRequestorForSendType_returnType for selector:validRequestorForSendType:returnType:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method windowWillReturnFieldEditor_toObject for selector:windowWillReturnFieldEditor:toObject:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method window_willEncodeRestorableState for selector:window:willEncodeRestorableState:
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.binding.WindowController - Attach sheet for window <NSWindow: 0x6080001fc000>
Aug 21 11:21:29 lon-mp6qf Cyberduck[920]: [main] DEBUG org.rococoa.callback - No method window_willPositionSheet_usingRect for selector:window:willPositionSheet:usingRect:
Aug 21 11:21:30 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.binding.WindowController - Resign key for window <NSWindow: 0x6080001fc000>
Aug 21 11:21:30 lon-mp6qf Cyberduck[920]: [main] DEBUG ch.cyberduck.binding.WindowController - Become key for window <NSPanel: 0x6080003e4f00>
Aug 21 11:21:30 lon-mp6qf Cyberduck[920]: [background-11] DEBUG ch.cyberduck.binding.SheetInvoker - Await sheet dismiss
Aug 21 11:21:35 lon-mp6qf Cyberduck[920]: [java-sdk-http-connection-reaper] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Closing connections idle longer than 60000 MILLISECONDS
Aug 21 11:21:35 lon-mp6qf syslogd[51]: ASL Sender Statistics
Aug 21 11:21:35 lon-mp6qf Cyberduck[920]: [java-sdk-http-connection-reaper] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Closing connections idle longer than 60000 MILLISECONDS

[cyberduck]

@dkocher commented

We try to obtain a new session token from AWS STS using the credentials in the AWS CLI profile named DPMProdMaster-RO but you suggest that we should just connect with the already given credentials saved in the profile. This happens because we detect the DPMProdMaster-RO profile to be a role based configuration (logged via Configure credentials from role based profile DPMProdMaster-RO) because we find the configuration option role_arn set. Please try to remove this property and only include aws_access_key_id, aws_secret_access_key and aws_session_token when generating the entry from your script.

[cyberduck]

49f3158 commented

If I'm reading this right, you suggest we remove the profile DPMProdMaster-RO and the role_arn from the credentials file?
The Access key, secret key and session token are usable for multiple roles as they are cross account roles. Without a role defined, we would not be able to specify which account we want to look at S3 for.
I've also tried removing the DPMProd... profile and added the role_arn under the default profile also, however the error is still the same.

Using no role in the credentials file and specifying default in the cyerduck profile config - I get listing directory denied (which is expected).
The keys are for an authentication AWS account, which has access to assume the role DPMProdMaster-RO, which is in another account.
Am I to assume that the nifty new temporary credentials feature does not work with cross account/role based access?

[cyberduck]

@dkocher commented

Cross account/role based access should work. Not sure if I can follow but I want to clarify what we attempt in the different configuration deployment scenarios:

• If a role based profile is found (with role_arn), we will issue a AssumeRoleRequestrequest to STS to obtain credentials.
• For basic profiles we read aws_access_key_id, aws_secret_access_key and aws_session_token and authenticate without STS.
• For basic profiles with no aws_session_token but Token Configurable set in the connection profile we obtain the credentials using a GetSessionTokenRequest from STS (we do not currently advertise such a profile on (https://cyberduck.io/s3/))

[cyberduck]

49f3158 commented

Ok, so this is how we are setup to work:

• We run a script on terminal which authenticates us against company SSO, and goes off to STS to retrieve the credentials (access key, secret key and session token). These are then automatically placed in the .aws/credentials file.

• We then use a cross account role (DPMProdMaster-RO) to try to access the S3 in a different account to the one which the credentials are for (works for aws cli access), so we know that the credentials work, and that they are capable of use with the cross account roles.

So we need a profile which will verify the existing session token and credentials in the aws credentials file, and allow us to use a cross account role with them.
Hope this makes sense!

[cyberduck]

@dkocher commented

Thanks for your clarifications and patience with me ;) From my understanding now the bug is, that we do not include the session token when making the AssumeRoleRequest to obtain the cross account credentials from STS.

[cyberduck]

49f3158 commented

Yes I agree with that bug/conclusion summary. Thanks for waiting out for the full details/results!

[cyberduck]

@dkocher commented

In b5ce269. Please update to the latest snapshot build available and let me know if it works.

[cyberduck]

@dkocher commented

Please revoke the access key `` exposed in the log output.

[cyberduck]

49f3158 commented

Access key revoked in log (woops, missed that one)
I've downloaded the snapshot and tested it and it works! Fantastic!

I've added the DPMProdMaster-RO profile back into the credentials file with the role_arn specified, and source_profile as default, and everything is looking good!

Thanks for the quick turnaround!

[cyberduck]

@dkocher commented

Milestone renamed