Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Temporary tokens (credentials from AWS STS) do not work with AWS GovCloud S3 #10594

Closed
cyberduck opened this issue Feb 3, 2019 · 10 comments
Closed

Comments

@cyberduck
Copy link
Collaborator

@cyberduck cyberduck commented Feb 3, 2019

e51fc8f created the issue

The S3(Credentials from AWS Security Token Service) profile (​https://svn.cyberduck.io/trunk/profiles/S3%20(Credentials%20from%20AWS%20Security%20Token%20Service).cyberduckprofile) does not work with AWS GovCloud accounts. Cyberduck gets into a loop where it says "Authenticating as publish_profile" followed by "Login failed". I also tried using the AWS GovCloud profile (https://svn.cyberduck.io/trunk/profiles/S3%20Gov%20Cloud.cyberduckprofile), but it doesn't support temporary tokens. I also tried creating my own profile merging 'S3(Credentials from AWS Security Token Service)* and *AWS GovCloud'' but that didn't work either. Here is the custom profile I tried out:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (c) 2002-2018 iterate GmbH. All rights reserved.
  ~ https://cyberduck.io/
  ~
  ~ This program is free software; you can redistribute it and/or modify
  ~ it under the terms of the GNU General Public License as published by
  ~ the Free Software Foundation, either version 3 of the License, or
  ~ (at your option) any later version.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  ~ GNU General Public License for more details.
  -->

<!DOCTYPE plist PUBLIC "_Apple_DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Protocol</key>
        <string>s3</string>
        <key>Vendor</key>
        <string>s3-token</string>
        <key>Scheme</key>
        <string>https</string>
        <key>Description</key>
        <string>AWS GovCloud S3</string>
        <key>Default Port</key>
        <string>443</string>
        <key>Default Nickname</key>
        <string>AWS GovCloud S3</string>
        <key>Default Hostname</key>
        <string>s3-us-gov-west-1.amazonaws.com</string>
        <key>Username Placeholder</key>
        <string>Profile Name</string>
        <key>Password Configurable</key>
        <false/>
        <key>Token Configurable</key>
        <false/>
        <key>Anonymous Configurable</key>
        <false/>
        <key>Region</key>
        <string>us-gov-west-1</string>
    </dict>
</plist>

This is the AWS credentials file I'm using:

[publish_profile]
output = json
region = us-gov-west-1
aws_access_key_id = AAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
aws_session_token = SSSSSSSSSS_//_////SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Is there a way to support both AWS GovCloud and S3 (Credentials from AWS Security Token Service) at the same time?

Thanks!

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 3, 2019

@dkocher commented

The auto configuration from ~/aws/credentials is currently only triggered when the hostname defaults to s3.amazonaws.com.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

e51fc8f commented

Thanks for checking! I also want to mention that there are now 2 GovCloud regions with different endpoints:

s3-us-gov-west-1.amazonaws.com
s3.us-gov-east-1.amazonaws.com

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

@ylangisc commented

Fixed in 43fbb35.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

e51fc8f commented

Replying to [comment:4 yla]:

Fixed in 43fbb35.

Thanks a lot! Two questions:

  1. When will the update make it to a snapshot release?
  2. Is there a way to configure a default value for the Profile Name in ~/.aws/credentials in the .cyberduckprofile file?

Thanks!

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

@dkocher commented

Replying to [comment:3 cduser]:

Thanks for checking! I also want to mention that there are now 2 GovCloud regions with different endpoints:

s3-us-gov-west-1.amazonaws.com
s3.us-gov-east-1.amazonaws.com

Added profile in 7d0edce.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

@dkocher commented

A new snapshot build has now been published. Please comment on this ticket if the issue is resolved (or reopen) as we cannot fully test this ourselves.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

e51fc8f commented

Replying to [comment:7 dkocher]:

A new snapshot build has now been published. Please comment on this ticket if the issue is resolved (or reopen) as we cannot fully test this ourselves.

Hi dkocher,

I can help with the testing. Unfortunately I'm still having issues, but its looking better.

This is what I'm doing:

I'm using the following profile:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (c) 2002-2018 iterate GmbH. All rights reserved.
  ~ https://cyberduck.io/
  ~
  ~ This program is free software; you can redistribute it and/or modify
  ~ it under the terms of the GNU General Public License as published by
  ~ the Free Software Foundation, either version 3 of the License, or
  ~ (at your option) any later version.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  ~ GNU General Public License for more details.
  -->

<!DOCTYPE plist PUBLIC "_Apple_DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Protocol</key>
        <string>s3</string>
        <key>Vendor</key>
        <string>s3-token</string>
        <key>Description</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Default Nickname</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Username Placeholder</key>
        <string>Profile Name in ~/.aws/credentials</string>
        <key>Password Configurable</key>
        <false/>
        <key>Token Configurable</key>
        <false/>
        <key>Anonymous Configurable</key>
        <false/>
        <key>Region</key>
        <string>us-gov-west-1</string>
    </dict>
</plist>

When adding the profile to cyberduck I setServer to s3-us-gov-west-1.amazonaws.com and Profile Name in ~/.aws/credentials to cyberduck. I then get new temporary credentials from AWS and put them in my ~/.aws/credentials file like this:

[cyberduck]
output = json
region = us-gov-west-1
aws_access_key_id = AAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
aws_session_token = SSSSSSSSSS_//_////SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

When I double click on the the shortcut in cyberduck I see Authenticating as cyberduck in the lower left corner with a spinning icon, but it never connects. If I try to close cyberduck it gets locked up and I have to force quit. Is there a way to enable debug logs?

Thank you for all your help and prompt response!

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

@dkocher commented

The error I can reproduce here is

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AuthorizationHeaderMalformed</Code><Message>The authorization header is malformed; the region 'us-gov-west-1' is wrong; expecting 'us-east-1'</Message><Region>us-east-1</Region><RequestId>6DC92B83F187052E</RequestId><HostId>/i/KpB+I0jY/luCGm6wHoW5YJjdxMYTknIMe9rYtCMInebV+rJBtiI8b9sK7NXfOzS+n0wuMUTQ=</HostId></Error>

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 4, 2019

@dkocher commented

Fix regression in ab5c312.

Loading

@cyberduck cyberduck closed this Feb 4, 2019
@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Feb 5, 2019

e51fc8f commented

Replying to [comment:11 dkocher]:

Fix regression in ab5c312.

Great! The AWS GovCloud S3 login issues are fixed. I can now log in (using the configuration in the credentials file) and see the directory listing. Unfortunately I run into an error when trying to download files or directories. Since I get the same error using the normal access keys, I created a new ticket #10596.

Thanks!

Loading

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants