Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AssumeRole doesn't use the external_id value #11229

Closed
cyberduck opened this issue Nov 9, 2020 · 6 comments
Closed

AssumeRole doesn't use the external_id value #11229

cyberduck opened this issue Nov 9, 2020 · 6 comments

Comments

@cyberduck
Copy link
Collaborator

@cyberduck cyberduck commented Nov 9, 2020

6a74f0f created the issue

Hello,

CyberDuck fails to do an AWS IAM AssumeRole when trying to use S3 because it doesn't pass along the external_id value from the ~/.aws/credential profile.

I'm using CyberDuck to access AWS S3 resources using an AssumeRole action. I would like to be able to use the external_id enforcement as suggested by AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

I'm not sure if you want to label this as a defect enhancement or feature. Feel free to adjust priority and severity as you see fit.

When I remove the external_id constraint on the role the AssumeRole succeeds with CyberDuck. I also verified using the same profile via the CLI with external_id enforced on the role and it succeeds so it looks to be an issue in CyberDuck.

Thank you for your time and creating CyberDuck

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 9, 2020

@dkocher commented

Thanks for reporting this issue.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 9, 2020

@dkocher commented

~~Can you point to the documentation of the external_id property in the ~/.aws/credential configuration?~~

The AWS SDK uses this property thus it looks like this is by convention.

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 9, 2020

6a74f0f commented

In case it helps: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles

Example cleansed from my ~/.aws/credentials file

[user-identity]
aws_access_key_id     = USER_KEY
aws_secret_access_key = USER_SECRET

[assume-role]
role_arn              = arn:aws:iam::XXXXXXXXXXXX:role/ROLE
source_profile        = user-identity
external_id           = YYYYYYYYYYYYYYYYYYYYYYYYYYY

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 10, 2020

@dkocher commented

In e06c63b.

Loading

@cyberduck cyberduck closed this Nov 10, 2020
@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Nov 10, 2020

6a74f0f commented

Thank you for fixing this so quickly!

Loading

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Dec 30, 2020

@dkocher commented

Milestone renamed

Loading

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 27, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants