Inconsistent authentication with AssumeRole from AWS Security Token Service (STS)

[cabutlermit]

This ticket system is to report bugs and feature requests. For support, visit the help page first.

Describe the bug

Attempts to authentication to AWS S3 Bucket using the "S3 (Credentials from AWS Command Line Interface)" profile do not consistently work. Most of the time, when using the profile to open a connection, the following error message appears:

Login failed (S3 (Credentials from AWS Command Line Interface)) The security token included in the request is invalid. Please contact your web hosting service provider for assistance.

I am following the instructions from this: https://docs.cyberduck.io/protocols/s3/#connecting-using-assumerole-from-aws-security-token-service-sts. I have bookmarks to S3 buckets stored in CyberDuck and when trying to open those bookmarks, the connection fails with the same error message.

This was working properly in an earlier version (9.0.x) but no longer works consistently.

To Reproduce
Steps to reproduce the behavior:

1. Open Terminal, run aws sso login --profile <profile_name>
2. In Terminal, run aws sts get-caller-identity --profile <profile_name>
3. Open CyberDuck, click the Open Connection button.
4. Select "S3 (Credentials from AWS Command Line Interface)" profile.
5. Type <profile_name> in the "Profile Name in ~/.aws/..." field, then click the Connect button
6. See error

Expected behavior
After clicking the "Connect" button, I should see the list of S3 buckets in the AWS Account.

It is possible to get the connection to work sometimes, by going through the following process.

1. Close the error message window.
2. Click the Open Connection button again.
3. Click the "S3 (Credentials from AWS Command Line Interface)" option in the drop-down menu.
4. Click the "S3 (Credentials from AWS Command Line Interface)" option again (to select it again, even though it was already selected)
5. (the profile name should still be in the field, so there is no need to re-type it)
6. Click the Connect button
7. See the list of S3 buckets in the window!

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: macOS (15.7.1)
• Version CyberDuck v9.3.0

Log Files

Here's the snippet from a failed authentication:

2025-11-25 15:56:18,417 [Thread-68] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request POST / HTTP/1.1
2025-11-25 15:56:18,417 [Thread-68] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
2025-11-25 15:56:18,475 [Thread-68] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
2025-11-25 15:56:18,475 [Thread-68] DEBUG com.amazonaws.retry.ClockSkewAdjuster - Reported server date (from 'Date' header): Tue, 25 Nov 2025 20:56:18 GMT
2025-11-25 15:56:18,480 [Thread-68] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 2][route: {s}->https://sts.amazonaws.com:443] can be kept alive for 60.0 seconds
2025-11-25 15:56:18,481 [Thread-68] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-2: set socket timeout to 0
2025-11-25 15:56:18,481 [Thread-68] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 2][route: {s}->https://sts.amazonaws.com:443][total available: 1; route allocated: 1 of 1; total allocated: 1 of 1]
2025-11-25 15:56:18,498 [Thread-68] DEBUG com.amazonaws.request - Received error response: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 22e5b2ea-6ecd-4839-a71d-2c83e2e44122; Proxy: null)
2025-11-25 15:56:18,498 [Thread-68] DEBUG com.amazonaws.retry.ClockSkewAdjuster - Reported server date (from 'Date' header): Tue, 25 Nov 2025 20:56:18 GMT
2025-11-25 15:56:18,500 [Thread-68] WARN  ch.cyberduck.core.sts.STSExceptionMappingService - Map failure com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: The security token included in the request is invalid. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 22e5b2ea-6ecd-4839-a71d-2c83e2e44122; Proxy: null)
2025-11-25 15:56:18,500 [Thread-68] DEBUG ch.cyberduck.core.KeychainLoginService - Login failed for Session{host=Host{protocol=Profile{parent=Profile{parent=s3, vendor=iterate GmbH, description=null, image=null}, vendor=s3-cli, description=S3 (Credentials from AWS Command Line Interface), image=null}, region='null', port=443, hostname='s3.amazonaws.com', credentials=Credentials{user='PROFILENAME', password='', tokens='TemporaryAccessTokens{accessKeyId='********', secretAccessKey='', sessionToken='', expiryInMilliseconds=-1}', oauth='OAuthTokens{accessToken='', refreshToken='', idToken='', expiryInMilliseconds=-1}', identity=null, properties={}}, uuid='10bd4d19-1234-abcd-1234-e346130f6b85', nickname='null', defaultpath='null', workdir=null, custom=null, labels=null}, state=open}
2025-11-25 15:56:18,503 [Thread-68] DEBUG ch.cyberduck.core.KeychainLoginService - Reset credentials for Host{protocol=Profile{parent=Profile{parent=s3, vendor=iterate GmbH, description=null, image=null}, vendor=s3-cli, description=S3 (Credentials from AWS Command Line Interface), image=null}, region='null', port=443, hostname='s3.amazonaws.com', credentials=Credentials{user='PROFILENAME', password='', tokens='TemporaryAccessTokens{accessKeyId='********', secretAccessKey='', sessionToken='', expiryInMilliseconds=-1}', oauth='OAuthTokens{accessToken='', refreshToken='', idToken='', expiryInMilliseconds=-1}', identity=null, properties={}}, uuid='10bd4d19-1234-abcd-1234-e346130f6b85', nickname='null', defaultpath='null', workdir=null, custom=null, labels=null}

Here's the snippet from a successful authentication:

2025-11-25 15:56:27,374 [Thread-81] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request POST / HTTP/1.1
2025-11-25 15:56:27,374 [Thread-81] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
2025-11-25 15:56:27,426 [Thread-81] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
2025-11-25 15:56:27,426 [Thread-81] DEBUG com.amazonaws.retry.ClockSkewAdjuster - Reported server date (from 'Date' header): Tue, 25 Nov 2025 20:56:27 GMT
2025-11-25 15:56:27,453 [Thread-81] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 4][route: {s}->https://sts.amazonaws.com:443] can be kept alive for 60.0 seconds
2025-11-25 15:56:27,453 [Thread-81] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-4: set socket timeout to 0
2025-11-25 15:56:27,453 [Thread-81] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 4][route: {s}->https://sts.amazonaws.com:443][total available: 1; route allocated: 1 of 1; total allocated: 1 of 1]
2025-11-25 15:56:27,453 [Thread-81] DEBUG com.amazonaws.request - Received successful response: 200, AWS Request ID: e468c914-46dc-4cd7-a76b-9ce7b152a8ba
2025-11-25 15:56:27,453 [Thread-81] DEBUG com.amazonaws.requestId - x-amzn-RequestId: e468c914-46dc-4cd7-a76b-9ce7b152a8ba
2025-11-25 15:56:27,453 [Thread-81] DEBUG ch.cyberduck.core.sts.STSAuthorizationService - Successfully verified credentials for {UserId: ABDCABCD12341234ABCD:USERNAME@domain.tld,Account: 123456781234,Arn: arn:aws:sts::123456781234:assumed-role/AWSReservedSSO_ROLENAME_randomstring/USERNAME@domain.tld}

Additional context
Add any other context about the problem here.

[dkocher]

It looks like the S3 (Credentials from AWS Command Line Interface) profile installed is missing a recent configuration change ¹ now required. Can you open Preferences → Profiles which should sync the latest version. You can verify on disk with

md5sum ~/Library/Group\ Containers/G69SCX94XU.duck/Library/Application\ Support/duck/Profiles/S3\ \(Credentials\ from\ AWS\ Command\ Line\ Interface\).cyberduckprofile 

The output should match ee93d6f70890eb8b1adfb4aa0d8a2177.

• STS profiles profiles#160

Footnotes

1. https://github.com/iterate-ch/profiles/pull/160 ↩

[cabutlermit]

It looks like the S3 (Credentials from AWS Command Line Interface) profile installed is missing a recent configuration change 1 now required. Can you open Preferences → Profiles which should sync the latest version. You can verify on disk with

md5sum ~/Library/Group\ Containers/G69SCX94XU.duck/Library/Application\ Support/duck/Profiles/S3\ \(Credentials\ from\ AWS\ Command\ Line\ Interface\).cyberduckprofile 

The output should match ee93d6f70890eb8b1adfb4aa0d8a2177.

* [ ]  [STS profiles profiles#160](https://github.com/iterate-ch/profiles/pull/160)

Footnotes

1. https://github.com/iterate-ch/profiles/pull/160 [↩](#user-content-fnref-1-336542d841dd7c48ccea314d9c95b624)

That was it! the md5 of my file was different, so I checked and it still had <false> in that line instead of true. When I updated the file per the PR you linked to, everything worked as expected.

I was still using the file I had downloaded a while ago from the docs.cyberduck.io documentation page. I just used the link from the current version of that page and I see that it has been updated.

Thanks so much for your investigation into this! From my perspective, this issue can be closed.