
The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential error using the STS connection profile for preconfigured settings #10989

Closed
cyberduck opened this issue Mar 9, 2020 · 3 comments
Labels
bug s3 AWS S3 Protocol Implementation thirdparty Issue caused by third party

Comments

@cyberduck

b96ee3e created the issue

I am trying to access files in an S3 bucket by assuming a role from the ~/.aws/credentials file.
The credential file contains a profile called test-user with a role arn specified.

I have downloaded the preconfigured .cyberduckprofile file for STS from https://cyberduck.io/s3/:

<?xml version="1.0" encoding="UTF-8"?>
<!…>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Protocol</key>
        <string>s3</string>
        <key>Vendor</key>
        <string>s3-token</string>
        <key>Description</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Default Nickname</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Username Placeholder</key>
        <string>testuser</string>
        <key>Password Configurable</key>
        <false/>
        <key>Token Configurable</key>
        <false/>
        <key>Anonymous Configurable</key>
        <false/>
    </dict>
</plist>

I placed this file at /opt/duck/app/.

I am trying to run the following command:

duck --list s3:/test-ecs-bucket-01/ --profile sts.cyberduckprofile --verbose

I get the following output:

S3 connection opened…
> GET /?versioning HTTP/1.1
> Date: Mon, 09 Mar 2020 17:04:56 GMT
> x-amz-request-payer: requester
> x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Host: test-ecs-bucket-01.s3.amazonaws.com
> x-amz-date: 20200309T170456Z
> Authorization: ********
> Connection: Keep-Alive
> User-Agent: Cyberduck/7.2.8-SNAPSHOT.32437 (Linux/4.14.165-131.185.amzn2.x86_64) (amd64)
< HTTP/1.1 400 Bad Request
< x-amz-request-id: 72E387F1284515E4
< x-amz-id-2: wXtPQM97Ti/koK6HlSc8KC/TRM3DaiXlRS/kYKAgIwMcaUlOf2xgwa6xPnjl4PByUnocBftaRPQ=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 09 Mar 2020 17:04:56 GMT
< Connection: close
< Server: AmazonS3
> GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1
> Date: Mon, 09 Mar 2020 17:04:57 GMT
> x-amz-request-payer: requester
> x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Host: test-ecs-bucket-01.s3.amazonaws.com
> x-amz-date: 20200309T170457Z
> Authorization: ********
> Connection: Keep-Alive
> User-Agent: Cyberduck/7.2.8-SNAPSHOT.32437 (Linux/4.14.165-131.185.amzn2.x86_64) (amd64)
< HTTP/1.1 400 Bad Request
< x-amz-bucket-region: us-west-2
< x-amz-request-id: 22DD49F51B2F7CF7
< x-amz-id-2: hZrnwHQYYlsHwaRXL4tzmxibIlOIfQqT5JCMc+YWFuxlqmBSsutSCrWUCaKkNJChWGX+uYaQj3g=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 09 Mar 2020 17:04:57 GMT
< Connection: close
Disconnecting s3.amazonaws.com…

Listing directory test-ecs-bucket-01 failed. The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential. Please contact your web hosting service provider for assistance.

Additional Information:
I have tried this on Linux CentOS and Amazon Linux2 AMI on EC2 instances.

How can I debug this issue?

@cyberduck

@dkocher commented

The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.
Can you share your obfuscated configuration in ~/.aws/credentials?

@cyberduck

b96ee3e commented

My aws-cli commands work fine. I used this website as a template: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
aws s3 ls lists all buckets.

My ~/.aws/credentials file, apart from the default profile, has a profile similar to this:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

@cyberduck

@dkocher commented

The issue is probably with credential_source = Ec2InstanceMetadata, which we do not support. Maybe you can get this to work using our S3 (Credentials from Instance Metadata) profile instead? See Connecting with temporary access credentials (Token) from EC2.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 27, 2021
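
A way to check a profile for the condition discussed in this thread, as an added example (not part of the original issue and not Cyberduck code): it resolves where each profile's base credentials come from and flags profiles such as the quoted marketingadmin one, whose keys are not in the file at all. The sample file (apart from the marketingadmin section), the function names, and the idea that a client signs with an empty key when it cannot resolve `credential_source` are assumptions made for illustration.

```python
import configparser

# Constructed sample; only the marketingadmin section mirrors the thread.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata

[teamrole]
role_arn = arn:aws:iam::123456789012:role/teamrole
source_profile = default
"""

def load(text):
    """Parse AWS shared config/credentials text into {profile_name: settings}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    # ~/.aws/config names sections "profile <name>"; strip the prefix for lookups.
    return {(s[8:] if s.startswith("profile ") else s).strip(): dict(cp[s])
            for s in cp.sections()}

def base_credentials(profiles, name, seen=()):
    """Return (kind, value): the source of the keys used directly or to assume the role."""
    p = profiles.get(name)
    if p is None or name in seen:          # missing profile or source_profile loop
        return ("unresolvable", name)
    if p.get("aws_access_key_id"):         # static key stored in the file
        return ("static", p["aws_access_key_id"])
    if "source_profile" in p:              # follow the chain to another profile
        return base_credentials(profiles, p["source_profile"], seen + (name,))
    if "credential_source" in p:           # keys come from outside the file
        return ("external", p["credential_source"])
    return ("unresolvable", name)

def credential_component(akid, date="20200309", region="us-west-2"):
    """Credential= part of a SigV4 Authorization header for S3."""
    return "Credential=%s/%s/%s/s3/aws4_request" % (akid, date, region)

if __name__ == "__main__":
    profiles = load(SAMPLE)
    for name in profiles:
        print(name, base_credentials(profiles, name))
    # With no access key ID the field starts with "/", which is what the
    # "non-empty Access Key (AKID)" error message describes.
    print(credential_component(""))
```

A profile reported as `external` needs a client that implements that credential provider; a client that only reads keys from the file has nothing to put in the access key field.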