Cyberduck Mountain Duck CLI

#10989 assigned defect

Authorization header is malformed error using the STS connection profile for preconfigured settings

Reported by: saikarthikp Owned by: saikarthikp
Priority: normal Milestone:
Component: s3 Version: 7.2.4
Severity: normal Keywords:
Cc: Architecture:
Platform: Linux

Description

I am trying to access files in an S3 bucket by assuming a role from the ~/.aws/credentials file. The credential file contains a profile called test-user with a role arn specified.

I have downloaded the preconfigured .cyberduckprofile file for STS from https://cyberduck.io/s3/:

<?xml version="1.0" encoding="UTF-8"?>
<!…>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Protocol</key>
        <string>s3</string>
        <key>Vendor</key>
        <string>s3-token</string>
        <key>Description</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Default Nickname</key>
        <string>S3 (Credentials from AWS Security Token Service)</string>
        <key>Username Placeholder</key>
        <string>testuser</string>
        <key>Password Configurable</key>
        <false/>
        <key>Token Configurable</key>
        <false/>
        <key>Anonymous Configurable</key>
        <false/>
    </dict>
</plist>

I placed this file at /opt/duck/app/

I am trying to run the following command:

duck --list s3:/test-ecs-bucket-01/ --profile sts.cyberduckprofile --verbose

I get the following output:

S3 connection opened…
> GET /?versioning HTTP/1.1
> Date: Mon, 09 Mar 2020 17:04:56 GMT
> x-amz-request-payer: requester
> x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Host: test-ecs-bucket-01.s3.amazonaws.com
> x-amz-date: 20200309T170456Z
> Authorization: ********
> Connection: Keep-Alive
> User-Agent: Cyberduck/7.2.8-SNAPSHOT.32437 (Linux/4.14.165-131.185.amzn2.x86_64) (amd64)
< HTTP/1.1 400 Bad Request
< x-amz-request-id: 72E387F1284515E4
< x-amz-id-2: wXtPQM97Ti/koK6HlSc8KC/TRM3DaiXlRS/kYKAgIwMcaUlOf2xgwa6xPnjl4PByUnocBftaRPQ=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 09 Mar 2020 17:04:56 GMT
< Connection: close
< Server: AmazonS3
> GET /?encoding-type=url&max-keys=1000&prefix&delimiter=%2F HTTP/1.1
> Date: Mon, 09 Mar 2020 17:04:57 GMT
> x-amz-request-payer: requester
> x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> Host: test-ecs-bucket-01.s3.amazonaws.com
> x-amz-date: 20200309T170457Z
> Authorization: ********
> Connection: Keep-Alive
> User-Agent: Cyberduck/7.2.8-SNAPSHOT.32437 (Linux/4.14.165-131.185.amzn2.x86_64) (amd64)
< HTTP/1.1 400 Bad Request
< x-amz-bucket-region: us-west-2
< x-amz-request-id: 22DD49F51B2F7CF7
< x-amz-id-2: hZrnwHQYYlsHwaRXL4tzmxibIlOIfQqT5JCMc+YWFuxlqmBSsutSCrWUCaKkNJChWGX+uYaQj3g=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 09 Mar 2020 17:04:57 GMT
< Connection: close
Disconnecting s3.amazonaws.com…

Listing directory test-ecs-bucket-01 failed. The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential. Please contact your web hosting service provider for assistance.

Additional Information: I have tried this on Linux CentOS and Amazon Linux2 AMI on EC2 instances.

How can I debug this issue?

Change History (3)

comment:1 Changed on Mar 9, 2020 at 5:21:31 PM by saikarthikp

  • Owner set to saikarthikp
  • Status changed from new to assigned

comment:2 Changed on Mar 13, 2020 at 4:32:51 PM by dkocher

  • Priority changed from high to normal
  • Severity changed from major to normal
  • Summary changed from unable to access AWS S3 bucket using the STS connection profile for preconfigured settings to Authorization header is malformed error using the STS connection profile for preconfigured settings

The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.

Can you share your obfuscated configuration in ~/.aws/credentials.

comment:3 Changed on Mar 15, 2020 at 8:35:52 AM by saikarthikp

my aws-cli commands work fine. I used this website as a template: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html aws s3 ls lists all buckets

my ~/.aws/credentials file, apart from default profile, has a profile similar to this:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
Note: See TracTickets for help on using tickets.