
#11229 closed enhancement (fixed)

AssumeRole doesn't use the external_id value

Reported by: VelociBison
Owned by: dkocher
Priority: normal
Milestone: 7.7
Component: s3
Version: 7.6.2
Severity: normal
Keywords:
Cc:
Architecture: Intel
Platform: Windows 10

Description (last modified by dkocher)

Hello,

CyberDuck fails to do an AWS IAM AssumeRole when trying to use S3 because it doesn't pass along the external_id value from the ~/.aws/credential profile.

I'm using CyberDuck to access AWS S3 resources using an AssumeRole action. I would like to be able to use the external_id enforcement as suggested by AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

I'm not sure if you want to label this as a defect enhancement or feature. Feel free to adjust priority and severity as you see fit.

When I remove the external_id constraint on the role the AssumeRole succeeds with CyberDuck. I also verified using the same profile via the CLI with external_id enforced on the role and it succeeds so it looks to be an issue in CyberDuck.

Thank you for your time and for creating CyberDuck.

Change History (6)

comment:1 Changed on Nov 9, 2020 at 10:03:05 PM by dkocher

  • Description modified (diff)
  • Milestone set to 8.0
  • Owner set to dkocher
  • Status changed from new to assigned
  • Summary changed from AWS S3 AssumeRole doesn't use the external_id value to AssumeRole doesn't use the external_id value
  • Type changed from defect to enhancement

Thanks for reporting this issue.

comment:2 Changed on Nov 9, 2020 at 10:04:48 PM by dkocher

Can you point to the documentation of the external_id property in the ~/.aws/credential configuration?

The AWS SDK uses this property thus it looks like this is by convention.

Last edited on Nov 9, 2020 at 10:06:00 PM by dkocher

comment:3 Changed on Nov 9, 2020 at 10:11:40 PM by VelociBison

In case it helps: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles

Example cleansed from my ~/.aws/credentials file

[user-identity]
aws_access_key_id     = USER_KEY
aws_secret_access_key = USER_SECRET

[assume-role]
role_arn              = arn:aws:iam::XXXXXXXXXXXX:role/ROLE
source_profile        = user-identity
external_id           = YYYYYYYYYYYYYYYYYYYYYYYYYYY

Last edited on Nov 10, 2020 at 9:10:34 AM by dkocher
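As an added illustration (not Cyberduck's code), the following Python resolves a shared-credentials profile like the one above into STS AssumeRole parameters, carrying external_id through as ExternalId, which is the value the ticket reports was dropped. The profile values are the ticket's cleansed placeholders, and the role-session-name default is an assumption.

```python
"""Resolve a ~/.aws/credentials role profile into STS AssumeRole parameters.

Added example, not Cyberduck code. Parses the shared-credentials INI format,
follows source_profile to the long-lived key, and includes ExternalId only
when the role profile defines external_id. Omitting ExternalId is what makes
STS refuse the call when the role's trust policy enforces it.
"""
import configparser

# Constructed sample mirroring the ticket's cleansed ~/.aws/credentials file.
SAMPLE_CREDENTIALS = """
[user-identity]
aws_access_key_id     = USER_KEY
aws_secret_access_key = USER_SECRET

[assume-role]
role_arn              = arn:aws:iam::XXXXXXXXXXXX:role/ROLE
source_profile        = user-identity
external_id           = YYYYYYYYYYYYYYYYYYYYYYYYYYY
"""


def load_profiles(text):
    """Parse shared-credentials INI text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def assume_role_request(profiles, profile):
    """Return (source_credentials, params) for the given role profile.

    params is shaped like the keyword arguments of an STS AssumeRole call:
    RoleArn, RoleSessionName and, when configured, ExternalId.
    """
    role = profiles[profile]
    source = profiles[role["source_profile"]]          # long-lived identity
    params = {
        "RoleArn": role["role_arn"],
        # Assumed default; the real CLI derives a session name differently.
        "RoleSessionName": role.get("role_session_name", f"session-{profile}"),
    }
    if "external_id" in role:                           # the value the ticket says was ignored
        params["ExternalId"] = role["external_id"]
    credentials = {
        "aws_access_key_id": source["aws_access_key_id"],
        "aws_secret_access_key": source["aws_secret_access_key"],
    }
    return credentials, params
```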

comment:4 Changed on Nov 10, 2020 at 9:12:28 AM by dkocher

  • Milestone changed from 8.0 to 7.7

comment:5 Changed on Nov 10, 2020 at 9:30:03 AM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r50087.

comment:6 Changed on Nov 10, 2020 at 6:55:19 PM by VelociBison

Thank you for fixing this so quickly!
