stackoom
  简体   繁体   中英

AWS S3 and Cyberduck and MFA

 原文  2021-06-02 07:37:21       amazon-web-services/ amazon-s3/ aws-policies/ cyberduck

Question

We have a policy in place for our users to limit them access to AWS without having MFA enabled on their account. So currently everyone is forced to enable MFA on their account and use that whenever they login to AWS and need to access anything. This all works ok and no issue.

The problem we have is we use Cyberduck to access our AWS S3 buckets and currently we are using Access Keys and Secret Keys within Cyberduck to explore S3 buckets. When MFA is enabled on user account, Cyberduck won't let connecting to S3 and keeping failing and as soon as we disable MFA on that same account we are able to connect to S3 through Cyberduck with same Access Key and Secret Key.

Do you guys have any thought how we can work around this and force everyone have MFA enabled on their account but being able to access S3 buckets using their own Access Key and Secret Key while MFA enabled?

It would be great if anyone of you could help and have had the same scenario.

Any alternative solution is welcome.

I should also mention that the users who are gonna connect to S3 and browse through buckets are not tech people and they cannot do much technical stuff. So we are after a simple solution for this please.

Thank you guys.

1 answers

solution1
 1  2021-06-02 12:15:07

Option 1: Call STS get-session-token

You will need to use the Security Token Service (STS) command to get-session-token while providing an MFA code. This will then return a new set of temporary IAM credentials that Cyberduck can use. Unfortunately, you will need to do this each time because Cyberduck is not capable of prompting for the MFA token.

See: Authenticate access using MFA through the AWS CLI

Option 2: Configure Cyberduck to Assume Role with MFA

From help/en/howto/s3 – Cyberduck , it appears that you can configure an IAM Role in the AWS credentials file and also specify an MFA:

   [testuser]
   aws_access_key_id=<access key for testuser>
   aws_secret_access_key=<secret key for testuser>
   [testrole]
   role_arn=arn:aws:iam::123456789012:role/testrole
   source_profile=testuser
   mfa_serial=arn:aws:iam::123456789012:mfa/testuser

It basically attempts to Assume a Role while specifying the MFA serial number. I haven't tried that method, so I'm not sure how Cyberduck prompts for the MFA value. Give it a try and let us know how it went for you!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Enable AWS S3 MFA delete with the console AWS S3 bucket MFA enable Use NiFi to write into AWS S3 Bucket with MFA enabled How to disable MFA delete on your S3 bucket through AWS CLI? AWS CLI and S3 browsers not working after enabling Force_MFA Using AWS Terraform How to enable s3 backend authentication with assumed role MFA credentials I can use CyberDuck to connect to S3 Bucket, but I cannot programmatically connect Connecting to AWS with Cyberduck/FileZilla/PuTTY aws s3Client PutObject Access Denied, but CyberDuck can PutObject Successfully Enabling MFA delete on S3 Bucket from CloudFormation template
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM