Connect to S3 with web identity federation

The latest versions of Cyberduck & Mountain Duck now allow to connect to S3 by authenticating with an OpenID Connect (OIDC) identity provider.

Connections to S3 with web identity federation use AWS Security Token Service (STS) API to obtain temporary security credentials to authenticate with S3.

With web identity federation, you don’t need to (…) manage your own user identities. Instead, users of your app can sign in using a well-known external OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don’t users to have long-term security credentials.

Default connection profiles for Google and Azure

Default connection profiles are provided to use Google or Azure AD as an identity provider in conjunction with AWS.

These default profiles will prompt users for the Role ARN configured in AWS IAM referencing the trust relationship configured with the identity provider. Assigned by AWS this has a format similar to arn:aws:iam::930717317329:role/my-role-name.

Configuration in AWS IAM

  1. Add an identity provider in IAM. Refer to the documentation from AWS.
  2. Assign a role. The role is crucial as it contains both the trust relationship with the identity provider and permission policy:
  • The trust policy restricts access to users authenticated with a specific identity provider and allows to filter for specific users in the Condition statement with access to the JSON Web Token (JWT) claims that can be matched.
  • With the permission policy attached it limits access to a predefined set of buckets or keys.

Refer to the AWS documentation on Creating a role for web identity or OpenID Connect Federation.

The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role’s trust policy. The call to AssumeRoleWithWebIdentity should include the ARN of the role that is specific to the provider through which the user signed in.

Custom Integration

We have made available documentation to write your own connection profile for different combinations of S3/STS and identity provider such as MinIO S3 authenticating with MinIO STS and Keycloak (OIDC).

Documentation

Refer to our S3 documentation.

S3 Authentication with IAM Role credentials

This is a technical post for users that are familiar with AWS EC2.

When you are launching an EC2 instance you can assign it with an IAM role with specific permissions to AWS resources. This enables you to use security credentials on EC2 to access S3 that are temporary and rotated automatically. Refer to IAM Roles for Amazon EC2.

We have now added a login option to the current snapshot builds of 4.7 available through a connection profile that allows to connect from EC2 with Cyberduck on Windows or the CLI version on Linux instances with IAM role credentials obtained from instance metadata.

The S3 (Temporary Credentials) profile can be installed from the wiki. See Connecting with temporary access credentials from EC2. Make sure to edit the role name in the profile to match your IAM configuration.

AWS Authentication with IAM Role on EC2

We think this will make deployments of the duck to EC2 a lot easier without the need to distribute credentials along with.

Enable server side encryption for AWS S3

The latest snapshot build of Cyberduck for Mac & Windows allows the configuration of server side encryption for files in Amazon S3. Server side encryption provides you the ability to encrypt data stored in Amazon S3. You can encrypt data on upload simply by selecting AES256 as the default encryption algorithm for uploads to S3 in the Preferences or selecting the checkbox in the Info panel for data already uploaded. Decryption happens automatically when data is retrieved.

CloudFront for the rest of us with custom origins

Configuring a bucket in S3 to make its content available through the Amazon CloudFront CDN (Content distribution network) was always most straight forwarded in Cyberduck. Both distributions for static files and streaming can be configured using the Distribution tab of the Info panel when connected to your S3 account with a snap.

Because Amazon has now lifted the requirement to upload your content to S3 to make it available in CloudFront, their powerful CDN feature can now be used with any server used as the origin source for content. This is especially useful for content generated only on demand or where your workflow just doesn’t allow to upload content additionally to S3.

As of the latest beta and snapshot builds of Cyberduck, you can connect to any server using FTP or SFTP and configure it as the origin of a new Amazon CloudFront CDN distribution. We expect this to make CloudFront a lot more popular for users that are tied to existing server resources but want to make us of content distribution in the cloud.

Detailed usage instructions can be found in the help wiki. Give it a try!

Versioning

Amazon S3, the cloud storage service Cyberduck can connect to, supports a versioning feature. This allows to revert to previous revisions of a file replaced in S3. The latest snapshot build of Cyberduck supports versioning in S3 in the following way:

  • Toggle the versioning status using File → Info → S3
  • Display previous versions and deleted files in the browser using View → Show Hidden Files. Past revisions are displayed in a grey text colour and can be downloaded or permanently deleted like regular files.
  • Revert files to a previous version using File → Revert or the Browser context menu.
  • Optionally enabling Multi-Factor Authentication (MFA) Delete