S3 - Use credentials from environment variables

Rather than rely on hardcoded credentials, it would be excellent if WinSCP supported credentials stored in the default AWS environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

Thanks for your suggestion.
We will see, if more people ask for this.

The AWS CLI stores user credentials in a file and it would be ideal if that same file could be used to authenticate to S3 in WinSCP.

The file is located at C:\Users\<Username>\.aws\credentials Here's a link to the documentation:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

The file is plain text and contains the access key, secret access key, and session token (only needed for temporary credentials). You can have 1 or more profiles in the file identified by a name enclosed in []. See example below.

It would be awesome to have an option just enter the profile name (i.e. abc) in the S3 settings that will reference the corresponding keys in the credential file.

Thanks for your consideration!

geo590 wrote:

The AWS CLI stores user credentials in a file and it would be ideal if that same file could be used to authenticate to S3 in WinSCP.

Thanks for this suggestion too. We will see what other users prefer.

I would strongly request this. I used winscp for years, but had to switch to cyberduck when our company went to this scheme for AWS credentials. I don't like cyberduck as well, but it does support this.
If you do implement this, best to have some kind of "Refresh" (credentials) button available, as the session token for us expires after 12 hours. Hopefully could continue to use same winscp session beyond life of one token, rather than having to close/restart.

This request has been added to the tracker:
https://winscp.net/tracker/1941

I'll send an email with a development version of WinSCP to both of you shortly. [Done]

I'm also interested in this feature. Is this in 5.18.3-RC? If not, I would love to test a development version with this commit.

No, it's not in 5.18.3. I've sent you the development version.

Thanks for sending me the development version.

It seems to work great in the GUI. I use aws-vault[0] to load the credentials into the environment. The current implementation requires to check the box: "Read credentials from AWS CLI configuration". I wonder if that is needed? I nicer user experience would be to search for the credentials in the order:
- session configuration
- environment variables
- AWS configuration files
- prompt for user input

Is there a way to use this feature in the automation interface (/script=script.txt)? Even with credentials in the environment, I still get prompted for access key and secret. Ideally this would also support searching for credentials in the order:
- s3 URL (s3://accesskey:secret/s3.amazonaws.com/bucketname/)
- environment variables
- AWS configuration files
- prompt for user input

This would be in line with how the AWS SDK[1] behaves. Just for my curiosity, may I ask why you are using a fork of libs3 over the official AWS SDK? The license? Or the size?

[0] https://github.com/99designs/aws-vault
[1] https://github.com/aws/aws-sdk-cpp

Thanks, and keep up the good work!

christoph.gysin wrote:

The current implementation requires to check the box: "Read credentials from AWS CLI configuration". I wonder if that is needed? I nicer user experience would be to search for the credentials in the order:
...

Imo, the current behaviour goes better with the GUI interface.
Let's see what others think.

Is there a way to use this feature in the automation interface (/script=script.txt)? Even with credentials in the environment, I still get prompted for access key and secret.

Use S3CredentialsEnv raw session settings:

Just for my curiosity, may I ask why you are using a fork of libs3 over the official AWS SDK? The license? Or the size?

It's long time, since I've made the decision. But I believe it was the size and the dependencies.