Allow Login to AWS Athena with Profile from Credentials File


Stusstrupp
Joined:
Posts:
4
Location:
Cologne, Germany


For security reasons, organisations prefer users to access AWS services via a credentials provider and the assumption of a role rather than with static credentials with a user role. For locally installed applications, this is possible by copying the credentials provided by the organisation's SSO service into the local AWS configuration file:
# temporary credentials to access the AWS account for
# user role arn:aws:iam::123456789012:role/user-role-<userid>
# from here:
# https://myappcallingcognito.mydomain.com/ssocredentials
 
[my_temp_aws_account_credentials]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...
 
[athena_access_project_x]
# user role arn:aws:iam::123456789012:role/user-role-<userid>
# needs to be set up to be able to assume the following role:
role_arn = arn:aws:iam::123456789012:role/project-x-read
source_profile = my_temp_aws_account_credentials
region = eu-central-1
In order to log in, the user then simply needs to enter the profile name ("athena_access_project_x" in this example) and is connected until the credentials expire. This also allows the organisation in question to manage their users in just one directory rather than also having to manage them in AWS IAM.

An option to connect to AWS Athena from WinSCP by entering the profile name from the credentials file would be greatly appreciated.
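The profile layout above is what a client would have to resolve before it can call STS: follow source_profile from the requested profile down to a profile holding static (here: temporary SSO) keys, and collect the role_arn values on the way. The following is an added example, not WinSCP, libs3 or AWS code; it reproduces that resolution on a constructed credentials file with placeholder keys and shows the two failure modes a defender wants caught early: a source_profile that points at a profile that does not exist (a one-character typo in the profile name) and a circular chain. Profile names, key values and the helper functions are all assumptions made for this example.

```python
"""Resolve an AWS named profile the way the AWS CLI's role assumption expects.

Added example (not WinSCP or AWS code). It parses the credentials-file layout
from the post and walks the source_profile -> role_arn chain, rejecting a
dangling or circular reference before any STS AssumeRole call would be made.
All sample content is constructed; the keys are placeholders.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mirroring the post's layout (placeholder secrets).
SAMPLE_CREDENTIALS = """
[my_temp_aws_account_credentials]
aws_access_key_id = AKIAEXAMPLEKEY000000
aws_secret_access_key = EXAMPLE_SECRET
aws_session_token = EXAMPLE_SESSION_TOKEN

[athena_access_project_x]
role_arn = arn:aws:iam::123456789012:role/project-x-read
source_profile = my_temp_aws_account_credentials
region = eu-central-1

[broken_profile]
# source_profile is missing its trailing 's': dangling reference
role_arn = arn:aws:iam::123456789012:role/project-y-read
source_profile = my_temp_aws_account_credential

[loop_a]
role_arn = arn:aws:iam::123456789012:role/loop-a
source_profile = loop_b

[loop_b]
role_arn = arn:aws:iam::123456789012:role/loop-b
source_profile = loop_a
"""


@dataclass
class ResolvedProfile:
    name: str
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]
    region: Optional[str]
    # Role ARNs in the order STS AssumeRole would be called (base first).
    roles_to_assume: List[str]


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style credentials text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_profile(profiles: Dict[str, Dict[str, str]], name: str) -> ResolvedProfile:
    """Walk the source_profile chain from `name` down to static credentials."""
    roles: List[str] = []   # collected target-first, reversed at the end
    seen: List[str] = []
    current = name
    while True:
        if current in seen:
            raise ValueError("circular source_profile chain: " + " -> ".join(seen + [current]))
        seen.append(current)
        section = profiles.get(current)
        if section is None:
            via = f" (referenced as source_profile by '{seen[-2]}')" if len(seen) > 1 else ""
            raise KeyError(f"profile '{current}' not found{via}")
        if "role_arn" in section:
            if "source_profile" not in section:
                raise ValueError(f"profile '{current}' has role_arn but no source_profile")
            roles.append(section["role_arn"])
            current = section["source_profile"]
            continue
        # Base profile: must carry static (possibly temporary) keys.
        if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
            raise ValueError(f"profile '{current}' has neither role_arn nor static keys")
        return ResolvedProfile(
            name=name,
            access_key_id=section["aws_access_key_id"],
            secret_access_key=section["aws_secret_access_key"],
            session_token=section.get("aws_session_token"),
            # Simplification: region is taken from the requested profile only.
            region=profiles[name].get("region"),
            roles_to_assume=list(reversed(roles)),
        )


def validate_profile(profiles: Dict[str, Dict[str, str]], name: str) -> Optional[str]:
    """Return None if `name` resolves cleanly, else the error message."""
    try:
        resolve_profile(profiles, name)
        return None
    except (KeyError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CREDENTIALS)
    for profile_name in profiles:
        problem = validate_profile(profiles, profile_name)
        print(f"{profile_name}: {'ok' if problem is None else problem}")
```

With boto3 installed, `boto3.Session(profile_name="athena_access_project_x")` performs the same chain walk and the AssumeRole call itself; the point of spelling it out here is that a client reading only the default profile (as the post says the current implementation does) never reaches the role_arn line, and that a dangling source_profile should be reported by name rather than surfacing later as a generic credential failure.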

Stusstrupp

Re: Allow Login to AWS Athena with Profile from Credentials File

Hi,

Indeed, we need to connect not just with the temporary credentials of the SSO role (as assumed with [my_temp_aws_account_credentials] in the example) but with a particular role.

Our S3 repository is organised along projects. Rather than managing as many different user roles as we have different access permutations (just project a, just project b, both project a and b, project c, ...), we manage one role per project. Each of those project roles is then assigned the proper SSO roles in its trust relationship. That means that when a user logs in, he has to select the proper project role (athena_access_project_x in the example above).

AWS CLI allows using preconfigured role assumption with the credentials file, as shown in the example and described in https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html, and our developers use this with VSCode. Data analysts, however, do not need a full-fledged development IDE, so we wanted to offer them WinSCP.

Stusstrupp

Re: Allow Login to AWS Athena with Profile from Credentials File

Hi,

And thank you for keeping at this request. Reading the corresponding forum entry to the request you mention (Allow S3 connection with IAM role instead of credentials), it seems to me that that requirement is similar, but not as simple as mine: It sounds as if that requirement is asking for the user to enter a role for an account that his access key points to.

I am just asking for WinSCP to allow entering the name of a profile out of his credentials file – maybe even select it from a list of profiles in that file. The role name would then be taken from the profile description within the credentials file (see example in original post).

In other words, I would like WinSCP to be able to use the --profile option of AWS CLI, e.g. like
aws s3api list-buckets --profile <profile name>

There were two feature requests I thought covered this, S3 - Use credentials from environment variables and Security Token Service support for AWS S3.

However, the implemented solution (Bug 1941 – Support reading S3 credentials from AWS CLI configuration) does not allow entering the profile name from the credentials file. It seems to me that just the default profile is being read, and then without any roles it is supposed to assume.

I am aware that you are using libs3 rather than AWS CLI and I have found no support of reading profiles or logging in with a role in its documentation.


martin
Site Admin

Re: Allow Login to AWS Athena with Profile from Credentials File

Thanks for the clarification. I'll look into it.

martin

Re: Allow Login to AWS Athena with Profile from Credentials File

Would you be able to set up a test account, role and bucket for me? Or provide me step-by-step instructions (like aws commands) to do that myself?

Btw, I've implemented the profile selection already. But the "role" support is still pending.


Stusstrupp

Re: Allow Login to AWS Athena with Profile from Credentials File

I have tried to get this approved by our IT security, however setting you up for our corporate AWS accounts would require a huge effort.
