S3 - Use credentials from environment variables

Advertisement

ed
Guest

S3 - Use credentials from environment variables

Rather than rely on hardcoded credentials, it would be excellent if WinSCP supported credentials stored in the default AWS environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

Reply with quote

Advertisement

geo590
Joined:
Posts:
1
Location:
Akron, OH

Re: S3 - Use credentials from environment variables

The AWS CLI stores user credentials in a file and it would be ideal if that same file could be used to authenticate to S3 in WinSCP.

The file is located at C:\Users\<Username>\.aws\credentials Here's a link to the documentation:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

The file is plain text and contains the access key, secret access key, and session token (only needed for temporary credentials). You can have 1 or more profiles in the file identified by a name enclosed in []. See example below.

It would be awesome to have an option just enter the profile name (i.e. abc) in the S3 settings that will reference the corresponding keys in the credential file.

Thanks for your consideration!
[default]
aws_access_key_id=xxx
aws_secret_access_key=xxx
 
[abc]
aws_access_key_id=xxx
aws_secret_access_key=xxx
aws_session_token="xxx"

Reply with quote

martin
Site Admin
martin avatar

Re: S3 - Use credentials from environment variables

geo590 wrote:

The AWS CLI stores user credentials in a file and it would be ideal if that same file could be used to authenticate to S3 in WinSCP.
Thanks for this suggestion too. We will see what other users prefer.

Reply with quote

lewellej
Joined:
Posts:
8

Re: S3 - Use credentials from environment variables

I would strongly request this. I used winscp for years, but had to switch to cyberduck when our company went to this scheme for AWS credentials. I don't like cyberduck as well, but it does support this.
If you do implement this, best to have some kind of "Refresh" (credentials) button available, as the session token for us expires after 12 hours. Hopefully could continue to use same winscp session beyond life of one token, rather than having to close/restart.
Last edited by lewellej on 2021-01-08 19:15; edited 1 time in total

Reply with quote

Advertisement

christoph.gysin
Joined:
Posts:
2

Thanks for sending me the development version.

It seems to work great in the GUI. I use aws-vault to load the credentials into the environment. The current implementation requires to check the box: "Read credentials from AWS CLI configuration". I wonder if that is needed? I nicer user experience would be to search for the credentials in the order:
  • session configuration
  • environment variables
  • AWS configuration files
  • prompt for user input
Is there a way to use this feature in the automation interface (/script=script.txt)? Even with credentials in the environment, I still get prompted for access key and secret. Ideally this would also support searching for credentials in the order:
  • s3 URL (s3://accesskey:secret/s3.amazonaws.com/bucketname/)
  • environment variables
  • AWS configuration files
  • prompt for user input
This would be in line with how the AWS SDK behaves. Just for my curiosity, may I ask why you are using a fork of libs3 over the official AWS SDK? The license? Or the size?

Thanks, and keep up the good work!

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,441
Location:
Prague, Czechia

christoph.gysin wrote:

The current implementation requires to check the box: "Read credentials from AWS CLI configuration". I wonder if that is needed? I nicer user experience would be to search for the credentials in the order:
...
Imo, the current behaviour goes better with the GUI interface.
Let's see what others think.

Is there a way to use this feature in the automation interface (/script=script.txt)? Even with credentials in the environment, I still get prompted for access key and secret.
Use S3CredentialsEnv raw session settings:
open s3://s3.amazonaws.com/ -rawsettings S3CredentialsEnv=on

Just for my curiosity, may I ask why you are using a fork of libs3 over the official AWS SDK? The license? Or the size?
It's long time, since I've made the decision. But I believe it was the size and the dependencies.

Reply with quote

pspot5
Guest

Hi,

thanks a lot for this, a really nice and modern feature.

I noticed that some important pieces are missing:

1) There is no possibility to choose the profile name. Looks like by default the [default] profile is read. In reality people would probably have several profiles in their .aws\credentials and the default profile would probably not be the one they'd want to use for WinSCP.

2) Not strictly related to AWS authentication, but related to S3: I haven't found a way to configure a KMS key for encrypting uploaded objects. Nowadays modern S3 security policies prohibit the upload of any unencrypted objects, meaning that, for example, with AWS CLI you need to add the following parameters to your
aws s3 cp' command: '--sse aws:kms --sse-kms-key-id "alias/my-key-alias"
Cheers

Reply with quote

Advertisement

You can post new topics in this forum