GoogleCloudPlatform / gsutil

A command line tool for interacting with cloud storage services.
Apache License 2.0

support for aws_session_token #535

Open nathankw opened 6 years ago

nathankw commented 6 years ago

Hi, I'm using gsutil v. 4.3.1 and there isn't any apparent support for the AWS_SESSION_TOKEN, which is a required configuration setting when working with AWS pre-signed URLs.

Use case: I'm trying to upload an object from a GCP bucket (in my account) to S3. I have been provided with an AWS pre-signed URL and corresponding credentials that include

  1. AWS_ACCESS_KEY_ID
  2. AWS_SECRET_ACCESS_KEY
  3. AWS_SESSION_TOKEN

I have tested with these variables in the .boto file, and even in different tests as environment variables, and the response I get is "403 AccessDenied" when running my cp command that is of the form

gsutil cp gs://mybucket/obj s3://s3bucket/obj

Things work fine when not using a pre-signed URL. After lots of testing, I wanted to verify that the AWS_SESSION_TOKEN is not supported, and to request such support.

Thanks, -Nathan

nathankw commented 6 years ago

Hi, just wanted to check back. Is this something that could make it to the feature list? Let me know if you need any more details.

houglum commented 6 years ago

It looks like there are two asks here, neither of which gsutil supports at the moment:

[1] https://stackoverflow.com/questions/51353850/configure-gsutil-boto-file-to-use-aws-sts-assume-role

iampat commented 5 years ago

The last answer is from Aug 2018. Is there any update since then?

catleeball commented 5 years ago

These features would rely on us extending or decoupling from the old deprecated boto library. Currently we have it on our roadmap to explore our relationship with boto and possibly decoupling from it, along with swapping oauth2client with google-auth and swapping httplib2 with the requests library.

Likely this would be explored after we figure out and implement a path away from boto. These dependency changes are currently goals for us, although the boto change is a slightly lower priority than the oauth2client -> google-auth change.

Likewise, gsutil is transitioning maintainers, which may mean reprioritizing goals depending on the new owner's priorities and roadmap.

In short, we will definitely keep you updated on this! We have not forgotten you. :slightly_smiling_face:

Edit [2022-04-21]: I'm not on the gsutil team anymore, but the team should still be tracking this issue!

arinto commented 4 years ago

Any updates on this feature?

ggiill commented 4 years ago

+1 - It would be extremely useful to be able to sync from S3 (with an STS Assumed Role) to GCS using gsutil.

windmark commented 2 years ago

Hi, are there any updates on supporting the AWS_SESSION_TOKEN?

With the ubiquity of using assumed roles nowadays, the s3 support in gsutil is crippled without this.

Update: I fixed this by setting the AWS_SECURITY_TOKEN. This is a legacy key for the session token, see documentation here, https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_environment.html
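
Added example, not part of the original thread or of gsutil: a shell wrapper around the workaround reported in the last comment, which exposes the STS session token under the legacy name AWS_SECURITY_TOKEN for a single command only. The function name run_with_legacy_token is hypothetical, and it assumes the three credential variables listed in the original post are already set in the shell.

```shell
# Added example (not gsutil code). run_with_legacy_token is a hypothetical helper.
# Usage, with the command form from the original post:
#   run_with_legacy_token gsutil cp gs://mybucket/obj s3://s3bucket/obj
run_with_legacy_token() {
    # Temporary credentials are only usable as a complete triple, so fail
    # early with a clear message. Only variable names are printed, never values.
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            unset val
            echo "missing $var" >&2
            return 2
        fi
    done
    unset val

    # A legacy token left over from an earlier session would not match the
    # current key pair; refuse to run rather than guess which one is right.
    if [ -n "${AWS_SECURITY_TOKEN:-}" ] &&
       [ "$AWS_SECURITY_TOKEN" != "$AWS_SESSION_TOKEN" ]; then
        echo "AWS_SECURITY_TOKEN differs from AWS_SESSION_TOKEN" >&2
        return 3
    fi

    # Subshell: the exports apply to this one command and do not persist
    # in the calling shell's environment afterwards.
    (
        export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
        export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
        "$@"
    )
}
```

Because the export happens in a subshell, the short-lived token is not left behind under a second name in the calling shell once the command finishes.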