How to access S3 via Temporary Security Credentials
An AWS Account or an IAM user can request temporary security credentials and use them to access Amazon S3.
The credentials consist of an Access Key ID, a Secret Access Key, and a Security Token.
Temporary security credentials are obtained from AWS Security Token Service (AWS STS) by sending the AssumeRole or GetSessionToken call.
With S3 Browser you can easily work with Amazon S3 via temporary security credentials: it calls AssumeRole or GetSessionToken automatically when required.
Once obtained, temporary security credentials are cached in memory and used until they expire,
then the next STS call is sent.
To connect to Amazon S3 via STS GetSessionToken
1. Start S3 Browser and click Accounts -> Add New Account.
The Add New Account dialog will open:
New Amazon S3 via GetSessionToken account dialog.
2. Choose the Amazon S3 via GetSessionToken account type
3. Select the Source Account - an account for calling GetSessionToken.
The GetSessionToken operation must be called by using the long-term AWS security credentials
of the AWS account root user or an IAM user.
4. Turn on the Use secure transfer (SSL/TLS) checkbox if you would like to encrypt all communications with the storage.
5. Click Add new account
You can now choose the newly added account from the Accounts menu:
Click Accounts -> Account Name to switch between accounts.
Advanced Settings
You may also configure additional settings for the Amazon S3 via GetSessionToken account type.
To open Advanced Settings please click the Advanced settings.. link located at the bottom-left corner of the dialog.
The Advanced Account Settings dialog will open:
GetSessionToken
Advanced Account Settings dialog, the GetSessionToken tab
1. MFA Serial - an optional field, the identification number of the MFA device
that is associated with the user who is making the GetSessionToken call.
Specify it if the user has a policy that requires MFA authentication, or leave it empty.
2. Session duration in seconds - the duration, in seconds, that the temporary credentials should remain valid.
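The in-memory caching described at the top of this page, combined with the two GetSessionToken settings above, written with boto3 as an added example (not S3 Browser's own code). The function and class names, the 60-second refresh margin and the rule that a configured MFA serial needs a new code on every refresh are assumptions of this example; 900 to 129600 seconds is the STS range for IAM users.

```python
import time

# GetSessionToken duration limits for IAM users, in seconds (AWS default is 43200).
MIN_DURATION, MAX_DURATION = 900, 129600


def build_request(duration=43200, mfa_serial=None, mfa_code=None):
    """Build GetSessionToken parameters; the MFA fields are optional, as in the dialog."""
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"duration must be {MIN_DURATION}..{MAX_DURATION} seconds")
    if bool(mfa_serial) != bool(mfa_code):
        # Assumption of this example: a serial is only useful with a current code.
        raise ValueError("MFA serial and current MFA code must be given together")
    params = {"DurationSeconds": duration}
    if mfa_serial:
        params.update(SerialNumber=mfa_serial, TokenCode=mfa_code)
    return params


def sts_fetch(params):
    """Real STS call, signed with the source account's long-term credentials."""
    import boto3  # imported lazily so the cache logic runs without boto3 installed
    return boto3.client("sts").get_session_token(**params)["Credentials"]


def s3_client_kwargs(creds):
    """All three parts are passed on; a temporary key is not valid without its token."""
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


class SessionCredentialCache:
    """Hypothetical helper: holds credentials in memory, refetches after expiry."""

    def __init__(self, fetch=sts_fetch, skew=60, clock=time.time, **request):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._request = request  # duration and mfa_serial, fixed per account
        self._creds = None

    def get(self, mfa_code=None):
        if self._creds is None or self._expired():
            # One-time MFA codes cannot be reused, so each refresh needs a new one.
            self._creds = self._fetch(build_request(mfa_code=mfa_code, **self._request))
        return self._creds

    def _expired(self):
        # Refresh `skew` seconds early so no request is signed with a stale token.
        return self._clock() >= self._creds["Expiration"].timestamp() - self._skew
```

With the default `fetch`, `boto3.client("s3", **s3_client_kwargs(cache.get()))` yields an S3 client that works until the session expires.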
Advanced Account Settings dialog, the Miscellaneous tab
Miscellaneous
Enable Dual-Stack Endpoints (IPv4/IPv6) - When checked, S3 Browser will use dual-stack endpoints
to access storage, allowing connections over both IPv4 and IPv6.
This improves compatibility with networks that support IPv6.
List All My Buckets When Account Assigned - When checked, S3 Browser will perform the
s3:ListAllMyBuckets call when the account is assigned. If the account does not have permission
to list all buckets, you can uncheck this option to avoid failed tasks and warnings in the log.
Check CloudFront Distributions When Account Assigned - When checked, S3 Browser will perform the
cloudfront:ListDistributions call when the account is assigned, allowing it to set a special
icon for buckets used as origins for CloudFront distributions. If the account does not have permission to
list CloudFront distributions, you can uncheck this option to avoid failed tasks and warnings in the log.
External Buckets - You can edit the external buckets associated with the account. Each bucket should be listed on a new line.
Optional paths are also supported, with a slash used as the delimiter (e.g., my-bucket/and/optional/path).