How to load AWS Credentials and AWS SSO session profiles from AWS Config or Credential file.
S3 Browser
Free Windows Client for Amazon S3 and Amazon CloudFront
 
Follow


AWS Credentials from AWS Config and Credentials Files


Overview

S3 Browser can load Amazon S3 credentials and temporary session tokens from AWS config and credentials files. This is useful if you already manage profiles with AWS CLI or other AWS tools and want S3 Browser to use the same profile definitions instead of entering access keys manually.

This account type supports regular access-key profiles, temporary session-token profiles, and AWS CLI profiles that use IAM Identity Center (AWS SSO) session-based authentication. If a profile uses an SSO session, sign in with AWS CLI first, then open the profile in S3 Browser.


AWS Credentials File

The AWS credentials file is usually stored in %USERPROFILE%\.aws\credentials and has the following format: 

[default]
 aws_access_key_id=ACCESS_KEY
 aws_secret_access_key=SECRET_KEY
 aws_session_token=TOKEN

The file may contain multiple profiles: 

[default]
 aws_access_key_id = ACCESS_KEY
 aws_secret_access_key = SECRET_KEY
 aws_session_token = TOKEN
 
[Alice]
 aws_access_key_id = Alice_access_key_ID
 aws_secret_access_key = Alice_secret_access_key
 
[Bob]
 aws_access_key_id = Bob_access_key_ID
 aws_secret_access_key = Bob_secret_access_key

You may specify the profile name when configuring account properties.


AWS Config File

The AWS config file is usually stored in %USERPROFILE%\.aws\config and has the following format: 

[default]
 aws_access_key_id = ACCESS_KEY
 aws_secret_access_key = SECRET_KEY
 aws_session_token = TOKEN
 
[profile Alice]
 aws_access_key_id = Alice_access_key_ID
 aws_secret_access_key = Alice_secret_access_key
 
[profile Bob]
 aws_access_key_id = Bob_access_key_ID
 aws_secret_access_key = Bob_secret_access_key

The config file uses the same format as the credentials file, except for profile section names. Profile sections must use the format [profile profile-name], except for the default profile.


IAM Identity Center (AWS SSO) Session Profiles

S3 Browser can also use AWS CLI profiles configured with sso_session. This is useful when several AWS accounts or roles share the same IAM Identity Center login session. 

[profile Alice]
 sso_session = AliceSession
 sso_account_id = 123456789012
 sso_role_name = AdministratorAccess
 region = eu-west-1

[sso-session AliceSession]
 sso_start_url = https://example.awsapps.com/start
 sso_region = eu-west-1
 sso_registration_scopes = sso:account:access

Before opening the account in S3 Browser, sign in with AWS CLI: 

aws sso login --sso-session=AliceSession

S3 Browser uses the cached AWS CLI SSO token to request role credentials for the selected profile. If the cached SSO session expires and cannot be refreshed, run aws sso login for the session again.


Supported Profile Settings

The following settings are supported in both the AWS credentials file and the AWS config file:

  • aws_access_key_id - AWS access key ID.
  • aws_secret_access_key - AWS secret access key.
  • aws_session_token - AWS session token. A session token is only required if you are using temporary security credentials.
  • aws_security_token - legacy name for the AWS session token.
  • sso_session - AWS CLI SSO session name configured in the [sso-session session-name] section.
  • sso_account_id - AWS account ID that contains the IAM role you want to use.
  • sso_role_name - IAM role name to use with the selected AWS account.
  • sso_start_url - IAM Identity Center start URL in the [sso-session session-name] section.
  • sso_region - AWS Region that contains the IAM Identity Center portal host.

You may also use the following setting to specify a custom S3 endpoint:

  • s3_endpoint - a custom S3 endpoint, for example my.custom.domain.com.

How to Add the Account

1. Start S3 Browser and click Accounts -> Add New Account.

click add new account menu item

Click Accounts -> Add New Account

The Add New Account dialog will open:

aws credentials from aws config file

Add New Account dialog.

2. Select Amazon S3 (Credentials from AWS Config or Credential file) as the account type.

3. Specify AWS Config or Credential file. If you leave this field empty, S3 Browser will look for the file in %AWS_CONFIG_FILE%, %USERPROFILE%\.aws\config, %AWS_SHARED_CREDENTIALS_FILE%, or %USERPROFILE%\.aws\credentials.

4. Specify Profile name. If you leave this field empty, S3 Browser will try to read the profile name from the %AWS_PROFILE% environment variable and use the default profile if the variable is empty.

If the selected profile uses sso_session, run aws sso login --sso-session=your-session-name before opening the account in S3 Browser.

5. Turn on Use secure transfer (SSL/TLS) if you would like to use an encrypted SSL/TLS channel.

6. Click Add new account.


You can now choose the newly added account from the Accounts menu:

how to switch between amazon s3 accounts

Click Accounts -> Account Name to switch between accounts.


Advanced Account Settings

You may also configure additional settings when adding a new account or editing an existing account.

To open advanced account settings, click the advanced settings link located at the bottom-left corner of the dialog.

The Advanced Account Settings dialog will open:

Advanced storage settings dialog

Advanced account settings

You may configure the following settings here:

Enable Dual-Stack Endpoints (IPv4/IPv6) - When checked, S3 Browser will use dual-stack endpoints to access storage, allowing connections over both IPv4 and IPv6. This improves compatibility with networks that support IPv6.

List All My Buckets When Account Assigned - When checked, S3 Browser will perform the s3:ListAllMyBuckets call when the account is assigned. If the account does not have permission to list all buckets, you can uncheck this option to avoid failed tasks and warnings in the log.

Check CloudFront Distributions When Account Assigned - When checked, S3 Browser will perform the cloudfront:ListDistributions call when the account is assigned, allowing it to set a special icon for buckets used as origins for CloudFront distributions. If the account does not have permission to list CloudFront distributions, you can uncheck this option to avoid failed tasks and warnings in the log.

External Buckets - You can edit the external buckets associated with the account. Each bucket should be listed on a new line. Optional paths are also supported, with a slash used as the delimiter (e.g., my-bucket/and/optional/path).

S3 Browser 13.3.5 Freeware
Powered by Amazon Web Services and Rated by CNET Editors!
Social Connection
 
People like S3 Browser!
People like us
Our customers say

"S3 Browser is an invaluable tool to me as a web developer to easily manage my automated site backups" -Bob Kraft, Web Developer

"Just want to show my appreciation for a wonderful product. I use S3 Browser a lot, it is a great tool." -Gideon Kuijten, Pro User

"Thank You Thank You Thank You for this tool. A must have for anyone using S3!" -Brian Cummiskey, USA

Related Products
TntDrive
Easily mount Amazon S3 Bucket as a Windows Drive.
RdpGuard
protects your Windows Server from RDP Brute-force Attacks.
"Amazon Web Services", "AWS", "Amazon S3", "Amazon Simple Storage Service", "Amazon CloudFront", "CloudFront", the "Powered by Amazon Web Services" logo are trademarks of Amazon.com, Inc. or its affiliates in the US and/or other countries.
Copyright © 2008-2026 Netsdk Software FZE. All rights reserved.  Terms of Use.  Privacy Policy.  S3 Drive.  RDP brute-force protection.