Implement support for Amazon STS

[bwalding]

Use Case

• users are configured in a single AWS account - account-master
• they change roles into the target account using Amazon STS - e.g. account-child as s3manipulator

Mechanics

The mechanics of this is relatively simple

• load base AWS credentials (or issue ephemeral credentials from EC2 metadata)
• use credentials to acquire a second set of credentials using AssumeRole
• use the new credentials to interact with S3

The configuration that is supplied is an IAM role to the AssumeRole API call - arn:aws:iam::<ACCOUNT>:role/<ROLE>.

An MFA token can be supplied at this stage if the target role requires one.

Related documentation

http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

(I have created this ticket as I could find no information on how this is done in s3cmd, and wanted to create a lightning rod for discussion / patches etc - it is probable that I will implement this functionality if no one else has - it is generally quite easy to implement)

[cixelsyd]

Hello. Did you receive any input here from the s3cmd people? I have the exact same use case. I (briefly) read through the s3cmd code and it still does not appear to contain STS support. Support for STS would be greatly appreciated, and an excellent addition to the product!

[fviard]

@bwalding @cixelsyd Thanks for your messages.
I'm not specialist at all in this area, but iam support is not enough to support STS?
Otherwise, maintainers (including me) are pretty busy at this moment, but patches are kindly welcome and I promise to try to give a fast review if you try to implement that.

[s4mx]

Some of my account profile is mfa enabled and it seems s3cmd supports profile (#906) but not mfa enabled profile.

[fviard]

Changes have been pushed to master (d761ead) to support STS with AssumeRole and AssumeRoleWebIdentity through the same aws cli env variables.

But, FYI, nothing was done to support mfa. Please open a new issue if "mfa" is something that you really need. Thanks