We have a policy in place for our users to limit them access to AWS without having MFA enabled on their account. So currently everyone is forced to enable MFA on their account and use that whenever they login to AWS and need to access anything. This all works ok and no issue.
The problem we have is we use Cyberduck to access our AWS S3 buckets and currently we are using Access Keys and Secret Keys within Cyberduck to explore S3 buckets. When MFA is enabled on user account, Cyberduck won't let connecting to S3 and keeping failing and as soon as we disable MFA on that same account we are able to connect to S3 through Cyberduck with same Access Key and Secret Key.
Do you guys have any thought how we can work around this and force everyone have MFA enabled on their account but being able to access S3 buckets using their own Access Key and Secret Key while MFA enabled?
It would be great if anyone of you could help and have had the same scenario.
Any alternative solution is welcome.
I should also mention that the users who are gonna connect to S3 and browse through buckets are not tech people and they cannot do much technical stuff. So we are after a simple solution for this please.
Thank you guys.
Option 1: Call STS get-session-token
You will need to use the Security Token Service (STS) command to
get-session-token
while providing an MFA code. This will then return a new set of temporary IAM credentials that Cyberduck can use. Unfortunately, you will need to do this each time because Cyberduck is not capable of prompting for the MFA token.See: Authenticate access using MFA through the AWS CLI
Option 2: Configure Cyberduck to Assume Role with MFA
From help/en/howto/s3 – Cyberduck, it appears that you can configure an IAM Role in the AWS credentials file and also specify an MFA:
It basically attempts to Assume a Role while specifying the MFA serial number. I haven't tried that method, so I'm not sure how Cyberduck prompts for the MFA value. Give it a try and let us know how it went for you!