
I have AWS account A and my customer has assigned me an IAM role to access their AWS account B S3 bucket. Here is the info I have: Account A: accessKeyId that starts with AKIA******** and SecretAccessKey. Account B: I am able to generate an accessKeyId that starts with ASIA****, SecretAccessKey and sessionToken.

I want to know how I can use this info to access the bucket of account B via the HTTP API; I cannot use the SDK.

I followed this for Signature calculation: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

I am able to create an Authorization: header that works fine when I access account A with its keyId and secretKey, but I cannot access account B with the generated keyId (ASIA****) and SecretAccessKey. How do I use the sessionKey here? I didn't find a relevant document.

Here is the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::##########:user/#####"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "sts:ExternalId": "#########"
                }
            }
        }
    ]
}

Here is what I am using when creating the HTTP Authorization header.

Host: s3.us-east-2.amazonaws.com
x-amz-date: 20230516T212805Z
x-amz-content-sha256:###################
Authorization: AWS4-HMAC-SHA256 Credential=ASIA##############/20230516/us-east-2/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=##############################

The Authorization header is created using the temporary keyId (ASIA****) and secretKey.

Updated request after adding the x-amz-security-token header:

X-Amz-Content-Sha256: 44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072
Host: s3.us-east-2.amazonaws.com
X-Amz-Security-Token: FwoGZXIvYXdzEDcaDCnx1E****************
X-Amz-Date: 20230517T214836Z
Authorization: AWS4-HMAC-SHA256 Credential=ASIA######/20230517/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=368ceac########
Content-Type: text/plain
User-Agent: PostmanRuntime/7.32.2
Accept: */*
Postman-Token: 3114d46a-9ecb-4aa7-8824-4fbaf4b6d534
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 21

Response:

<Error><Code>InvalidToken</Code><Message>The provided token is malformed or otherwise invalid.</Message><Token-0>FwoGZXIv*******</Token-0
  • Can you post a [mre] of how you're calculating the signature? As a guess, you need to include the `x-amz-security-token` header, but without details, we can only guess. – Anon Coward May 17 '23 at 18:28
  • @AnonCoward, added my header info. For `x-amz-security-token` -> do I need to use the `sessionKey` here? – Nabz C May 17 '23 at 18:35
  • 1
    Yes, and include it in the signature process. – Anon Coward May 17 '23 at 18:37
  • I tried with both secret keys: the one that account A has (`AKIA****`) and the one I generated for account B with `sessionKey:` that starts with `ASIA***`. For both I am getting the same error: `InvalidTokenThe provided token is malformed or otherwise invalid.` This is after using `x-amz-security-token`. I tested with my code and Postman. – Nabz C May 17 '23 at 21:39
  • 1
    Ok, again, please provide a minimal reproducible example of your efforts, otherwise, we can only guess what's going wrong. – Anon Coward May 17 '23 at 21:45
  • Added my request with the new header and the response. – Nabz C May 17 '23 at 21:54
  • @AnonCoward your suggestion worked. The session key has some unicode chars at the end, `\u003d\u003d`; after changing them to `==`, it worked. – Nabz C May 18 '23 at 18:28
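As an added example (not the asker's code), here is the header-based SigV4 signing discussed above with the session token placed in `x-amz-security-token` and included in the signed header set, plus a check for the JSON-escaped `==` that the last comment identifies as the cause of `InvalidToken`. All credential values are constructed placeholders, and the function names `sign_s3_request` and `check_session_token` are chosen here.

```python
import hashlib
import hmac
import urllib.parse

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # x-amz-content-sha256 for an empty body

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")

def check_session_token(token: str) -> str:
    """Reject a token that still carries JSON escapes (e.g. \\u003d for '=') or other
    non-base64 characters; STS returns plain base64 and S3 must receive it verbatim."""
    body = token.strip("=").replace("+", "").replace("/", "")
    if "\\u" in token or not body.isalnum():
        raise ValueError("session token is not plain base64; JSON-decode it before signing")
    return token

def sign_s3_request(method, host, path, access_key, secret_key, region, amz_date,
                    payload=b"", session_token=None):
    """Build SigV4 headers for an S3 request. With temporary (ASIA...) credentials the
    session token goes into x-amz-security-token AND into the signed header set."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token is not None:
        headers["x-amz-security-token"] = check_session_token(session_token)
    signed_headers = ";".join(sorted(headers))          # lowercase, sorted, ';'-joined
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, urllib.parse.quote(path, safe="/~"), "",
                                   canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k.title(): v for k, v in headers.items()}    # e.g. X-Amz-Security-Token
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": out, "canonical_request": canonical_request, "string_to_sign": string_to_sign}
```

Send every key in the returned `headers` dict exactly as signed; changing the date, the body, or the token after signing produces a SignatureDoesNotMatch or InvalidToken response.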
