Connect to S3 authenticating with Google Cloud

Authenticate to S3 with a Google account by configuring Google as an OpenID Connect (OIDC) identity provider in AWS IAM. Cyberduck or Mountain Duck signs in to Google, presents the resulting ID token to AWS STS with AssumeRoleWithWebIdentity, and uses the temporary credentials it receives to access S3.

Tip

Refer to Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API for custom configuration of connection profiles using OIDC web identity federation to connect to AWS S3.

Requirements

  • Cyberduck 9.3.0 or later required

  • Mountain Duck 5.1.0 or later required

Configuration in Google Cloud Console

Create an OAuth client in the Google Cloud Console. Its OAuth Client ID becomes the audience (aud claim) of the ID tokens that Google issues, which AWS IAM checks in the role's trust policy.

Setup a Custom OAuth Client ID Tutorial

Follow the step-by-step instructions to Setup a Custom OAuth Client ID for Google.

  1. Navigate to Solutions → All products → Management → Google Auth Platform → Clients in the Google Cloud Console and choose Create client → OAuth client ID.

  2. Select iOS as the application type.

    Important

    Other application types require an OAuth client secret and do not allow a redirect URI that Cyberduck or Mountain Duck can use.

  3. For the Bundle ID, enter io.cyberduck for Cyberduck or io.mountainduck for Mountain Duck.

  4. Copy the OAuth Client ID from the credentials screen.

Configuration in AWS IAM

Create an OIDC identity provider

Tip

Google is already built in to AWS as a trusted OIDC identity provider, so no identity provider resource needs to be created in IAM. Instead of an identity provider ARN, reference the built-in Google IdP in the role's trust policy as accounts.google.com.

Create a role

Create a role that trusts the Google identity provider and grants permissions to access S3.

  1. In AWS IAM console, choose Create Role in Roles.

  2. Select Web identity as the trusted entity type.

  3. Select Google as the Identity Provider.

  4. For Audience, enter the OAuth Client ID from the application registration in Google Cloud Console, including the .apps.googleusercontent.com suffix.

  5. The resulting trust policy will look similar to the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "accounts.google.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "accounts.google.com:aud": "<OAuth Client ID>.apps.googleusercontent.com"
                    }
                }
            }
        ]
    }

    Note

    With only the aud condition, any Google account that completes the OAuth sign-in for this client can assume the role. To restrict the role to specific Google accounts, add accounts.google.com:sub (the stable Google account ID) or accounts.google.com:email to the StringEquals condition.
    
  6. In the next step attach a permission policy to the role, such as the managed policy AmazonS3FullAccess. Prefer a policy scoped to the buckets and actions that are actually needed, since everyone the trust policy admits receives these permissions.

  7. Copy the Role ARN from the Summary tab.
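The following is an added example, not code from Cyberduck or the page: it models the StringEquals checks STS applies to a Google ID token under the trust policy from step 5, and compares the console-generated audience-only policy with a variant that also pins accounts.google.com:sub. The client ID, account IDs and tokens are constructed placeholders, and the token signature is not verified (STS does that against Google's published keys).

```python
"""Evaluate a web-identity trust policy against Google ID token claims.

Added example for this page; not part of Cyberduck or AWS. All identifiers
below are constructed placeholders.
"""
import base64
import json

# Constructed OAuth Client ID, as shown in Google Cloud Console with suffix.
CLIENT_ID = "123456789012-abcdefghijklmnop.apps.googleusercontent.com"
OWNER_SUB = "110000000000000000001"  # constructed Google account id (sub claim)

# Trust policy as the IAM console generates it (audience only).
TRUST_AUD_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": CLIENT_ID}},
    }],
}

# Hardened variant: also pins the Google account allowed to assume the role.
TRUST_AUD_AND_SUB = json.loads(json.dumps(TRUST_AUD_ONLY))
TRUST_AUD_AND_SUB["Statement"][0]["Condition"]["StringEquals"][
    "accounts.google.com:sub"] = OWNER_SUB

# IAM condition keys for the built-in Google IdP and the ID token claim each one reads.
CONDITION_CLAIMS = {
    "accounts.google.com:aud": "aud",
    "accounts.google.com:sub": "sub",
    "accounts.google.com:email": "email",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature (constructed input)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def can_assume(policy: dict, token: str) -> bool:
    """True if some Allow statement admits this token's issuer and claims."""
    claims = decode_claims(token)
    issuer = claims.get("iss", "")
    if issuer.startswith("https://"):
        issuer = issuer[len("https://"):]  # Google issues both forms
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != issuer:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Every condition key must match its claim; unknown keys never match.
        if all(claims.get(CONDITION_CLAIMS.get(key)) == value
               for key, value in equals.items()):
            return True
    return False


def sample_tokens() -> dict:
    """Constructed tokens: the intended user, another Google user, and a wrong client."""
    base = {"iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": 4102444800}
    return {
        "owner": make_id_token({**base, "sub": OWNER_SUB, "email": "owner@example.com"}),
        "other_google_user": make_id_token(
            {**base, "sub": "110000000000000000002", "email": "other@example.com"}),
        "wrong_client": make_id_token(
            {**base, "aud": "999999999999-zzzz.apps.googleusercontent.com", "sub": OWNER_SUB}),
    }


if __name__ == "__main__":
    for name, token in sample_tokens().items():
        print(f"{name:18} aud-only={can_assume(TRUST_AUD_ONLY, token)!s:5} "
              f"aud+sub={can_assume(TRUST_AUD_AND_SUB, token)}")
```

Running the block shows that the audience-only policy admits every Google account that signs in to this OAuth client, while the variant with accounts.google.com:sub admits only the pinned account; a token issued for a different client ID is rejected by both, which is the case behind the "Not authorized to perform sts:AssumeRoleWithWebIdentity" error in Troubleshooting.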

Create a bookmark in Cyberduck or Mountain Duck

  1. Open Preferences… → Profiles in Cyberduck or Mountain Duck.

  2. Enable the AWS S3 (Google OpenID Connect) connection profile.

  3. Add a new Bookmark in Cyberduck or Mountain Duck and choose AWS S3 (Google OpenID Connect) in the protocol dropdown.

  4. Enter the OAuth Client ID from the application registration in Google Cloud Console for OAuth Client ID when prompted. It will be saved in the bookmark as a custom property.

    OAuth Client ID Prompt

    Tip

    Enter the full OAuth Client ID as shown in the Google Cloud Console, including the .apps.googleusercontent.com suffix. It must match the audience in the role's trust policy.

    Note

    Alternatively set OAuth Client ID in a custom connection profile.

  5. Enter the Role ARN from the previous step when prompted. It will be saved in the bookmark as a custom property.

    Note

    Alternatively set role_arn as a custom property in a custom connection profile.

Troubleshooting

Not authorized to perform sts:AssumeRoleWithWebIdentity

STS rejected the token under the role's trust policy. Validate the Trusted entities in Trust relationships in the IAM console: the Federated principal must be accounts.google.com and the accounts.google.com:aud condition must equal the OAuth Client ID entered in the bookmark, including the .apps.googleusercontent.com suffix. If you added a sub or email condition, check that it names the Google account you are signing in with.

Request ARN is invalid

The role ARN entered is not valid. Copy it again from the role's Summary tab; it has the form arn:aws:iam::<account-id>:role/<role-name>.

The security token included in the request is invalid

Invalid client token ID. Check the OAuth Client ID in the bookmark or connection profile; it must be the client ID of the iOS OAuth client created in the Google Cloud Console.

References