Connect to S3 authenticating with Microsoft Entra ID
Use Microsoft Entra ID to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM.
Tip
Refer to Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API for custom configuration of connection profiles using OIDC web identity federation to connect to AWS S3.
Configuration in Microsoft Entra ID
Create an application in the Microsoft Entra ID portal and configure it as an OIDC Identity Provider.
Navigate to Entra ID → → App registrations in the Microsoft Entra ID portal and choose New registration.
In Authentication, add a redirect URI with the value
x-cyberduck-action://oauthto allow authentication with Cyberduck.In Authentication, add a redirect URI with the value
x-mountainduck-action://oauthto allow authentication with Mountain Duck.Copy the OAuth Client ID from Overview → Essentials → Application (client) ID.
Configuration in AWS IAM
Create an OIDC identity provider
In AWS IAM console add a new identity provider in Identity providers.
Configure the provider as type OpenID Connect with the provider URL set to
https://login.microsoftonline.com/<TENANT-ID>/v2.0. Replacewith your Microsoft Entra ID tenant ID. Copy the ARN for the next step. Set the Audience to the Application (client) ID from Microsoft Entra.
Create a role
Assign a role to the identity provider created in the previous step with permissions to access S3.
In AWS IAM console add a new role.
Choose Assign role followed by Create a new role with a Web identity trusted entity type. It should have Identity provider and Audience options prefilled with the ARN of the identity provider and Client ID from Microsoft Entra.
The resulting trust policy will look similar to the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/login.microsoftonline.com/<TENANT-ID>/v2.0" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "login.microsoftonline.com/<TENANT-ID>/v2.0:aud": "<Application (client) ID>" } } } ] }
Tip
The
<ACCOUNT_ID>is replaced with your AWS account ID and<Application (client) ID>with the OAuth Client ID of the application you created in the previous step. ForFederated, the ARN of the identity provider you created in the previous step is set. For the conditionauduse the application client ID of the application you created in the previous step.In the next step attach a permission policy to the role such as the managed policy
AmazonS3FullAccess.Copy the Role ARN from the Summary tab.
Create a bookmark in Cyberduck or Mountain Duck
Open Preferences… → Profiles in Cyberduck or Mountain Duck.
Enable the AWS S3 (Microsoft Entra) connection profile.
Add a new Bookmark in Cyberduck or Mountain Duck and choose AWS S3 (Microsoft Entra) in the protocol dropdown.
Enter the Application (client) ID from the application registration in Microsoft Entra for OAuth Client ID when prompted. It will be saved in the bookmark as a custom property.
Tip
The OAuth Client ID is the same as the Application (client) ID from the application registration in Microsoft Entra.
Note
Alternatively set
OAuth Client IDin a custom connection profile.Enter the Role ARN from the previous step when prompted. It will be saved in the bookmark as a custom property.
Note
Alternatively set
role_arnas a custom property in a custom connection profile.
Troubleshooting
Not authorized to perform sts:AssumeRoleWithWebIdentity
Validate the Trusted entities in Trust relationships in the IAM console.
Request ARN is invalid
The role ARN entered is not valid.
The security token included in the request is invalid
Invalid client token ID. Check the OAuth Client ID in the connection profile.