I couldn't mount s3 bucket using IAM role

What is the problem you are having with rclone?

I created credentials from an IAM role (access Id and secret access key), then I used these credentials to mount the s3 bucket. I followed the rclone document and finally I gave the rclone.exe lsd xxx: command.
When I give this command I get the error.
I used the aws cli to generate the credentials from the IAM role.

My Configuration:
[xxx]
type = s3
provider = AWS
env_auth = false
access_key_id =
secret_access_key =
region = eu-west-1
location_constraint = eu-west-1
storage_class = STANDARD

Error: 2021/03/22 09:46:19 ERROR : : error listing: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
status code: 403, request id: N9D8J113WW58H05Z, host id: xzFcRBt3YELKeFLhWtXM8KP14TOenNYHT1AQW75RcCHz02FBEOyuMw6FjErVHE3OkGFkFmvLE7c=
2021/03/22 09:46:19 Failed to lsd with 2 errors: last error was: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
status code: 403, request id: N9D8J113WW58H05Z, host id: xzFcRBt3YELKeFLhWtXM8KP14TOenNYHT1AQW75RcCHz02FBEOyuMw6FjErVHE3OkGFkFmvLE7c=

What is your rclone version (output from rclone version)

Which OS you are using and how many bits (eg Windows 7, 64 bit)

OS: windows 10, 64 bit latest

Which cloud storage system are you using? (eg Google Drive)

cloud storage: AWS s3

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone.exe lsd xxx:

The rclone config contents with secrets removed.

[xxx]
type = s3
provider = AWS
env_auth = false
access_key_id = <generated access id>
secret_access_key = <generated access key>
region = eu-west-1
location_constraint = eu-west-1
storage_class = STANDARD

A log from the command with the -vv flag

2021/03/22 09:46:19 ERROR : : error listing: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
        status code: 403, request id: N9D8J113WW58H05Z, host id: xzFcRBt3YELKeFLhWtXM8KP14TOenNYHT1AQW75RcCHz02FBEOyuMw6FjErVHE3OkGFkFmvLE7c=
2021/03/22 09:46:19 Failed to lsd with 2 errors: last error was: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
        status code: 403, request id: N9D8J113WW58H05Z, host id: xzFcRBt3YELKeFLhWtXM8KP14TOenNYHT1AQW75RcCHz02FBEOyuMw6FjErVHE3OkGFkFmvLE7c=

I presume you actually filled these in and didn't leave them blank?

The access_key and secret_access_key is the simplest form of auth so normally doesn't present any problem.

Can you double check the values you put in, and check there aren't any spaces on the end?

Thank you @ncw, I filled those fields but I didn't share those details here

There isn't a lot which can go wrong with access_key/secret_access_key

Your config should look like this (not real credentials!)

[s3]
type = s3
provider = AWS
access_key_id = AK768687K6GGGHKJH
secret_access_key = lksajUY987+nlkjsHGFFkje87987jhkj+kjhdHgkGlGf8
region = eu-west-2
location_constraint = eu-west-2

If you can't get it to work, try generating the credentials again - maybe that bit went wrong somehow?

Same issue I'm getting @ncw :pensive:

I'm using IAM role, pls consider this also @ncw, Using IAM role I'm generating the accesskey and accessId

Can you paste the aws cli command you used and the output (XXX out the keys)?

command:
aws sts assume-role --role-arn arn:aws:iam::420624090628:role/BST_To_APSdev_Developer --role-session-name "RoleSession1" --profile aps

output:
{
"Credentials": {
"AccessKeyId": "XXX",
"SecretAccessKey": "XXX",
"SessionToken": "XXX",
"Expiration": "2021-03-22T11:45:31+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAWD3ZGIYCN33P2WU44:RoleSession1",
"Arn": "arn:aws:sts::420624090628:assumed-role/BST_To_APSdev_Developer/RoleSession1"
}
}

@ncw, Command:
aws sts assume-role --role-arn arn:aws:iam::420624090628:role/BST_To_APSdev_Developer --role-session-name "RoleSession1" --profile aps

I think you need to put the session_token in also with this type of temporary config.

https://rclone.org/s3/#s3-session-token

Can you tell me how to add session_token in the config file? @ncw

Find the config file with rclone config file

Edit it with your fave text editor.

Add the line session_token = XXXX to the remote definition.

I added this but still getting same issue :pensive:

Did your session token expire?

What does your config look like now?

Please post the command you run and the actual error message with -vv - thanks!

current expiration is "2021-03-23T03:43:15+00:00"

full log:

2021/03/23 08:16:51 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "lsd" "s3:" "-vv"]
2021/03/23 08:16:51 DEBUG : Using config file from "C:\Users\HP\.config\rclone\rclone.conf"
2021/03/23 08:16:52 ERROR : : error listing: AccessDenied: Access Denied
status code: 403, request id: BR4QRTHJAAQGP6FJ, host id: JGWF82OL4N9sC0xs9saUB+bxt2rd/QOTn91K7zkF9jrPodpWzFcnoOGD3H9WVYFD05k9B/sgel0=
2021/03/23 08:16:52 Failed to lsd with 2 errors: last error was: AccessDenied: Access Denied
status code: 403, request id: BR4QRTHJAAQGP6FJ, host id: JGWF82OL4N9sC0xs9saUB+bxt2rd/QOTn91K7zkF9jrPodpWzFcnoOGD3H9WVYFD05k9B/sgel0=

Do you have any blog on using an IAM role with rclone? If you have, pls send it here.

Thank you very much @ncw, now it is working fine, the issue was the region :slight_smile:

Glad you made it work - I was running out of things to try :slight_smile:
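
Added example, not part of the thread and not rclone's own code: a small Python helper that turns `aws sts assume-role` JSON into an rclone S3 remote section including `session_token`, refuses expired credentials, and lints an existing section for a temporary key that has no token. The function names, the sample values and the `ASIA` prefix check are assumptions of this example; the config keys are the ones shown in the thread and on the linked rclone S3 page.

```python
import configparser, io, json
from datetime import datetime, timezone

# Constructed sample in the shape of the `aws sts assume-role` output above.
SAMPLE_STS = json.dumps({"Credentials": {
    "AccessKeyId": "ASIACONSTRUCTEDKEY ",          # trailing space on purpose
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token",
    "Expiration": "2021-03-22T11:45:31+00:00"}})

def remote_from_assume_role(sts_output, name, region, now=None):
    """Return an rclone S3 remote section built from assume-role JSON."""
    creds = json.loads(sts_output)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError(f"credentials expired at {expires.isoformat()}")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg[name] = {
        "type": "s3", "provider": "AWS", "env_auth": "false",
        # strip() removes stray spaces picked up when copying values
        "access_key_id": creds["AccessKeyId"].strip(),
        "secret_access_key": creds["SecretAccessKey"].strip(),
        # temporary keys are only accepted together with their token
        "session_token": creds["SessionToken"].strip(),
        # caller must pass the region the bucket lives in
        "region": region, "location_constraint": region,
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def lint_remote(config_text, name):
    """List problems in an existing remote section of rclone.conf."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    remote, problems = cfg[name], []
    # STS-issued access key IDs start with ASIA; long-term ones with AKIA
    if remote.get("access_key_id", "").startswith("ASIA") \
            and not remote.get("session_token"):
        problems.append("temporary key without session_token")
    if not remote.get("region"):
        problems.append("region not set")
    return problems

if __name__ == "__main__":
    when = datetime(2021, 3, 22, 11, 0, tzinfo=timezone.utc)
    print(remote_from_assume_role(SAMPLE_STS, "s3", "eu-west-1", now=when))
```

The generated section has to be regenerated whenever the `Expiration` time passes, since the three credential values are issued together.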
