We're familiar with the use of --s3-profile for the typical use case of rclone assuming a role using existing AWS config
file. Our current use case, which we thought was supported, is more complex -
"Access an AWS bucket using an assumed role without any file-based configuration"
It will be extremely useful in terms of scripting transfers using scripts shared within a team, as it eliminates the need for file based configuration.
The ideal case doesn't even require an rclone config (illustrated below), but we'd be delighted with just a way to specify and drive the role assumption without a named profile, driven entirely by environment variables.
Stating the obvious, the access and secret keys are easy in ENV ... the role to assume without a named profile not so much!
We have a script we think "ought" to work, but it fails with a 403, and the CloudTrail logs in both the account with the "hard" AWS creds and the target account with the to-be-assumed role show no requests, rejected or otherwise.
The failing script (sanitized):
#!/bin/bash
# Set AWS credentials
export AWS_ACCESS_KEY_ID=SomeAWSAccessKeyWithAssumeRolePerms
export AWS_SECRET_ACCESS_KEY=TheCorrespondingSecretKey
# Set role to assume
export AWS_ROLE_ARN=TheFullyQualifiedARNofAssumableRoleWithS3Perms
export AWS_ROLE_SESSION_NAME=my-rclone-session
# Configure rclone
export RCLONE_CONFIG_MYREMOTE_TYPE=s3
export RCLONE_CONFIG_MYREMOTE_PROVIDER=AWS
export RCLONE_CONFIG_MYREMOTE_ENV_AUTH=true
export RCLONE_CONFIG_MYREMOTE_ASSUME_ROLE_ARN=$AWS_ROLE_ARN
# Run rclone command
rclone ls myremote:BucketNameWithoutAnyProtocol -vv
Our rclone version is:
rclone v1.62.2-DEV
- os/version: centos 7.9.2009 (64 bit)
- os/kernel: 3.10.0-1160.119.1.el7.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.18
- go/linking: dynamic
- go/tags: none
And the failing result with -vv in place is:
$ vi testRcloneNoConfig.sh
[pattcornerri@irbdev12 no-commit]$ ./testRcloneNoConfig.sh
2024/10/09 10:13:50 DEBUG : rclone: Version "v1.62.2-DEV" starting with parameters ["rclone" "--config" "/dev/null" "ls" "BucketNameWithoutAnyProtocol" "-vv"]
2024/10/09 10:13:50 DEBUG : Creating backend with remote "myremote:x20220908-rpc-1"
2024/10/09 10:13:50 DEBUG : Using config file from ""
2024/10/09 10:13:50 DEBUG : Setting type="s3" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_TYPE
2024/10/09 10:13:50 DEBUG : Setting provider="AWS" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_PROVIDER
2024/10/09 10:13:50 DEBUG : Setting env_auth="true" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_ENV_AUTH
2024/10/09 10:13:50 DEBUG : myremote: detected overridden config - adding "{cInaD}" suffix to name
2024/10/09 10:13:50 DEBUG : Setting provider="AWS" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_PROVIDER
2024/10/09 10:13:50 DEBUG : Setting env_auth="true" for "myremote" from environment variable RCLONE_CONFIG_MYREMOTE_ENV_AUTH
2024/10/09 10:13:50 DEBUG : fs cache: renaming cache item "myremote:x20220908-rpc-1" to be canonical "myremote{cInaD}:BucketNameWithoutAnyProtocol"
2024/10/09 10:13:50 DEBUG : 4 go routines active
2024/10/09 10:13:50 Failed to ls: AccessDenied: Access Denied
status code: 403, request id: XXX, host id: YYY
We're not attached to this specific method, just looking for some way to use rclone with an assumed role but without the AWS config files/named profile
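One file-free way to reach the same goal, as an added example rather than code from the post or from rclone itself: have the AWS CLI assume the role once, then pass the temporary credentials to rclone through the standard environment variables that env_auth=true reads (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN). It assumes the AWS CLI is on PATH, the base keys are already exported as in the original script, and that an environment variable named RCLONE_ASSUME_ROLE_ARN (a name chosen here) carries the role ARN.

```shell
#!/bin/sh
# Added example (not from the forum post or rclone): assume the role with the
# AWS CLI, then hand rclone the short-lived credentials through the env vars its
# env_auth=true setting reads. No profile or config file is involved.
# Assumptions: aws CLI on PATH, base keys exported as in the original script,
# RCLONE_ASSUME_ROLE_ARN (name chosen for this example) holds the role ARN.
set -eu

# sts_to_env: read one tab-separated line "AccessKeyId SecretAccessKey SessionToken"
# (the --output text form of the query below) from stdin and print export lines.
sts_to_env() {
  IFS="$(printf '\t')" read -r key secret token || return 1
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# assume_role_for_rclone ROLE_ARN [SESSION_NAME]: replace the long-lived keys in
# this shell with temporary ones for the role. The session name is what
# CloudTrail records for every request, so make it identify the script or operator.
assume_role_for_rclone() {
  eval "$(aws sts assume-role --role-arn "$1" --role-session-name "${2:-rclone-session}" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text | sts_to_env)"
}

if [ -n "${RCLONE_ASSUME_ROLE_ARN:-}" ]; then
  assume_role_for_rclone "$RCLONE_ASSUME_ROLE_ARN" my-rclone-session
  export RCLONE_CONFIG_MYREMOTE_TYPE=s3
  export RCLONE_CONFIG_MYREMOTE_PROVIDER=AWS
  export RCLONE_CONFIG_MYREMOTE_ENV_AUTH=true
  rclone --config /dev/null ls myremote:BucketNameWithoutAnyProtocol -vv
fi
```

Because the temporary keys replace the long-lived ones only inside this shell, the original access key never reaches rclone, and the requests show up in CloudTrail under the assumed role's session name.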