Unable to connect to s3 using --s3-profile with role_arn

What is the problem you are having with rclone?

We were using rclone v1.53.3 and are trying to upgrade to the latest version, v1.55.1. After the upgrade, we realized that the feature below is not working, although it was working in v1.53.3.

When trying to access an S3 bucket using the --s3-profile option with an AWS profile configured with role_arn, we get an AccessDenied error, whereas it works without any issues when the AWS profile is configured with aws_access_key_id and aws_secret_access_key.

What is your rclone version (output from rclone version)

rclone v1.55.1

  • os/type: linux
  • os/arch: amd64
  • go/version: go1.16.3
  • go/linking: static
  • go/tags: none

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Amazon Linux 2

Which cloud storage system are you using? (eg Google Drive)

S3

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls s3://test-logs/2021-07-13/ --s3-profile testlogs

The rclone config contents with secrets removed.

Config from the ~/.aws/credentials file:

[testlogs]
role_arn = arn:aws:iam::00000000000:role/test-role
source_profile = default

A log from the command with the -vv flag

2021/07/14 14:13:23 DEBUG : Using config file from "/home/ec2-user/.config/rclone/rclone.conf"
2021/07/14 14:13:23 DEBUG : rclone: Version "v1.55.1" starting with parameters ["rclone" "ls" "s3://test-logs/2021-07-13/" "--s3-profile" "testlogs" "-vv"]
2021/07/14 14:13:23 DEBUG : Creating backend with remote "s3://test-logs/2021-07-13/"
2021/07/14 14:13:23 DEBUG : s3: detected overridden config - adding "{jb+DA}" suffix to name
2021/07/14 14:13:24 DEBUG : fs cache: renaming cache item "s3://test-logs/2021-07-13/" to be canonical "s3{jb+DA}:test-logs/2021-07-13"
2021/07/14 14:13:24 DEBUG : 4 go routines active
2021/07/14 14:13:24 Failed to ls: AccessDenied: Access Denied
        status code: 403, request id: 8TVCK7CVEXPF781T, host id: wEo+4KMswde6lETjLs6QnEbRpRF/+8dyhsRxBnTo3nNXgYRrJ91BDkrmuBOuid8vy0sv5UYjY5s=
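
When triaging a report like this, it helps to confirm offline how the named profile is meant to resolve: a profile with role_arn needs an STS AssumeRole call made with its source profile's credentials, while a static-key profile does not. The following is an added example, not part of the original post and not rclone's code; `resolve_profile`, the `orphan` profile and the placeholder key values are assumptions constructed for illustration.

```python
import configparser

# Constructed sample mirroring the profile layout in the post; the key values
# are placeholders, not real credentials. [orphan] is a deliberately broken case.
SAMPLE = """
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = placeholder-secret

[testlogs]
role_arn = arn:aws:iam::00000000000:role/test-role
source_profile = default

[orphan]
role_arn = arn:aws:iam::00000000000:role/test-role
source_profile = missing
"""

def resolve_profile(text, name):
    """Return the credential chain for `name` as (profile, kind) steps,
    ending at a base credential source; raise ValueError on a broken chain."""
    cfg = configparser.RawConfigParser()  # Raw: no '%' interpolation in secrets
    cfg.read_string(text)
    chain, seen = [], set()
    while True:
        if name in seen:
            raise ValueError(f"source_profile loop at {name!r}")
        if not cfg.has_section(name):
            raise ValueError(f"profile {name!r} not found")
        seen.add(name)
        sec = cfg[name]
        if "role_arn" in sec:
            # Requires AssumeRole using the credentials of the next link.
            chain.append((name, "assume-role:" + sec["role_arn"]))
            if "source_profile" in sec:
                name = sec["source_profile"]
                continue
            if "credential_source" in sec:  # e.g. Ec2InstanceMetadata
                chain.append((name, "credential-source:" + sec["credential_source"]))
                return chain
            raise ValueError(f"{name!r} has role_arn but no credential source")
        if "aws_access_key_id" in sec and "aws_secret_access_key" in sec:
            chain.append((name, "static-keys"))
            return chain
        raise ValueError(f"{name!r} has neither role_arn nor static keys")

if __name__ == "__main__":
    for step in resolve_profile(SAMPLE, "testlogs"):
        print(step)
```

If the chain resolves cleanly here, the profile file itself is consistent and the AccessDenied points at how the client loads or applies the assume-role step rather than at a malformed profile.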
