
How to use a session token in the AWS S3 REST API

0

My understanding of a session token is that it is a temporary credential that you can get using access keys, from this page: https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#UsingTemporarySecurityCredentials

I have a session token that I attempted to use as follows:

curl --location --request GET 'https://s3.amazonaws.com/' \
--header 'x-amz-security-token: <token>'

However, I keep getting this response:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>AccessDenied</Code>
    <Message>No AWSAccessKey was presented.</Message>
    <RequestId>HIDDEN</RequestId>
    <HostId>HIDDEN</HostId>
</Error>

Note: HIDDEN is just to mask the value.

asked a year ago
3.7K views
2 Answers
0

No, the session token is not enough. You must also include an Authorization header that contains the Access Key ID and the calculated signature to provide complete authentication information to the S3 API.

answered a year ago
EXPERT
reviewed a year ago
  • How does the AWS SDK browser client work?

  • Also, if the access key is still used to sign the headers and provide the public part of the access key to the AWS server, what is the need for the session token?

0

Also, if the access key is still used to sign the headers and provide the public part of the access key to the AWS server, what is the need for the session token?

A session token is required for temporary credentials (i.e., the one-time access key and the secret key received from AWS STS). AWS needs it to validate your credentials.

How does the AWS SDK browser client work?

If you use the AWS SDK instead of a plain HTTP client (e.g., an older curl command), you don't need to sign the credential and headers. The whole signing process is carried out internally when you call each SDK API.

For example, if you want to call the ListBuckets API, you simply create an S3Client with your credentials and session token, and send a ListBucketsCommand with the S3Client.

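import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";

// getIdToken() and getCredentials() are the poster's own helpers (not shown here).
const idToken = await getIdToken();
const credentials = await getCredentials(idToken);
// Temporary credentials: access key ID, secret key and session token go together.
const accessKeyId = credentials?.AccessKeyId;
const secretAccessKey = credentials?.SecretKey;
const sessionToken = credentials?.SessionToken;
const expiration = credentials?.Expiration;
const client = new S3Client({
  credentials: { accessKeyId, secretAccessKey, sessionToken, expiration },
});
// The SDK signs the request and attaches the session token internally.
const listBucketsCommand = new ListBucketsCommand({});
const { Buckets } = await client.send(listBucketsCommand);
console.log(JSON.stringify(Buckets, null, 2));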
answered a year ago
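
The request the first answer describes, and the signing the SDK performs internally per the second answer, shown as an added example (not code from the original posts or from AWS): Signature Version 4 headers for `GET https://s3.amazonaws.com/` with temporary credentials, using Node.js built-in crypto. The `signS3Get` name, the credential values and the fixed timestamp are constructed for illustration.

```javascript
// Added example: SigV4-sign a GET to S3 with temporary (STS) credentials.
// All credential values below are constructed placeholders, not real keys.
const crypto = require("node:crypto");

const sha256Hex = (data) => crypto.createHash("sha256").update(data).digest("hex");
const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

function signS3Get({ accessKeyId, secretAccessKey, sessionToken, host, region, now }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20240101T000000Z
  const dateStamp = amzDate.slice(0, 8);
  const payloadHash = sha256Hex(""); // GET has an empty body

  // Headers that are sent AND signed. The session token is one of them.
  const headers = {
    host,
    "x-amz-content-sha256": payloadHash,
    "x-amz-date": amzDate,
    "x-amz-security-token": sessionToken,
  };
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join("");
  const signedHeaders = names.join(";");

  // Method, path, (empty) query string, headers, signed header list, body hash.
  const canonicalRequest = ["GET", "/", "", canonicalHeaders, signedHeaders, payloadHash].join("\n");
  const scope = `${dateStamp}/${region}/s3/aws4_request`;
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");

  // Derive the signing key from the temporary secret key, then sign.
  let key = hmac("AWS4" + secretAccessKey, dateStamp);
  for (const part of [region, "s3", "aws4_request"]) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString("hex");

  headers.authorization =
    `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return headers;
}

// Constructed sample values and a fixed clock so the output is reproducible.
const sample = signS3Get({
  accessKeyId: "ASIAEXAMPLEKEYID0000",
  secretAccessKey: "constructedSecretKeyForIllustration00000",
  sessionToken: "constructedSessionToken==",
  host: "s3.amazonaws.com",
  region: "us-east-1",
  now: new Date("2024-01-01T00:00:00Z"),
});
console.log(Object.entries(sample).map(([k, v]) => `--header '${k}: ${v}'`).join(" \\\n"));
```

The printed `--header` lines take the place of the single `x-amz-security-token` header in the curl command from the question. Because the token is part of the signed headers, changing it changes the signature.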
