Merge pull request #615 from iterate-ch/issue/349-s3-microsoft-entra

Add tutorial to connect to S3 with Microsoft Entra ID configured as i…

Author: dkocher

protocols/profiles/aws_oidc.md

@@ -8,10 +8,23 @@ Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIde
 * Mountain Duck [4.15.0](https://mountainduck.io/changelog/) or later required
 :::
 
-Connection [profiles](index.md#technical-file-format-specification) must include the `OAuth Authorization Url`, `OAuth Token Url`, `OAuth Redirect Url` and `Scopes` of the OpenID Connect (OIDC) identity provider and the `STS Endpoint` for the STS API endpoint which defaults to `https://sts.amazonaws.com/`. Set the property `s3.assumerole.rolearn` in the connection profile to the Role ARN configured in AWS. Set it to `s3.assumerole.rolearn=` for a prompt to enter on login.
+Connection [profiles](index.md#technical-file-format-specification) require the `Role Configurable` key to be set to `true` to enable authentication with temporary tokens from STS API. and include the `OAuth Authorization Url`, `OAuth Token Url`, `OAuth Redirect Url` and `Scopes` of the OpenID Connect (OIDC) identity provider and the `STS Endpoint` for the STS API endpoint which defaults to `https://sts.amazonaws.com/`. Set the property `role_arn` in the connection profile to the Role ARN configured in AWS to omit a prompt on login.
+
 
 ## Prerequisites
 
+:::{admonition} Microsoft Entra ID Tutorial
+:class: tip
+
+Follow the [step-by-step instructions](../../tutorials/s3_microsoft_entra_oidc.md) to configure Microsoft Entra ID (formerly Azure AD) as a custom OIDC (OpenID Connect) identity provider (IdP) for S3.
+:::
+
+:::{admonition} Google Cloud Tutorial
+:class: tip
+
+Follow the [step-by-step instructions](../../tutorials/s3_google_oidc.md) to configure Google as a custom OIDC (OpenID Connect) identity provider (IdP) for S3.
+:::
+
 - Register the OAuth Client ID with your identity provider (IdP)
 - Configure the OIDC provider in AWS IAM or compatible implementation like [MinIO Security Token Service (STS)](https://min.io/docs/minio/linux/developers/security-token-service.html)
 - Make sure to restrict access by configuring the role and trust policy using rules referencing the claims available in the JWT token from the identity provider that is passed to `AssumeRoleWithWebIdentity` STS API.
@@ -53,26 +66,28 @@ Refer to [Sample connection profiles for S3 and OpenID Connect Federation](https
         <false/>
         <key>Token Configurable</key>
         <false/>
+        <key>Role Configurable</key>
+        <true/>
         <key>Username Placeholder</key>
         <string>Username</string>
         <key>STS Endpoint</key>
         <string>https://sts.amazonaws.com/</string>
         <key>Properties</key>
         <dict>
-            <key>s3.assumerole.rolearn</key>
+            <key>role_arn</key>
             <string>arn:aws:iam::…</string>
         </dict>
     </dict>
 </plist>
 ```
 
 ::::{tip}
-Alternatively set the `s3.assumerole.rolearn` per user in a `.duck` [bookmark](../../tutorials/hidden_properties.md#in-duck-bookmark-files) file.
+Alternatively set the `role_arn` per user in a `.duck` [bookmark](../../tutorials/hidden_properties.md#in-duck-bookmark-files) file.
 
 ```xml
 <key>Custom</key>
 <dict>
-    <key>s3.assumerole.rolearn</key>
+    <key>role_arn</key>
     <string>arn:aws:iam::…</string>
 </dict>
 ```

protocols/profiles/index.md

@@ -75,6 +75,7 @@ The value of `Vendor` must be unique among all installed connection profiles.
 - `Anonymous Configurable` Boolean if anonymous access is configurable.
 - `Path Configurable` Boolean if default path is configurable.
 - `Certificate Configurable` Boolean if client certificate is configurable.
+- `Role Configurable`. Boolean if role is configurable. Typically an ARN referencing the AWS IAM role to assume using AWS STS API.
 - `Region` Location constraint for [OpenStack Swift](../openstack/index.md) and [S3](../s3/index.md) profiles.
   :::{admonition} S3
   :class: tip
@@ -88,7 +89,7 @@ The value of `Vendor` must be unique among all installed connection profiles.
   * A profile can define an empty value for `OAuth Client Secret`. The OAuth authorization flow will then use no client secret in client parameters to authenticate with the server.
   * A profile can omit the `OAuth Client Secret` to prompt the user for manual input when connecting.
 - `Authorization` Set to `AWS2` to default to AWS2 signature authentication for S3. Default is `AWS4HMACSHA256`.
-- `Properties` List of custom protocol-specific properties. You can set [hidden configuration options](../../cyberduck/preferences.md#hidden-configuration-options) for a specific connection profile. Example usages can be found in:
+- `Properties` Dictionary of custom protocol-specific properties. You can set [hidden configuration options](../../cyberduck/preferences.md#hidden-configuration-options) for a specific connection profile. Example usages can be found in:
   * [FTP (Compatibility Mode).cyberduckprofile](https://github.com/iterate-ch/profiles/blob/master/FTP%20(Compatibility%20Mode).cyberduckprofile)
   * [FTP-SSL (Compatibility Mode).cyberduckprofile](https://github.com/iterate-ch/profiles/blob/master/FTP-SSL%20(Compatibility%20Mode).cyberduckprofile)
   * [S3 (Deprecated path style requests).cyberduckprofile](https://github.com/iterate-ch/profiles/blob/master/S3%20(Deprecated%20path%20style%20requests).cyberduckprofile)
@@ -186,5 +187,5 @@ Create a *multi-TIFF* containing the needed icon sizes:
 
 ### S3 and OpenID Connect Federation 
 
-Customization of connection profiles using OpenID Connect provider and AssumeRoleWithWebIdentity STS API
+Customization of connection profiles using OpenID Connect provider and AssumeRoleWithWebIdentity STS API.
 - [Sample connection profiles for S3 and OpenID Connect Federation](aws_oidc.md)

protocols/s3/index.md

@@ -194,6 +194,12 @@ with the identity provider in _Identity and Access Management (IAM)_.
 - {download}`Download<https://profiles.cyberduck.io/AWS%20S3%2BSTS%20%26%20Azure%20Active%20Directory%20%28Azure%20AD%29%20OpenID%20Connect.cyberduckprofile>`
   the *AWS S3+STS &amp; Azure Active Directory (Azure AD) profile* for preconfigured settings
 
+:::{admonition} Tutorial
+:class: tip
+
+Follow the [step-by-step instructions](../../tutorials/s3_microsoft_entra_oidc.md) to configure Microsoft Entra ID as an OpenID Connect (OIDC) Identity Provider in AWS IAM and authenticate with S3.
+:::
+
 ##### S3 with Google OpenID Connect
 
 - {download}`Download<https://profiles.cyberduck.io/AWS%20S3%2BSTS%20%26%20Google%20OpenID%20Connect.cyberduckprofile>`

tutorials/_images/S3_Client_Id_Prompt.png

@@ -78,7 +78,7 @@ Workaround to register your own Custom OAuth 2.0 Client ID for [Google Cloud Sto
     :width: 800px
     :::
 
-10. Select _Desktop app_ for _Application type_ and enter any _Name_. Select _Create_ to continue.
+10. Select _iOS_ for _Application type_ and enter any _Name_. Select _Create_ to continue.
 
      :::{image} _images/Application_Type_Client_ID.png
      :alt: Application Type for Credentials
@@ -97,7 +97,7 @@ Workaround to register your own Custom OAuth 2.0 Client ID for [Google Cloud Sto
    - {download}`Google Drive Custom OAuth Client ID.cyberduckprofile<../protocols/profiles/_static/Google Drive Custom OAuth Client ID.cyberduckprofile>`
    - {download}`Google Storage Custom OAuth Client ID.cyberduckprofile<../protocols/profiles/_static/Google Storage Custom OAuth Client ID.cyberduckprofile>`
 
-2. Use the _OAuth Client ID_ created to edit the `OAuth Client ID`, `OAuth Redirect Url`, and optionally the `OAuth Client Secret` in the template connection profile, leaving other keys unchanged.
+2. Use the _OAuth Client ID_ created to edit the `OAuth Client ID` and `OAuth Redirect Url` in the template connection profile, leaving other keys unchanged.
 
     :::::{tabs}
     ::::{tab} Configuration
@@ -111,8 +111,6 @@ Workaround to register your own Custom OAuth 2.0 Client ID for [Google Cloud Sto
             <string>com.googleusercontent.apps.NUMBER-ID:oauth</string>
             <key>OAuth Client ID</key>
             <string>NUMBER-ID.apps.googleusercontent.com</string>
-           <key>OAuth Client Secret</key>
-           <string>Client secret</string>
         </dict>
     </plist>
     ```
@@ -149,8 +147,6 @@ Workaround to register your own Custom OAuth 2.0 Client ID for [Google Cloud Sto
             <string>com.googleusercontent.apps.293168482058-dvjk8lh6u6n43kio156uerkqcgjl2i5k:oauth</string>
             <key>OAuth Client ID</key>
             <string>293168482058-dvjk8lh6u6n43kio156uerkqcgjl2i5k.apps.googleusercontent.com</string>
-            <key>OAuth Client Secret</key>
-            <string>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</string>      
         </dict>
     </plist>
     ```

tutorials/_images/S3_Role_ARN_Prompt.png

@@ -8,6 +8,8 @@ hidden_properties
 custom_oauth_client_id
 s3_iam_role_mfa
 s3_iam_getsessiontoken_bucketpolicy_mfa
+s3_microsoft_entra_oidc
+s3_google_oidc
 iam
 vault_localdisk
 sftp_publickeyauth
@@ -31,6 +33,12 @@ Require user to use MFA when connecting to S3 by connecting with IAM role assume
 ## [Connect to S3 with temporary session token and MFA input](s3_iam_role_mfa.md)
 Require user to use MFA when connecting to S3 bucket with policy requiring MFA by requesting temporary credentials obtained from IAM AWS Security Token Service (STS).
 
+## [Authenticate with Microsoft Entra ID to connect to S3](s3_microsoft_entra_oidc.md)
+Use Microsoft Entra ID to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM.
+
+## [Authenticate with Google to connect to S3](s3_google_oidc.md)
+Use Google to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM.
+
 ## [AWS Identity & Access Management (IAM)](iam.md)
 IAM allows you to create credentials for third parties accessing your S3 account with permission constraints.
 

tutorials/custom_oauth_client_id.md

@@ -0,0 +1,126 @@
+Connect to S3 authenticating with Google Cloud
+====
+
+> Use Google Cloud to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM.
+
+
+:::{tip}
+Refer to [Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API](../protocols/profiles/aws_oidc.md) for custom configuration of connection profiles using OIDC web identity federation to connect to AWS S3.
+:::
+
+:::{admonition} Requirements
+:class: warning
+* Cyberduck [9.3.0](https://cyberduck.io/changelog/) or later required
+* Mountain Duck [5.1.0](https://mountainduck.io/changelog/) or later required
+  :::
+
+## Configuration in Google Cloud Console
+
+Create an OAuth application in the [Google Cloud Console](https://console.cloud.google.com/auth/clients) and configure it as an OIDC Identity Provider.
+
+:::{admonition} Setup a Custom OAuth Client ID Tutorial
+:class: tip
+
+Follow the [step-by-step instructions](custom_oauth_client_id.md) to Setup a Custom OAuth Client ID for Google.
+:::
+
+
+1. Navigate to _Solutions → All products → Management → Google Auth Platform → Clients_ in the [Google Cloud Console](https://console.cloud.google.com/auth/clients) and choose _Create client → OAuth client ID_.
+2. Select _iOS_ as the application type.
+
+   :::{important}
+   Other types require a OAuth Client Secret and do not allow for a supported redirect URI.
+   :::
+
+3. Enter `io.cyberduck` for use with Cyberduck or `io.mountainduck` to use with Mountain Duck for the _Bundle ID_.
+4. Copy the OAuth Client ID from the credentials screen.
+
+
+## Configuration in AWS IAM
+
+### Create an OIDC identity provider
+
+:::{tip}
+Google is already built-in to AWS as a trusted OIDC identity provider. Instead of using a ARN you can reference the built-in Google IdP in a role with `accounts.google.com`.
+:::
+
+### Create a role
+
+Assign a role to the identity provider created in the previous step with permissions to access S3.
+
+1. In AWS [IAM console](https://console.aws.amazon.com/iam/), choose _Create Role_ in _Roles_.
+2. Select _Web identity_ as the trusted entity type.
+3. Select _Google_ as the _Identity Provider_.
+4. Enter the OAuth Client ID from the application registration in Google Cloud Console for _Audience_.
+5. The resulting trust policy will look similar to the following:
+
+    ```json
+   {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "accounts.google.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "accounts.google.com:aud": "<OAuth Client ID>.apps.googleusercontent.com"
+                }
+            }
+        }
+    ]
+   }
+    ```
+
+6. In the next step attach a permission policy to the role such as the managed policy `AmazonS3FullAccess`.
+7. Copy the Role ARN from the _Summary_ tab.
+
+
+### Create a bookmark in Cyberduck or Mountain Duck
+
+1. Open _Preferences… → Profiles_ in Cyberduck or Mountain Duck.
+2. Enable the *AWS S3 (Google OpenID Connect)* connection profile.
+3. Add a new [Bookmark](../cyberduck/bookmarks.md) in Cyberduck or Mountain Duck and choose *AWS S3 (Google)* in the protocol dropdown.
+4. Enter the OAuth Client ID from the application registration in Google Cloud Console for _OAuth Client ID_ when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files).
+
+   :::{image} _images/S3_Client_Id_Prompt.png
+   :alt: OAuth Client ID Prompt
+   :width: 400px
+   :::
+
+   :::{tip}
+   The _OAuth Client ID_ is the same as the _OAuth Client ID_ from the application registration in Google Cloud Console with the `.apps.googleusercontent.com` suffix.
+   :::
+
+   :::{note}
+   Alternatively set `OAuth Client ID` in a [custom connection profile](../protocols/profiles/aws_oidc.md).
+   :::
+
+5. Enter the Role ARN from the previous step when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files).
+
+   :::{note}
+   Alternatively set `role_arn` as a custom property in a [custom connection profile](../protocols/profiles/aws_oidc.md).
+   :::
+
+   :::{image} _images/S3_Role_ARN_Prompt.png
+   :alt: MFA Prompt
+   :width: 400px
+   :::
+
+:::{admonition} Troubleshooting
+:class: attention
+### `Not authorized to perform sts:AssumeRoleWithWebIdentity`
+Validate the _Trusted entities_ in _Trust relationships_ in the IAM console.
+
+### `Request ARN is invalid`
+The role ARN entered is not valid.
+
+### `The security token included in the request is invalid`
+Invalid client token ID. Check the OAuth Client ID in the connection profile.
+:::
+
+## References
+- [AWS Identity and Access Management → OIDC federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html)
+- [Google Identity Platform → OpenID Connect](https://developers.google.com/identity/openid-connect/openid-connect)

tutorials/index.md

@@ -0,0 +1,114 @@
+Connect to S3 authenticating with Microsoft Entra ID
+====
+
+> Use Microsoft Entra ID to authenticate with S3 by configuring as an OpenID Connect (OIDC) Identity Provider in AWS IAM.
+
+
+:::{tip}
+Refer to [Custom connection profile using OpenID Connect provider and AssumeRoleWithWebIdentity STS API](../protocols/profiles/aws_oidc.md) for custom configuration of connection profiles using OIDC web identity federation to connect to AWS S3.
+:::
+
+:::{admonition} Requirements
+:class: warning
+* Cyberduck [9.3.0](https://cyberduck.io/changelog/) or later required
+* Mountain Duck [5.1.0](https://mountainduck.io/changelog/) or later required
+  :::
+
+## Configuration in Microsoft Entra ID
+
+Create an application in the [Microsoft Entra ID portal](https://entra.microsoft.com/) and configure it as an OIDC Identity Provider.
+
+1. Navigate to _Entra ID → → App registrations_ in the [Microsoft Entra ID portal](https://entra.microsoft.com/) and choose _New registration_.
+2. In _Authentication_, add a redirect URI with the value `x-cyberduck-action://oauth` to allow authentication with Cyberduck.
+3. In _Authentication_, add a redirect URI with the value `x-mountainduck-action://oauth` to allow authentication with Mountain Duck.
+4. Copy the OAuth Client ID from _Overview → Essentials → Application (client) ID_.
+
+
+## Configuration in AWS IAM
+
+### Create an OIDC identity provider
+1. In AWS [IAM console](https://console.aws.amazon.com/iam/) add a new identity provider in _Identity providers_.
+2. Configure the provider as type _OpenID Connect_ with the provider URL set to `https://login.microsoftonline.com/<TENANT-ID>/v2.0`. Replace <TENANT-ID> with your Microsoft Entra ID tenant ID. Copy the ARN for the next [step](#create-a-role).
+3. Set the _Audience_ to the Application (client) ID from Microsoft Entra.
+
+### Create a role
+
+Assign a role to the identity provider created in the previous step with permissions to access S3.
+
+1. In AWS [IAM console](https://console.aws.amazon.com/iam/) add a new role.
+2. Choose _Assign role_ followed by _Create a new role_ with a _Web identity_ trusted entity type. It should have _Identity provider_ and _Audience_ options prefilled with the ARN of the identity provider and Client ID from Microsoft Entra.
+3. The resulting trust policy will look similar to the following:
+
+    ```json
+   {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/login.microsoftonline.com/<TENANT-ID>/v2.0"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "login.microsoftonline.com/<TENANT-ID>/v2.0:aud": "<Application (client) ID>"
+                }
+            }
+        }
+    ]
+   }
+    ```
+   
+    :::{tip}
+    The `<ACCOUNT_ID>` is replaced with your AWS account ID and `<Application (client) ID>` with the OAuth Client ID of the application you created in the previous [step](#configuration-in-microsoft-entra-id). For `Federated`, the ARN of the identity provider you created in the previous step is set. For the condition `aud` use the application client ID of the application you created in the previous step.
+    :::
+
+4. In the next step attach a permission policy to the role such as the managed policy `AmazonS3FullAccess`.
+5. Copy the Role ARN from the _Summary_ tab.
+
+
+### Create a bookmark in Cyberduck or Mountain Duck
+
+1. Open _Preferences… → Profiles_ in Cyberduck or Mountain Duck.
+2. Enable the *AWS S3 (Microsoft Entra)* connection profile.
+3. Add a new [Bookmark](../cyberduck/bookmarks.md) in Cyberduck or Mountain Duck and choose *AWS S3 (Microsoft Entra)* in the protocol dropdown.
+4. Enter the Application (client) ID from the application registration in Microsoft Entra for _OAuth Client ID_ when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files).
+    
+   :::{image} _images/S3_Client_Id_Prompt.png
+   :alt: OAuth Client ID Prompt
+   :width: 400px
+   :::
+
+   :::{tip}
+   The _OAuth Client ID_ is the same as the _Application (client) ID_ from the application registration in Microsoft Entra.
+   :::
+
+   :::{note}
+   Alternatively set `OAuth Client ID` in a [custom connection profile](../protocols/profiles/aws_oidc.md).
+   :::
+
+5. Enter the Role ARN from the previous step when prompted. It will be saved in the bookmark as a [custom property](hidden_properties.md#in-duck-bookmark-files).
+
+   :::{note}
+   Alternatively set `role_arn` as a custom property in a [custom connection profile](../protocols/profiles/aws_oidc.md).
+   :::
+
+   :::{image} _images/S3_Role_ARN_Prompt.png
+   :alt: MFA Prompt
+   :width: 400px
+   :::
+
+:::{admonition} Troubleshooting
+:class: attention
+### `Not authorized to perform sts:AssumeRoleWithWebIdentity`
+Validate the _Trusted entities_ in _Trust relationships_ in the IAM console.
+
+### `Request ARN is invalid`
+The role ARN entered is not valid.
+
+### `The security token included in the request is invalid`
+Invalid client token ID. Check the OAuth Client ID in the connection profile.
+:::
+
+## References
+- [AWS Identity and Access Management → OIDC federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html)