[GH-ISSUE #651] Where to put aws_session_token information #371

New issue

Closed

opened 2026-03-04 01:44:52 +03:00 by kerem · 21 comments

kerem commented 2026-03-04 01:44:52 +03:00

Owner

Copy link

Originally created by @AcidLeroy on GitHub (Sep 26, 2017).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/651

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.

• Version of s3fs being used (s3fs --version): Amazon Simple Storage Service File System V1.82(commit:f4515b5) with OpenSSL

• Version of fuse being used (pkg-config --modversion fuse): 2.9.2

• System information (uname -a): Linux 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

• Distro (cat /etc/issue): Red Hat Enterprise Linux Workstation release 7.4 (Maipo)

Details about issue

We currently use temporary credentials using aws sts, from the documentation it is not clear to me how or where I would put the aws_session_token. Without setting this, I cannot access aws s3 buckets (i.e. I have to refresh this credential each day to gain access to the s3 buckets again). Can someone please point me to where I need to set this value in s3fs? Thanks!

Originally created by @AcidLeroy on GitHub (Sep 26, 2017). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/651 #### Additional Information _The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all._ - Version of s3fs being used (s3fs --version): *Amazon Simple Storage Service File System V1.82(commit:f4515b5) with OpenSSL* - Version of fuse being used (pkg-config --modversion fuse): *2.9.2* - System information (uname -a): *Linux 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux* - Distro (cat /etc/issue): *Red Hat Enterprise Linux Workstation release 7.4 (Maipo)* #### Details about issue We currently use temporary credentials using `aws sts`, from the documentation it is not clear to me how or where I would put the `aws_session_token`. Without setting this, I cannot access aws s3 buckets (i.e. I have to refresh this credential each day to gain access to the s3 buckets again). Can someone please point me to where I need to set this value in s3fs? Thanks!

kerem closed this issue 2026-03-04 01:44:52 +03:00

kerem commented 2026-03-04 01:44:53 +03:00

Author

Owner

Copy link

@ifnull commented on GitHub (Aug 17, 2018):

Ultimately it needs to be passed in the request header as x-amz-security-token. Which seems to be set in S3fsCurl::AWSAccessToken. I attempted to add support by adding the AWS SessionToken to /etc/passwd-s3fs as a key/value pair but found that it was going to be more work that just adding it to parse_passwd_file(). I don’t really know C++ so I’m not having much luck. This would be a great feature if someone want to add it. For now, I'm going to have to use aws s3 sync and keep a cached copy of everything locally.

Using Temporary Security Credentials to Request Access to AWS Resources
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

<!-- gh-comment-id:413927740 --> @ifnull commented on GitHub (Aug 17, 2018): Ultimately it needs to be passed in the request header as `x-amz-security-token`. Which seems to be set in `S3fsCurl::AWSAccessToken`. I attempted to add support by adding the AWS `SessionToken` to `/etc/passwd-s3fs` as a key/value pair but found that it was going to be more work that just adding it to `parse_passwd_file()`. I don’t really know C++ so I’m not having much luck. This would be a great feature if someone want to add it. For now, I'm going to have to use `aws s3 sync` and keep a cached copy of everything locally. Using Temporary Security Credentials to Request Access to AWS Resources https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html

kerem commented 2026-03-04 01:44:53 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Jul 11, 2019):

Please test with -o use_session_token and reopen if this does not address your use case.

<!-- gh-comment-id:510293876 --> @gaul commented on GitHub (Jul 11, 2019): Please test with `-o use_session_token` and reopen if this does not address your use case.

kerem commented 2026-03-04 01:44:53 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

s3fs gaves me:
fuse: unknown option `use_session_token'

<!-- gh-comment-id:514805157 --> @ekarmazin commented on GitHub (Jul 24, 2019): s3fs gaves me: fuse: unknown option `use_session_token'

kerem commented 2026-03-04 01:44:53 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Jul 24, 2019):

Which version did you test with? No release version yet supports this; you have to compile from master.

<!-- gh-comment-id:514807138 --> @gaul commented on GitHub (Jul 24, 2019): Which version did you test with? No release version yet supports this; you have to compile from master.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

Oh ok, I've used 1.85, let me try master and get back to here.

<!-- gh-comment-id:514808801 --> @ekarmazin commented on GitHub (Jul 24, 2019): Oh ok, I've used 1.85, let me try master and get back to here.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

s3fs built from master branch, see latest commit:

Amazon Simple Storage Service File System V1.85 (commit:80972aa) with OpenSSL
Copyright (C) 2010 Randy Rizun rrizun@gmail.com
License GPL2: GNU GPL version 2 https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

s3fs error:

[CRT] s3fs.cpp:set_s3fs_log_level(297): change debug level from [CRT] to [INF]
[INF] s3fs.cpp:set_mountpoint_attribute(4379): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
fuse: unknown option `use_session_token'

<!-- gh-comment-id:514816390 --> @ekarmazin commented on GitHub (Jul 24, 2019): s3fs built from master branch, see latest commit: Amazon Simple Storage Service File System V1.85 (commit:80972aa) with OpenSSL Copyright (C) 2010 Randy Rizun <rrizun@gmail.com> License GPL2: GNU GPL version 2 <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. s3fs error: [CRT] s3fs.cpp:set_s3fs_log_level(297): change debug level from [CRT] to [INF] [INF] s3fs.cpp:set_mountpoint_attribute(4379): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755) fuse: unknown option `use_session_token'

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Jul 24, 2019):

I believe use_session_token goes in $HOME/.aws/credentials.

<!-- gh-comment-id:514822521 --> @gaul commented on GitHub (Jul 24, 2019): I believe `use_session_token` goes in `$HOME/.aws/credentials`.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

No, ~/.aws/credentials has different naming:

aws_access_key_id = KEY_GOES_HERE
aws_secret_access_key = SECRET_GOES_HERE
aws_session_token = TOKEN_GOES_HERE

I've tried to pass 'aws_session_token' in s3fs options but no luck, same error: fuse: unknown option `aws_session_token'

weird, but I see that feature in cpp listing:

if(profile != aws_profile){
return EXIT_FAILURE;
}
if (session_token.empty()) {
if (is_use_session_token) {
S3FS_PRN_EXIT("AWS session token was expected but wasn't provided in aws/credentials file for profile: %s.", aws_profile.c_str());
return EXIT_FAILURE;
}

But I am getting an error about 'no such option' instead of missing token or something.

<!-- gh-comment-id:514824101 --> @ekarmazin commented on GitHub (Jul 24, 2019): No, ~/.aws/credentials has different naming: aws_access_key_id = KEY_GOES_HERE aws_secret_access_key = SECRET_GOES_HERE aws_session_token = TOKEN_GOES_HERE I've tried to pass 'aws_session_token' in s3fs options but no luck, same error: fuse: unknown option `aws_session_token' weird, but I see that feature in cpp listing: if(profile != aws_profile){ return EXIT_FAILURE; } if (session_token.empty()) { if (is_use_session_token) { S3FS_PRN_EXIT("AWS session token was expected but wasn't provided in aws/credentials file for profile: %s.", aws_profile.c_str()); return EXIT_FAILURE; } But I am getting an error about 'no such option' instead of missing token or something.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Jul 24, 2019):

Sorry, $HOME/.aws/credentials should contain aws_session_token and the command-line flags should contain -o use_session_token.

<!-- gh-comment-id:514827401 --> @gaul commented on GitHub (Jul 24, 2019): Sorry, `$HOME/.aws/credentials` should contain `aws_session_token` and the command-line flags should contain `-o use_session_token`.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

Thats what I did, and got error not about incorrect or missing token but:

fuse: unknown option `use_session_token'

while specifying cli flag for s3fs built form master branch.

<!-- gh-comment-id:514829976 --> @ekarmazin commented on GitHub (Jul 24, 2019): Thats what I did, and got error not about incorrect or missing token but: fuse: unknown option `use_session_token' while specifying cli flag for s3fs built form master branch.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Jul 24, 2019):

How exactly do you involve s3fs? I see the following:

$ src/s3fs BUCKET PATH -f -o use_session_token
s3fs: AWS session token was expected but wasn't provided in aws/credentials file for profile: default.
s3fs: could not determine how to establish security credentials.

<!-- gh-comment-id:514830481 --> @gaul commented on GitHub (Jul 24, 2019): How exactly do you involve s3fs? I see the following: ``` $ src/s3fs BUCKET PATH -f -o use_session_token s3fs: AWS session token was expected but wasn't provided in aws/credentials file for profile: default. s3fs: could not determine how to establish security credentials. ```

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@juliogonzalez commented on GitHub (Jul 24, 2019):

Wild suggestion:

@ekarmazin keep in mind that if you are using /etc/fstab and you have both 1.85 and master build installed at the same time, most probably the system is using s3fs 1.85 and not master.

<!-- gh-comment-id:514833211 --> @juliogonzalez commented on GitHub (Jul 24, 2019): Wild suggestion: @ekarmazin keep in mind that if you are using `/etc/fstab` and you have both 1.85 and master build installed at the same time, most probably the system is using s3fs 1.85 and not master.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@ekarmazin commented on GitHub (Jul 24, 2019):

I am using docker containers and each build is a fresh one, so no version overlapping.

Here is my configs and how I run s3fs (git clone and make were done at /tmp):

/tmp/s3fs-fuse/src/s3fs MY_BUCKET_HERE /mnt -o use_session_token -o allow_other -o use_cache=/tmp -o profile="PROFILE_FORM_AWS_CREDS" -o use_path_request_style -o dbglevel=info -f -o curldbg

cat ~/.aws/credentials
[ACCOUNT-PROFILENAME]
aws_access_key_id     = ASOMEKEYHERE723B
aws_secret_access_key = wxENSOMESECURITYKEYHEREhw67dQW
aws_session_token     = FQoGLONGLONGTOKENHEREhTkFYNEYt

See commit #, the latest from master, so it was build from master branch:

s3fs --version
Amazon Simple Storage Service File System V1.85 (commit:80972aa) with OpenSSL
Copyright (C) 2010 Randy Rizun <rrizun@gmail.com>
License GPL2: GNU GPL version 2 <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Error I am getting:

[CRT] s3fs.cpp:set_s3fs_log_level(297): change debug level from [CRT] to [INF]
[INF]     s3fs.cpp:set_mountpoint_attribute(4379): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
fuse: unknown option `use_session_token'

Point me, what I am doing wrong. Here is how I compiled from src:

cd /tmp && \
git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \
cd s3fs-fuse && \
./autogen.sh && \
./configure  && \
make && \
make install

fuse version: 2.9.x

<!-- gh-comment-id:514837000 --> @ekarmazin commented on GitHub (Jul 24, 2019): I am using docker containers and each build is a fresh one, so no version overlapping. **Here is my configs and how I run s3fs (git clone and make were done at /tmp):** /tmp/s3fs-fuse/src/s3fs MY_BUCKET_HERE /mnt -o use_session_token -o allow_other -o use_cache=/tmp -o profile="PROFILE_FORM_AWS_CREDS" -o use_path_request_style -o dbglevel=info -f -o curldbg ``` cat ~/.aws/credentials [ACCOUNT-PROFILENAME] aws_access_key_id = ASOMEKEYHERE723B aws_secret_access_key = wxENSOMESECURITYKEYHEREhw67dQW aws_session_token = FQoGLONGLONGTOKENHEREhTkFYNEYt ``` **See commit #, the latest from master, so it was build from master branch:** ``` s3fs --version Amazon Simple Storage Service File System V1.85 (commit:80972aa) with OpenSSL Copyright (C) 2010 Randy Rizun <rrizun@gmail.com> License GPL2: GNU GPL version 2 <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. ``` **Error I am getting:** ``` [CRT] s3fs.cpp:set_s3fs_log_level(297): change debug level from [CRT] to [INF] [INF] s3fs.cpp:set_mountpoint_attribute(4379): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755) fuse: unknown option `use_session_token' ``` **Point me, what I am doing wrong. Here is how I compiled from src:** cd /tmp && \ git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \ cd s3fs-fuse && \ ./autogen.sh && \ ./configure && \ make && \ make install fuse version: 2.9.x

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@saurabhdas commented on GitHub (Nov 27, 2019):

Can this issue be re-opened? I'm facing the same problem: I get:

fuse: unknown option `use_session_token'

when I invoke s3fs with -o use_session_token.

<!-- gh-comment-id:559009109 --> @saurabhdas commented on GitHub (Nov 27, 2019): Can this issue be re-opened? I'm facing the same problem: I get: ```fuse: unknown option `use_session_token'``` when I invoke s3fs with `-o use_session_token`.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Nov 27, 2019):

Which version of s3fs do you use? This option only exists in master, not 1.85.

<!-- gh-comment-id:559071719 --> @gaul commented on GitHub (Nov 27, 2019): Which version of s3fs do you use? This option only exists in master, not 1.85.

kerem commented 2026-03-04 01:44:54 +03:00

Author

Owner

Copy link

@saurabhdas commented on GitHub (Dec 3, 2019):

For the s3fs installation, I am following the same procedure as @ekarmazin – compiling from source.

I later discovered that doing this works:

export AWSACCESSKEYID=${AWS_ACCESS_KEY_ID}
export AWSSECRETACCESSKEY=${AWS_SECRET_ACCESS_KEY}
export AWSSESSIONTOKEN=${AWS_SESSION_TOKEN}
s3fs -o retries=20 $S3_BUCKET $MOUNT_PATH

The -o use_session_token option causes a failure as documented above. Perhaps this is correct/intentional, however something in the documentation led me to believe that I needed to use -o use_session_token to enable this behaviour.

<!-- gh-comment-id:561111268 --> @saurabhdas commented on GitHub (Dec 3, 2019): For the s3fs installation, I am following the same procedure as @ekarmazin – compiling from source. I later discovered that doing this works: ``` export AWSACCESSKEYID=${AWS_ACCESS_KEY_ID} export AWSSECRETACCESSKEY=${AWS_SECRET_ACCESS_KEY} export AWSSESSIONTOKEN=${AWS_SESSION_TOKEN} s3fs -o retries=20 $S3_BUCKET $MOUNT_PATH ``` The `-o use_session_token` option causes a failure as documented above. Perhaps this is correct/intentional, however something in the documentation led me to believe that I needed to use `-o use_session_token` to enable this behaviour.

kerem commented 2026-03-04 01:44:55 +03:00

Author

Owner

Copy link

@wwhurley commented on GitHub (Jan 15, 2020):

I'm having the same issue. I'm pulling master from the repo, using Amazon Simple Storage Service File System V1.85 (commit:e0712f4) with OpenSSL with Fuse 2.9.7 and when running the command s3fs [BUCKET]:[PATH] [MOUNT] -f -o nonempty -o use_session_token I'm getting the error fuse: unknown option use_session_token'`

<!-- gh-comment-id:574879361 --> @wwhurley commented on GitHub (Jan 15, 2020): I'm having the same issue. I'm pulling master from the repo, using `Amazon Simple Storage Service File System V1.85 (commit:e0712f4) with OpenSSL` with Fuse 2.9.7 and when running the command `s3fs [BUCKET]:[PATH] [MOUNT] -f -o nonempty -o use_session_token` I'm getting the error `fuse: unknown option `use_session_token'`

kerem commented 2026-03-04 01:44:55 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Sep 10, 2020):

Could someone test with the latest master which includes a flag parsing fix?

<!-- gh-comment-id:690778787 --> @gaul commented on GitHub (Sep 10, 2020): Could someone test with the latest master which includes a flag parsing fix?

kerem commented 2026-03-04 01:44:55 +03:00

Author

Owner

Copy link

@llitz commented on GitHub (Sep 16, 2020):

Working fine for me with c58c91f

<!-- gh-comment-id:693719781 --> @llitz commented on GitHub (Sep 16, 2020): Working fine for me with c58c91f

kerem commented 2026-03-04 01:44:55 +03:00

Author

Owner

Copy link

@tiilikainen commented on GitHub (Oct 14, 2020):

Still does not work for me. I'm using the brew install version which bills itself as 1.87 with FUSE 2.9.7. However, --version displays commit:unknown.

<!-- gh-comment-id:708701432 --> @tiilikainen commented on GitHub (Oct 14, 2020): Still does not work for me. I'm using the `brew install` version which bills itself as 1.87 with FUSE 2.9.7. However, `--version` displays `commit:unknown`.

kerem commented 2026-03-04 01:44:55 +03:00

Author

Owner

Copy link

@gaul commented on GitHub (Oct 14, 2020):

@tiilikainen You will have to compile from master until 1.88 is released.

<!-- gh-comment-id:708705074 --> @gaul commented on GitHub (Oct 14, 2020): @tiilikainen You will have to compile from master until 1.88 is released.

kerem referenced this issue 2026-03-04 01:54:11 +03:00

[PR #371] [MERGED] Always set stats cache for opened file #1484

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.97

v1.96

v1.95

v1.94

v1.93

v1.92

v1.91

v1.90

v1.89

v1.88

v1.87

v1.86

v1.85

v1.84

v1.83

v1.82

v1.81

v1.80

v1.79

v1.78

Pre-v1.78

v1.77

v1.76

v1.75

v1.74

Labels

Clear labels   

bug

  

bug

  

dataloss

  

duplicate

  

enhancement

  

feature request

  

help wanted

  

invalid

  

need info

  

performance

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

testing

No labels

bug

bug

dataloss

duplicate

enhancement

feature request

help wanted

invalid

need info

performance

pull-request

question

question

testing

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/s3fs-fuse#371

No description provided.