Using Cyberduck to connect to a Craft Cloud AWS S3 bucket
Craft Cloud provides asset storage through AWS S3 with file level access available through temporary S3 credentials and a session token which lasts for an hour. Unlike using a client ID and secret key the authentication method is a bit different. Here’s how you can use Cyberduck to connect to an Amazon S3 bucket with these temporary credentials.
You will first need to use a different S3 profile to the default provided as the default S3 profile won’t work with session tokens.
Enabling the AWS Command Line Interface profile
In Cyberduck go to Edit > Preferences > Profiles and enable “S3 (Credentials from AWS Command Line Interface)”.
Tick the profile to enable it for use as a connection.
Note: If you see other documentation/guides mentioning “S3 (Credentials from AWS Security Token Service)” this is an older reference to a previous profile, which the AWS Command Line Interface profile has replaced.
Getting your AWS S3 credentials
Under Craft Cloud, you can get your temporary AWS S3 credentials by going to console.craftcms.com, selecting the Craft Cloud project, select the environment required, then go to: Access > Asset Storage
Generate your credentials using the button, you will want to use the credentials for S3-Compatiable clients, rather than the AWS CLI credentials. These credentials have a lifespan of 1 hour.
Cyberduck uses the .aws/credentials file, to maintain profiles under the Command Line Interface profile option.
If you don’t have a .aws/crendentials file. You can create it at the following path:
- Windows: %USERPROFILE%\.aws\credentials
- MacOS: ~/.aws/credentials
From the Craft Cloud credentials page, find the credentials section and add the contents into your credentials file. It should be in the format of:
[example-profile]
aws_access_key_id = example_access_key_id
aws_secret_access_key = example_secret_access_key
aws_session_token = example_session_token
region = eu-central-1Make sure region matches your S3 bucket location too.
Connecting to your S3 bucket
Now it is time to setup a connection to your S3 bucket. Select Open Connection.
- Server: The Craft Cloud S3 region e.g. s3.eu-central-1.amazonaws.com.
- Profile name: The profile handle set in .aws/credentials.
- Path: You should set this to the UUID of your asset storage bucket to prevent permissions errors.
For path, you can find the UUID of your S3 bucket by looking at the endpoint value provided by Craft Cloud on the Asset Storage page e.g. https://{uuid}.s3.eu-central-1.amazonaws.com.
If you have multiple environments under a project, you will potentially see multiple folders under the bucket. If you’d like to view just the specific environments storage, on the path value, you can append the CRAFT_CLOUD_ENVIRONMENT_ID. You can find this under Variables > System Variables
Asset storage on Craft Cloud is under a single AWS S3 bucket, but separates each environments asset storage by the UUID value of the enviroment as a folder.
With the connection setup, you now add a bookmark in Cyberduck by going to Action > New Bookmark.
Note: Your AWS S3 credentials are only valid for 1 hour, so you will need to replace the profile information in .aws/credentials when they expire, you can just get new credentials from the Craft Console dashboard.
For a purely command line approach, you can use the AWS CLI with the s3 sync command, which is often quicker for non-interactive syncing for both local to remote or remote to local.
