Environment
- Cyberduck 9.5.0
- macOS 26.5.1
- Protocol: S3 (Credentials from AWS Command Line Interface)
Description
When using S3 (Credentials from AWS Command Line Interface) on macOS, Cyberduck creates a Session Token entry in the macOS Keychain.
Once this Keychain entry exists, reconnecting with the same bookmark consistently fails.
Deleting the corresponding Keychain entry immediately restores connectivity. However, the next successful connection recreates the Keychain entry and the problem returns.
AWS CLI configuration
The AWS CLI profile (~/.aws/credentials) is configured similar to:
```ini
[default]
aws_access_key_id = ...
aws_secret_access_key = ...
region = ...

[my-profile]
role_arn = ...
source_profile = default
region = ...
```
The Cyberduck bookmark is configured to use the AWS CLI profile my-profile.
Steps to reproduce
- Configure an AWS CLI profile as shown above.
- Create a bookmark using S3 (Credentials from AWS Command Line Interface).
- Connect successfully.
- Disconnect.
- Connect again using the same bookmark.
Actual result
The second connection fails.
Deleting the corresponding Session Token entry from the macOS Keychain immediately restores connectivity.
After connecting again, Cyberduck recreates the Keychain entry and subsequent reconnects fail again.
Expected result
Reconnecting with the bookmark should continue to work without requiring deletion of Keychain entries.
Additional observations
There appears to be different behaviour depending on how the bookmark is created.
Creating a bookmark directly
When creating a bookmark directly (Bookmarks → New Bookmark), there is no option to disable "Add to Keychain".
The resulting bookmark recreates the Session Token Keychain entry automatically.
Using "New Connection"
When creating the connection via New Connection, the dialog contains an "Add to Keychain" checkbox.
If this option is disabled before clicking Save, the resulting bookmark works correctly and no Session Token entry is created in the Keychain.
This provides a reliable workaround.
Workaround
- Delete existing S3 bookmarks.
- Delete the corresponding Session Token entry from the macOS Keychain.
- Create the connection using New Connection.
- Disable "Add to Keychain".
- Save the connection as a bookmark.
The bookmark reconnects successfully and no problematic Keychain entry is created.
Cleanup script
Replace my-profile with the name of your AWS CLI profile.
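```sh
# Find keychain accounts starting with "Session Token (my-profile)" and delete each one.
security dump-keychain | grep -i '"acct"<blob>="Session Token (my-profile)' | \
  sed -E 's/.*"acct"<blob>="([^"]+)".*/\1/' | \
  while IFS= read -r acct; do
    echo "Deleting: $acct"
    # -s is the server the entry is stored for, -a the account name extracted above
    security delete-internet-password -s "s3.amazonaws.com" -a "$acct"
  done
```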
Notes
The issue is fully reproducible on my system.
The trigger appears to be the creation of the Session Token entry in the macOS Keychain. As long as this entry does not exist (or "Add to Keychain" is disabled when creating the bookmark via New Connection), reconnecting works reliably.