Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Transfer Family default PGP secret

0

Wondering how to use the capacity of a decrypt file step in a workflow to use a default pgp private key as described in the documentation: https://docs.aws.amazon.com/transfer/latest/userguide/key-management.html#manage-pgp-keys Secret is stored with the name: aws/transfer/{server-id}/@pgp-default

Logs from workflow: User: {arn-role} is not authorized to perform: secretsmanager:GetSecretValue on resource: aws/transfer/{server-id}/{username} because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: ; Proxy: null)

Any advice would be much appreciated.

Themen
Migration und Modernisierung
Tags
AWS Transfer for SFTPAWS Transfer Family
Sprache
English
Olivier
gefragt vor 7 Monaten597 Aufrufe
3 Antworten
0

Hi there,

Transfer Family needs to discover the "named secret" before failing back to the "default secret". I suspect you need to grant access to all secrets for a Transfer Family server and not only to the default secret. Try changing the Resource to:

arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/*"

instead of:

arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/@pgp-default-...."

I hope this helps.

AWS
Fabio_L
beantwortet vor 7 Monaten
  • Olivier
    vor 7 Monaten

    Hi Fabio,

    Looks like an evidence when reading your comment. Will give it a try.

    Thanks a lot !

0

Hi there,

It seems like the IAM role configured for the managed workflows is missing the necessary permissions to access the PGP key stored in AWS Secrets Manager. Make sure that in the IAM policy attached to the IAM role you have a statement similar to the one below:

{
        "Sid": "Decrypt",
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetSecretValue"
        ],
        "Resource": "arn:aws:secretsmanager:region:account-ID:secret:aws/transfer/*"
}

Please review the required permissions here: https://docs.aws.amazon.com/transfer/latest/userguide/workflow-execution-role.html#example-workflow-role-copy-tag You might also take a look at this AWS blog post: https://aws.amazon.com/blogs/storage/encrypt-and-decrypt-files-with-pgp-and-aws-transfer-family/

I hope this helps. Fabio

AWS
Fabio_L
beantwortet vor 7 Monaten
0

Hi Fabio,

Thanks for your answer. Actually, the workflow role used define access to the secret @pgp-default:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "secretsmanager:GetSecretValue",
                "s3:GetObjectTagging",
                "s3:ListBucket",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/@pgp-default-....",
                "...",
                "arn:aws:s3:::{bucket}",
                "arn:aws:s3:::{bucket}/*",
            ]
        }
    ]
}

If I create a dedicated named secret for user (and adapt role), everything works smoothly. Seems like the workflow do not fallback on the "default" secret when the one for a dedicated user is not found.

Olivier
beantwortet vor 7 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt