Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen

Access denied using Transfer Family with Lambda Identity Provider

0

Hi all, I need to create my SFTP service using AWS Transfer Family and Lambda as Identity Provider and S3 as Storage.

I created my Lambda function and authentication works but I can't show list of files.

My Node.js lambda is:

exports.handler = async (event) => {
    return {
        "Role":"arn:aws:iam::356173882118:role/sftp-access-s3"
    }
};

Identity provider testing response is:

{
    "Response": "{\"HomeDirectoryType\":\"PATH\",\"Role\":\"arn:aws:iam::356173882118:role/sftp-access-s3\",\"UserName\":\"dasdasd\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
    "StatusCode": 200,
    "Message": ""
}

My role sftp-access-s3 has a policy and a trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I can connect successfully with my ftp client but then i can't see the files. I receive this error:

Permission denied.
Error code: 3
Error message from server (US-ASCII): Access denied

On cloud Watch:

luca.1e5bad7f45e09f0b CONNECTED SourceIP=165.225.202.99 User=luca HomeDir=/ Client=SSH-2.0-WinSCP_release_5.17.10 Role=arn:aws:iam::356173882118:role/sftp-access-s3 UserPolicy="{\"Version\": \"2012-10-17\",\"Statement\": [  {\"Action\": [  \"s3:ListBucket\",  \"s3:GetBucketLocation\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket\"],\"Effect\": \"Allow\",\"Sid\": \"ReadWriteS3\"  },  {\"Action\": [  \"s3:PutObject\",  \"s3:GetObject\",  \"s3:DeleteObject\",  \"s3:DeleteObjectVersion\",  \"s3:GetObjectVersion\",  \"s3:GetObjectACL\",  \"s3:PutObjectACL\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket/*\"],\"Effect\": \"Allow\",\"Sid\": \"\"  }]}" Kex=ecdh-sha2-nistp256 Ciphers=aes256-ctr,aes256-ctr

luca.1e5bad7f45e09f0b ERROR Message="Access denied"

Could you please support me to solve the issue?

Thanks

gefragt vor 2 Jahren532 Aufrufe
1 Antwort
0

Hello luk3tt0@,

Looking at the Test-IdentityProvider output, I don't see the HomeDirectory Field present. This would imply HomeDirectory as /. Further, the log snippet from CloudWatch also mentions the same: User=luca HomeDir=/.

When HomeDirectory is /, User lands in root of S3 where an ls operation lists all the buckets in their account. Since the permissions that you shared don't include s3:ListAllMyBuckets permission for Resource: * the operation returns Access Denied correctly. To resolve this:

  • Either update the User configuration to include the HomeDirectory Field to which you have granted permissions.
  • Or if you want to be able to list all buckets you have in your account, update the IAM Role permissions to have s3:ListAllMyBuckets for Resource: *.

Let me know if you have any other questions.

-- Sagar.

AWS
EXPERTE
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen