Access denied using Transfer Family with Lambda Identity Provider

Question

Hi all, I need to create my SFTP service using AWS Transfer Family and Lambda as Identity Provider and S3 as Storage.

I created my Lambda function and authentication works but I can't show list of files.

My Node.js lambda is:

```
exports.handler = async (event) => {
    return {
        "Role":"arn:aws:iam::356173882118:role/sftp-access-s3"
    }
};

```

Identity provider testing response is:
```
{
    "Response": "{\"HomeDirectoryType\":\"PATH\",\"Role\":\"arn:aws:iam::356173882118:role/sftp-access-s3\",\"UserName\":\"dasdasd\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
    "StatusCode": 200,
    "Message": ""
}
```

My role sftp-access-s3 has a policy and a trust relationship:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
```

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

I can connect successfully with my ftp client but then i can't see the files. I receive this error:

```
Permission denied.
Error code: 3
Error message from server (US-ASCII): Access denied
```

On cloud Watch:

```
luca.1e5bad7f45e09f0b CONNECTED SourceIP=165.225.202.99 User=luca HomeDir=/ Client=SSH-2.0-WinSCP_release_5.17.10 Role=arn:aws:iam::356173882118:role/sftp-access-s3 UserPolicy="{\"Version\": \"2012-10-17\",\"Statement\": [  {\"Action\": [  \"s3:ListBucket\",  \"s3:GetBucketLocation\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket\"],\"Effect\": \"Allow\",\"Sid\": \"ReadWriteS3\"  },  {\"Action\": [  \"s3:PutObject\",  \"s3:GetObject\",  \"s3:DeleteObject\",  \"s3:DeleteObjectVersion\",  \"s3:GetObjectVersion\",  \"s3:GetObjectACL\",  \"s3:PutObjectACL\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket/*\"],\"Effect\": \"Allow\",\"Sid\": \"\"  }]}" Kex=ecdh-sha2-nistp256 Ciphers=aes256-ctr,aes256-ctr

luca.1e5bad7f45e09f0b ERROR Message="Access denied"
```

Could you please support me to solve the issue?

Thanks

Answer

Hello luk3tt0@,

Looking at the Test-IdentityProvider output, I don't see the HomeDirectory Field present. This would imply HomeDirectory as `/`. Further, the log snippet from CloudWatch also mentions the same: `User=luca HomeDir=/`.

When HomeDirectory is `/`, User lands in root of S3 where an `ls` operation lists all the buckets in their account. Since the permissions that you shared don't include `s3:ListAllMyBuckets` permission for `Resource: *` the operation returns Access Denied correctly. To resolve this: 
- Either update the User configuration to include the HomeDirectory Field to which you have granted permissions. 
- Or if you want to be able to list all buckets you have in your account, update the IAM Role permissions to have `s3:ListAllMyBuckets` for `Resource: *`.

Let me know if you have any other questions.

-- Sagar.

Access denied using Transfer Family with Lambda Identity Provider

Relevanter Inhalt