Logical Directories not working with multiple users

0

Good day

I've implemented the custom IDP using the template (aws-transfer-custom-idp-secrets-manager-apig.template.yml) provided.
I've created a user in Secrets Manager and attached the role containing the policy below, in which I explicitly specify the user's username as the directory, indicated as "user1" for demonstration purposes. I am then able to successfully authenticate via SSH or username/password methods. I then created a new role/policy for a new user and specified the new user's directory as "user2" in the policy. The problem is that the new user authenticates fine; however, upon login it generates an "access denied" error and does not seem to place the user in the logical directory specified in Secrets Manager. This error persists with each new user I've attempted to create using the same details as the initial user1. Please assist; I've attached the user format as inserted into Secrets Manager as well as the policy below for your perusal. Thanks

Secrets Manager user PLAINTEXT stored as "SFTP/user2":
{
  "Password": "password",
  "Role": "arn:aws:iam::111111111111:role/rolename",
  "PublicKey": "ssh-rsa AAAA",
  "HomeDirectoryType": "LOGICAL",
  "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/bucketname/user2\"}]"
}

POLICY:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/user2/in/",
        "arn:aws:s3:::bucketname/user2/out/"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucketname/user2/"
    }
  ]
}

Note that this policy works for our use case in that it allows a user to GET/PUT to the in/out folders but denies them PUT at their logical root. The S3 structure is as follows: bucketname/user2/folders, and again it works with the first user created, user1.

Thanks

zayneR
asked 3 years ago, 255 views
2 Answers
0

Hello zayneR,

Could you please send me a private message with the server id, region and the usernames (of the user which is working and one of the users who has an issue)?

Regards,
Panagiotis

answered 3 years ago
0

For those wondering, the DENY statement in my policy was not necessary and needed to be replaced by the ALLOW statement below:

{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion"
  ],
  "Resource": "arn:aws:s3:::bucketname/user1/"
}

Thanks to PanagiotisI-AWS

zayneR
answered 3 years ago
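To see why the original Deny statement breaks the logical root while the replacement Allow does not, here is an added, constructed example (not code from the thread or from AWS): a deliberately simplified IAM policy evaluator that applies "explicit Deny wins, otherwise an Allow must match, otherwise implicit deny" and runs both policy shapes against the root key. The bucket and user names are the sample values from the post, and the in/out ARNs are assumed to end in a `*` wildcard so that objects under those prefixes match; conditions, NotAction/NotResource and Principal are intentionally not modelled.

```python
import fnmatch
import json

# Constructed, simplified IAM evaluation: explicit Deny beats Allow, and a
# request that matches no Allow is implicitly denied. This is an added
# illustration, not AWS's real evaluation logic (no Conditions, NotAction,
# NotResource or Principal handling).

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource_arn):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # an explicit deny cannot be overridden by any Allow
        decision = "allow"
    return decision

BUCKET = "arn:aws:s3:::bucketname"     # sample bucket name from the post
ROOT_KEY = BUCKET + "/user2/"          # the logical root's own object key
READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]

def root_statement(effect, actions):
    return {"Sid": "Root", "Effect": effect, "Action": actions, "Resource": ROOT_KEY}

# Assumption: in/out resources carry a trailing '*' so objects inside them match.
BASE_STATEMENTS = [
    {"Sid": "List", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Sid": "InOut", "Effect": "Allow", "Action": READ_ACTIONS + WRITE_ACTIONS,
     "Resource": [BUCKET + "/user2/in/*", BUCKET + "/user2/out/*"]},
]
# Shape of the original policy: explicit Deny on the root key.
ORIGINAL = {"Version": "2012-10-17",
            "Statement": BASE_STATEMENTS + [root_statement("Deny", READ_ACTIONS + WRITE_ACTIONS)]}
# Shape of the fix from the answer: Allow GetObject/GetObjectVersion on the root key only.
FIXED = {"Version": "2012-10-17",
         "Statement": BASE_STATEMENTS + [root_statement("Allow", READ_ACTIONS)]}

def root_access(policy):
    """Decision for each object action against the root key under the given policy."""
    return {a: evaluate(policy, a, ROOT_KEY) for a in READ_ACTIONS + WRITE_ACTIONS}

if __name__ == "__main__":
    print(json.dumps({"original": root_access(ORIGINAL), "fixed": root_access(FIXED)}, indent=2))
```

Writes at the root remain denied under the fixed policy, but by omission rather than by an explicit Deny, so the root read that the answer adds is no longer blocked.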
