Hi there,
Transfer Family needs to discover the "named secret" before failing back to the "default secret". I suspect you need to grant access to all secrets for a Transfer Family server and not only to the default secret. Try changing the Resource to:
arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/*
instead of:
arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/@pgp-default-....
I hope this helps.
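To see why the narrower Resource fails, it helps to model the lookup order this answer describes (named secret first, then the default) against IAM's resource wildcard matching. The following is an added example, not code from the thread or from AWS; the account, server and user identifiers, the six-character suffix that Secrets Manager appends to secret ARNs, and the `aws/transfer/{serverId}/{userName}` path for the per-user secret are constructed or assumed here. It also goes one step beyond the thread by comparing the per-server wildcard with the all-servers wildcard suggested in the other answer.

```python
import re

# Constructed sample identifiers (not taken from the original thread).
REGION = "eu-west-3"
ACCOUNT_ID = "123456789012"
SERVER_ID = "s-0123456789abcdef0"
OTHER_SERVER_ID = "s-fedcba9876543210f"


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against an IAM Resource pattern.

    IAM treats '*' as any run of characters (it crosses ARN segments, so it
    also matches '/' and ':') and '?' as exactly one character; everything
    else is literal and case-sensitive.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def is_allowed(resources, arn: str) -> bool:
    """True if any Resource entry of an Allow statement matches the ARN."""
    return any(iam_resource_matches(p, arn) for p in resources)


def secret_arn(name: str, suffix: str = "AbCdEf") -> str:
    """Build a Secrets Manager ARN. Secrets Manager appends '-' plus six
    random characters to the secret name; the suffix here is constructed."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name}-{suffix}"


def pgp_lookup_order(resources, user_name: str):
    """Model the lookup order the answer above describes: the per-user
    ("named") secret is tried first, then the @pgp-default secret.

    Returns [(secret_name, allowed_by_policy), ...] in lookup order. A denied
    first lookup is an access error, not a not-found, so no fallback happens.
    The per-user path is an assumption; the @pgp-default path is from the thread.
    """
    named = f"aws/transfer/{SERVER_ID}/{user_name}"
    default = f"aws/transfer/{SERVER_ID}/@pgp-default"
    return [
        (named, is_allowed(resources, secret_arn(named))),
        (default, is_allowed(resources, secret_arn(default))),
    ]


def other_server_allowed(resources) -> bool:
    """Does the policy also reach the default secret of a different server?
    Used to compare the blast radius of the two wildcard forms."""
    return is_allowed(resources, secret_arn(f"aws/transfer/{OTHER_SERVER_ID}/@pgp-default"))


# The three Resource shapes discussed in the thread (ARNs constructed).
NARROW = [secret_arn(f"aws/transfer/{SERVER_ID}/@pgp-default")]          # default secret only
PER_SERVER = [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:aws/transfer/{SERVER_ID}/*"]
ALL_SERVERS = [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:aws/transfer/*"]


if __name__ == "__main__":
    for label, resources in (("narrow", NARROW), ("per-server", PER_SERVER), ("all-servers", ALL_SERVERS)):
        print(f"{label}:")
        for name, ok in pgp_lookup_order(resources, "alice"):
            print(f"  {name}: {'allowed' if ok else 'DENIED'}")
        print(f"  reaches other server's secret: {other_server_allowed(resources)}")
```

With the narrow Resource the first lookup (the per-user secret) is denied, which is exactly the failure before any fallback can occur; the per-server wildcard allows both lookups while still not reaching secrets of other servers, which is why it is the tighter of the two wildcard forms to grant the workflow role.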
Hi there,
It seems like the IAM role configured for the managed workflows is missing the necessary permissions to access the PGP key stored in AWS Secrets Manager. Make sure that in the IAM policy attached to the IAM role you have a statement similar to the one below:
{
"Sid": "Decrypt",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:region:account-ID:secret:aws/transfer/*"
}
Please review the required permissions here: https://docs.aws.amazon.com/transfer/latest/userguide/workflow-execution-role.html#example-workflow-role-copy-tag
You might also take a look at this AWS blog post: https://aws.amazon.com/blogs/storage/encrypt-and-decrypt-files-with-pgp-and-aws-transfer-family/
I hope this helps. Fabio
Hi Fabio,
Thanks for your answer. Actually, the workflow role used defines access to the secret @pgp-default:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"secretsmanager:GetSecretValue",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:secretsmanager:eu-west-3:{accountId}:secret:aws/transfer/{serverId}/@pgp-default-....",
"...",
"arn:aws:s3:::{bucket}",
"arn:aws:s3:::{bucket}/*"
]
}
]
}
If I create a dedicated named secret for the user (and adapt the role), everything works smoothly. It seems like the workflow does not fall back on the "default" secret when the one for a dedicated user is not found.
Hi Fabio,
Looks like evidence when reading your comment. Will give it a try.
Thanks a lot!