En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

AWS SFTP Custom authentication with API Gateway and EFS as backend storage.

0

I'm following the cloud formation template provided the below URL to create AWS SFTP service with custom Identity Provider as APi Gateway and Secret Manager to store the user credentials. The API gateway to integrate between SFTP Transfer server and lambda function that processes the gateway request and queries the Secret Manager.
Is the password authentication with custom Identity Provider as API Gateway and EFS specifically supported in AWS? If so, can someone hint me as to how to configure the store in Secret Manager to configure the UID, GID, Secondary GID? I'm specifically looking for help on this.
Most of the documentation talks only about Transfer family with S3 as backend storage including the examples on scope down policy etc.. Any help on this requirement is highly appreciated.

https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/

Sujets
Migration et modernisation
Balises
Transfert de famille AWS
Langue
English
srinathaws
demandé il y a 3 ans1180 vues
2 réponses
0

Hello srinathaws@,

To answer your question, Yes, Custom IDP with EFS is supported by AWS Transfer Family.
In regards to your question for setting up custom IDP with EFS, you can use the following parameters for your User configuration: (Adding Key:Value pairs)

Password: <password>
Role: arn:aws:iam::<account-id>:role/sftp-efs-full-access
HomeDirectoryType: LOGICAL
HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]
PosixProfile: {"Uid": 123, "Gid": 456,"SecondaryGids": []}

Further, the default Lambda code doesn't include PosixProfile in its response to API Gateway. And therefore, you would have to update it such that it fetches PosixProfile from Secrets Manager and forwards it. Following are 2 lines you can add within the Lambda code. Typically, you would want to add them at the same place where you fetch the Role details from the Secret.

Example: 

if 'Role' in resp_dict:
        resp_data['Role'] = resp_dict['Role']
    else:
        print("No field match for role - Set empty string in response")
        resp_data['Role'] = ''

if 'PosixProfile' in resp_dict:
        resp_data['PosixProfile'] = json.loads(resp_dict['PosixProfile'])

Let me know if you have questions.

  • Sagar
AWS
EXPERT
sagarb-aws
répondu il y a 3 ans
0

Hello,

I have stored the "PosixProfile" in the Lambda code, but it only works with this syntax: if PosixProfile: posixprofile = lookup(secret_dict, "PosixProfile", input_protocol) if posixprofile: response_data["PosixProfile"] = json.loads(posixprofile)

Unfortunately, I can't connect to the EFS using FileZila: Error message in the log: AUTH_FAILURE Method=password User=-efs Message="HomeDirectory must be an absolute path starting with '/'" SourceIP=

I have the assumption that something has changed with these keys: HomeDirectoryType: LOGICAL HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]

I followed this guide: https://aws.amazon.com/en/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

BR

rePost-User-9563923
répondu il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents