Custom Identity Provider - works until Policy is defined?

Question

Hi, I've got a server setup with a custom identity provider running a lambda function.  With only a Role defined in the response, my user can log in (but of course has more access than is desired).  
  
When I add the Policy inline to the lambda response, the login fails.  
  
Testing with test-identity-provider yields 200 success when no Policy is defined.  However, when a Policy is defined (it seems any policy, with or without variables) testing with test-identity-provider I get the following:  
  
"Message": "Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_OBJECT). Response Code: 200, Response Text: OK",  
    "StatusCode": 500,  
  
The policy I'm using is not special, just an example found online:

```
  const policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "in/${transfer:UserName}/*",
                        "in/${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
         }
    ]
};
```

and later:

```
    response = {
      Role: 'my_role_arn',
      Policy: policy,  
      HomeDirectory: '/my-bucket/in/myuser', 
    };
```

Anybody got any hints about what I'm doing wrong?  
Thanks.  
  
Edited by: TTF2019 on Apr 13, 2019 5:10 AM

Accepted Answer

Hey,  
  
I think your problem is the policy type. You need to return the json string, rather than the object.

Answer

Thanks!  
  
Changing the last part to this fixed the issue by making the policy a string.

```
response = {
      Role: 'my_role_arn',
      Policy: JSON.stringify(policy),  
      HomeDirectory: '/my-bucket/in/myuser', 
    };
```

Answer

PriorityITS:  
  
Are you still seeing issues using Scope Down Policy with with your Custom Identity Provider integration? I'm not sure if you are aware, but with our recent logical directories for S3 feature you can control access by mapping S3 paths to end user visible paths. That way only those portions of your S3 bucket would be visible to them. Here are a few resources to get started:  
1. The announcement for this feature (for use cases where it's applicable): https://aws.amazon.com/about-aws/whats-new/2019/09/aws-transfer-for-sftp-now-supports-logical-directories-for-amazon-s3/  
2. Blog post on how to "chroot" your users to a designated folder:https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/  
3. Building a data distribution service using logical directories:https://aws.amazon.com/blogs/storage/using-aws-sftp-logical-directories-to-build-a-simple-data-distribution-service/  
  
Please let me know if you have any questions or want to provide me details on your use case over private message.  
  
Thanks,  
Smitha

Answer

Where did you change the json stringify?

Custom Identity Provider - works until Policy is defined?

関連するコンテンツ