AWS SFTP with Okta

0

I know Okta can be used as an auth provider with AWS SFTP, but can Okta handle the logical directory mapping so users don't have to see the entire S3 path?

Asked 3 years ago, 628 views
2 answers
0

Hello cloudminion,

Thank you for reaching out to us.

As you already know, Okta can be used as an auth provider, which means that from the Lambda function you can make an API call and check whether the user is authenticated or not. After the user is authenticated, you can build logic in the Lambda function to return the HomeDirectoryMappings. If you are going to use a single mapping to restrict each user to his home directory, then you can return back a single Entry/Target pair and set the target to "/mybucket/${Transfer:UserName}". By doing so, each user who is authenticated will be restricted to his home folder, as the variable "Transfer:UserName" will be replaced with the username. If the mapping is more complex or different for each user, you can also use e.g. DynamoDB to store the mapping for the user, do a query with the username and return the mapping back.

You may also use custom attributes on your users in Okta and configure the mapping on each user; however, you may need to do multiple API calls from the Lambda (one to authenticate the user and one to get the custom attributes), and you also need to modify the users in Okta, which might not be convenient for you.
-- https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm

Lastly, I would recommend using one of the CloudFormation templates we have which integrates with Secrets Manager, so you can easily configure your users and the mapping for each user in Secrets Manager. We have a blog with all the steps on how to run the template and configure your users in Secrets Manager.
-- https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

Please let me know if you have any questions.

Regards,
Panagiotis

Answered 3 years ago
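The Lambda logic described in the answer above, as an added example that is not part of the original post or any AWS template: the handler verifies the credentials through an injected authenticator (a real deployment would call Okta there), then returns a LOGICAL home directory whose Target uses the `${Transfer:UserName}` variable so each user lands in their own prefix. The bucket name, role ARN, sample users and per-user mappings are constructed placeholders.

```python
import json
from typing import Callable, Dict, List

# Constructed placeholders; replace with your own bucket and IAM role.
BUCKET = "example-bucket"
TRANSFER_ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"

# Constructed per-user overrides, standing in for a DynamoDB lookup.
# Users without an entry fall back to the single-mapping default.
USER_MAPPINGS: Dict[str, List[dict]] = {
    "alice": [
        {"Entry": "/", "Target": f"/{BUCKET}/alice"},
        {"Entry": "/shared-reports", "Target": f"/{BUCKET}/shared/reports"},
    ],
}
# Transfer Family substitutes ${Transfer:UserName} at session time, so the
# same entry confines every other user to their own prefix.
DEFAULT_MAPPING = [{"Entry": "/", "Target": f"/{BUCKET}/${{Transfer:UserName}}"}]

# Constructed stand-in for the Okta check; never keep credentials in code.
_CONSTRUCTED_USERS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}

def stub_authenticate(username: str, password: str) -> bool:
    """Placeholder for an Okta primary-authentication call (POST /api/v1/authn)."""
    return _CONSTRUCTED_USERS.get(username) == password

def mappings_for(username: str) -> List[dict]:
    return USER_MAPPINGS.get(username, DEFAULT_MAPPING)

def build_response(username: str) -> dict:
    """Response shape Transfer Family expects from a custom identity provider."""
    return {
        "Role": TRANSFER_ROLE_ARN,
        "HomeDirectoryType": "LOGICAL",
        # HomeDirectoryDetails must be a JSON *string*, not a nested list.
        "HomeDirectoryDetails": json.dumps(mappings_for(username)),
    }

def home_directory_entries(response: dict) -> List[dict]:
    """Decode HomeDirectoryDetails back into a list (handy for tests and logging)."""
    return json.loads(response["HomeDirectoryDetails"])

def lambda_handler(event: dict, context=None,
                   authenticate: Callable[[str, str], bool] = stub_authenticate) -> dict:
    username = event.get("username", "")
    password = event.get("password", "")
    # An empty object tells Transfer Family the login failed; it must not
    # leak whether the username or the password was wrong.
    if not username or not password or not authenticate(username, password):
        return {}
    return build_response(username)
```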
0

Thanks for the answer, that does help with our problem statement. Do you have a CFN template for SFTP deployment with Okta and user mappings?

Answered 3 years ago
