Logical Directories not working with multiple users

0

Good day

I've implemented the custom IDP using the template (aws-transfer-custom-idp-secrets-manager-apig.template.yml) provided.
I've created a user in Secrets Manager and attached the role containing the policy below, in which I explicitly specify the user's username as the directory, indicated as "user1" for demonstration purposes. I am then able to successfully authenticate via SSH or username/password methods. I then created a new role/policy for a new user and specified the new user directory as "user2" in the policy. The problem is with the new user: it authenticates fine, however upon login it generates an "access denied" error and does not seem to place the user in the logical directory specified in Secrets Manager. This error persists with each new user I've attempted to create using the same details as the initial user1.

Please assist. I've attached the user format as inserted into Secrets Manager as well as the policy below for your perusal. Thanks

Secrets Manager user PLAINTEXT stored as "SFTP/user2" (HomeDirectoryDetails is a JSON string, so its inner quotes must be escaped):
{
  "Password": "password",
  "Role": "arn:aws:iam::111111111111:role/rolename",
  "PublicKey": "ssh-rsa AAAA",
  "HomeDirectoryType": "LOGICAL",
  "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/bucketname/user2\"}]"
}

POLICY :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/user2/in/",
        "arn:aws:s3:::bucketname/user2/out/"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucketname/user2/"
    }
  ]
}

Note: this policy works for our use case in that it allows a user to GET/PUT to the in/out folders but denies them PUT at their logical root. The S3 structure is as follows: bucketname/user2/folders, and again it works with the first user created as user1.

Thanks

zayneR
Asked 3 years ago, 255 views
2 answers
0

Hello zayneR,

Could you please send me a private message with the server id, region and the usernames (of the user which is working and one of the users who has an issue)?

Regards,
Panagiotis

Answered 3 years ago
0

For those wondering, the DENY statement in my policy was not necessary and needed to be replaced by the ALLOW statement below:

{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion"
  ],
  "Resource": "arn:aws:s3:::bucketname/user1/"
}

Thanks to PanagiotisI-AWS

zayneR
Answered 3 years ago
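To see why the explicit Deny in the question's policy was both unnecessary and the cause of the "access denied", here is an added example (not from the thread or from AWS) that applies simplified IAM evaluation rules to the posted policy before and after the fix. It assumes the resource ARNs exactly as posted (no wildcards) and a single identity policy with no bucket policy or SCPs involved.

```python
import fnmatch

BUCKET = "arn:aws:s3:::bucketname"
ROOT = f"{BUCKET}/user2/"  # the logical root key used in the question
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"]

# Statements common to the original and the fixed policy (from the question).
BASE = [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": OBJECT_ACTIONS,
     "Resource": [f"{BUCKET}/user2/in/", f"{BUCKET}/user2/out/"]},
]
DENY_ROOT = {"Effect": "Deny", "Action": OBJECT_ACTIONS, "Resource": ROOT}
ALLOW_ROOT_GET = {"Effect": "Allow",
                  "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ROOT}

BEFORE = {"Version": "2012-10-17", "Statement": BASE + [DENY_ROOT]}   # question
AFTER = {"Version": "2012-10-17", "Statement": BASE + [ALLOW_ROOT_GET]}  # accepted fix


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, action, resource):
    """Simplified IAM logic for one identity policy: a matching explicit Deny
    wins over any Allow; with no matching Allow the request is implicitly
    denied. IAM wildcards (* and ?) are matched with fnmatch."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def root_access(policy):
    """Decisions at the logical root: the read the fix grants, and the write
    the poster's use case must keep blocked."""
    return {"get": evaluate(policy, "s3:GetObject", ROOT),
            "put": evaluate(policy, "s3:PutObject", ROOT)}


if __name__ == "__main__":
    print("before:", root_access(BEFORE))  # both explicitly denied
    print("after: ", root_access(AFTER))   # get allowed, put still (implicitly) denied
```

The point the thread arrives at falls out directly: writes to the root were already blocked by the absence of an Allow, so the Deny only served to block the read that the logical-directory mapping needs.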
