AWS File Transfer Family Server and IAM role setup


Hi All,

We have set up an AWS Transfer Family server with AWS Directory Service (connected to Microsoft AD) authentication. Per our use case, once a user logs in to SFTP, the user should be able to see two directories within their own folder: {username}/folder1 and {username}/folder2.

I have set up the access policy below and the IAM policy (attached to S3).

create-access CLI:

aws transfer create-access \
    --home-directory-type LOGICAL \
    --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1" },{ "Entry": "/folder2", "Target":"/bucket_name/${transfer:UserName}/folder2"}]' \
    --role arn:aws:iam::account_id:role/iam_role \
    --server-id s-1234567876454ert \
    --external-id S-1-2-34-56789123-12345678-1234567898-1234

The access policy was created successfully.

The IAM role below is attached to the S3 bucket and the file transfer server.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/${transfer:UserName}/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}

When users log in to SFTP, they do not see folder1 and folder2 in their own directory. Can anyone help if anything is missing in the IAM policy?

Thank You

3 answers

Does the IAM role have permissions to folder1 and folder2 locally?

Answered 2 years ago
  • Hi @jschwar313

    Thanks for the reply. Yes, the IAM role has permission to all folders within the user directory: "arn:aws:s3:::bucket_name/${transfer:UserName}/*"

    When a user logs in, they land in their own directory (based on username), but the "folder1" and "folder2" directories are missing. I checked directly in the S3 bucket as well with admin access and don't see the directories auto-created under the username folder. However, the folder based on the username is created automatically in S3.


Hello,

Thank you for your response. I understand that the SFTP user is unable to see "folder1" and "folder2" when connected.

Please note that these folders need to be created in S3 first; these sub-folders are not automatically created on your behalf.

I tested a setup at my end to validate this configuration. If these folders are not pre-created in S3, then the SFTP user will not be able to see them when connected via SFTP.

We request that you create "folder1" and "folder2" under the "${transfer:UserName}" prefix in the S3 bucket and then try to reconnect from SFTP.

Thank you.

AWS Support Engineer
Answered 2 years ago

I tried to create a folder under the "${transfer:UserName}" prefix, but it does not allow it. I am sure I am doing something wrong. We have 3000 users, and each user will land in their own directory only and should see "folder1" and "folder2"; that is the use case.

Error

Answered 1 year ago
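The support answer above says the sub-folders must already exist in S3, and the follow-up shows the trap: `${transfer:UserName}` is a placeholder that Transfer Family substitutes with the real user name at login, so the marker objects have to be created under each actual user name (for example `alice/folder1/`), not under the literal string `${transfer:UserName}`. S3 has no real directories; a "folder" is simply a zero-byte object whose key ends in `/`, or any object that shares that prefix. The script below is an added example, not code from the thread or from AWS: it pre-creates the two marker objects for a list of user names and is idempotent, so it can be run across all 3000 users and re-run safely. The bucket name and sub-folder names are taken from the thread; the user names and the in-memory `FakeS3` client are constructed so the demo runs offline, and in real use you would pass `boto3.client("s3")` instead.

```python
"""
Pre-create the per-user sub-folder prefixes that a Transfer Family LOGICAL
home-directory mapping expects to find in S3.

The mapping Target "/bucket_name/${transfer:UserName}/folder1" is resolved at
login with the real user name substituted, so the marker objects must exist
under e.g. "alice/folder1/", never under the literal "${transfer:UserName}".
"""
from __future__ import annotations

BUCKET = "bucket_name"                # bucket name used in the thread
SUBFOLDERS = ("folder1", "folder2")   # sub-folders every user should see


def folder_keys(username: str, subfolders=SUBFOLDERS) -> list[str]:
    """Keys of the zero-byte marker objects for one user."""
    # Reject names that would escape the per-user prefix or that are the
    # unsubstituted placeholder (the mistake made in the thread).
    if not username or "/" in username or username.startswith("${"):
        raise ValueError(f"refusing suspicious user name: {username!r}")
    return [f"{username}/{sub}/" for sub in subfolders]


def ensure_user_folders(s3, bucket: str, username: str,
                        subfolders=SUBFOLDERS) -> dict[str, bool]:
    """Create any missing marker objects for one user.

    Returns {key: True if created, False if the prefix already existed}.
    An existing object anywhere under the prefix counts as present, because
    S3 and Transfer Family already list the folder in that case.
    """
    result: dict[str, bool] = {}
    for key in folder_keys(username, subfolders):
        resp = s3.list_objects_v2(Bucket=bucket, Prefix=key, MaxKeys=1)
        if resp.get("KeyCount", 0) > 0:
            result[key] = False
            continue
        s3.put_object(Bucket=bucket, Key=key, Body=b"")
        result[key] = True
    return result


def provision(s3, bucket: str, usernames,
              subfolders=SUBFOLDERS) -> dict[str, dict[str, bool]]:
    """Run ensure_user_folders for every user; returns a per-user report."""
    return {u: ensure_user_folders(s3, bucket, u, subfolders) for u in usernames}


class FakeS3:
    """Minimal in-memory stand-in for the boto3 S3 client (constructed for
    this offline demo; only the two calls used above are implemented)."""

    def __init__(self, keys=()):
        self.objects: dict[str, bytes] = {k: b"" for k in keys}

    def list_objects_v2(self, Bucket, Prefix="", MaxKeys=1000):
        matches = sorted(k for k in self.objects if k.startswith(Prefix))[:MaxKeys]
        return {"KeyCount": len(matches), "Contents": [{"Key": k} for k in matches]}

    def put_object(self, Bucket, Key, Body=b""):
        self.objects[Key] = Body
        return {}


if __name__ == "__main__":
    # Real use: import boto3; s3 = boto3.client("s3"); usernames from AD export.
    s3 = FakeS3(keys=["alice/folder1/"])          # constructed: alice has folder1 already
    report = provision(s3, BUCKET, ["alice", "bob"])  # constructed user names
    for user, keys in report.items():
        for key, created in keys.items():
            print(f"{'created' if created else 'exists '} s3://{BUCKET}/{key}")
```

The credentials this script runs under are separate from the Transfer Family role: they need `s3:ListBucket` on the bucket and `s3:PutObject` on `bucket_name/*`, which is administrative access that the per-user Transfer role should not have. Once the markers exist, the LOGICAL mapping from the question shows `folder1` and `folder2` as the only entries in each user's home, and the role's object permissions are still scoped to `bucket_name/${transfer:UserName}/*`.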
