I want my AWS Transfer Family server in my account to access an Amazon Elastic File System (Amazon EFS) file system in another AWS account. I also want to set up my Transfer Family server with cross-account access to the Amazon EFS file system.
Resolution
Follow these steps:
- Create an AWS Identity and Access Management (IAM) role in account A with access to the file system in account B.
- Create a Transfer Family server user that's configured with the IAM role in account A.
- Verify that your Transfer Family server user in account A can access the file system in account B.
Note: The AWS Transfer Family console shows only the Amazon EFS file system in the same account. To use your Transfer Family server with a file system in another account, use the AWS Command Line Interface (AWS CLI) or an AWS SDK.
Create an IAM role in account A with access to the file system
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
- Create an IAM role for your server users. For the role's IAM policy, use the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RootFileSystemAccess",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
    }
  ]
}
- Add a file system policy to the file system in account B that grants permission to the IAM role from account A that you created in the previous step:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EFS-TransferFamily",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountA-id:role/RoleName"
      },
      "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
    }
  ]
}
Create a Transfer Family server user with the IAM role in account A
Use the following AWS CLI create-user command to create a Transfer Family user:
$ aws transfer create-user --user-name "sftp" --server-id "SERVER-ID" \
    --role "arn:aws:iam::accountA-id:role/RoleName" --home-directory "/file-system-id/username"
The command returns the server ID and the user that you created similar to the following:
{
  "ServerId": "MY_SERVER_ID",
  "UserName": "MY_SERVER_USER_NAME"
}
Verify that your Transfer Family server user in account A can access the file system in account B
- Connect to your server as the user that you created. For example, this OpenSSH command connects to an SFTP server:
$ sftp -i myserveruser MY_SERVER_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com
- List the user's home directory on the file system. If you use OpenSSH, then run this command at the sftp prompt:
$ ls
If the command returns the contents of the home directory, then your server user has cross-account access to the Amazon EFS file system.
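The two policies above only work together when the role ARN, file system ARN and home directory all agree, and a single-character typo in the principal silently breaks the grant. The following added check (example code, not from the article or from AWS) builds both halves and cross-checks them before they are applied; the account IDs, file system ID and role name are constructed placeholders.

```python
import re

# Constructed placeholders; substitute the real account IDs, file system ID and role name.
ACCOUNT_A, ACCOUNT_B, FS_ID = "111111111111", "222222222222", "fs-0123456789abcdef0"
FS_ARN = f"arn:aws:elasticfilesystem:us-east-1:{ACCOUNT_B}:file-system/{FS_ID}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/TransferFamilyEfsRole"
HOME_DIR = f"/{FS_ID}/sftp"  # Transfer Family home directory: /<file-system-id>/<path>

FS_ARN_RE = re.compile(r"^arn:aws:elasticfilesystem:[a-z0-9-]+:(\d{12}):file-system/(fs-[0-9a-f]{8,40})$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
ACTIONS = ["elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientMount",
           "elasticfilesystem:ClientWrite"]

def role_policy(fs_arn):
    """Identity policy attached to the Transfer Family role in account A."""
    return {"Version": "2012-10-17", "Statement": [{"Sid": "RootFileSystemAccess",
            "Effect": "Allow", "Action": ACTIONS, "Resource": fs_arn}]}

def fs_policy(role_arn, fs_arn):
    """Resource policy on the file system in account B that trusts that role."""
    return {"Version": "2012-10-17", "Statement": [{"Sid": "EFS-TransferFamily",
            "Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": ACTIONS,
            "Resource": fs_arn}]}

def check_pair(role_arn, role_pol, fs_pol, home_directory):
    """Return findings; an empty list means both halves agree and the grant is cross-account."""
    findings = []
    m_role = ROLE_ARN_RE.match(role_arn)
    if not m_role:
        findings.append(f"role ARN is malformed: {role_arn}")
    resources = {s["Resource"] for s in fs_pol["Statement"]}
    fs_arn = next(iter(resources), "")
    m_fs = FS_ARN_RE.match(fs_arn)
    if len(resources) != 1 or not m_fs:
        findings.append(f"file system policy must target exactly one valid file system ARN, got {sorted(resources)}")
    elif m_role and m_role.group(1) == m_fs.group(1):
        findings.append("role and file system are in the same account; this is not a cross-account grant")
    for s in role_pol["Statement"]:
        if s["Resource"] != fs_arn:
            findings.append(f"role policy resource {s['Resource']} does not match the file system policy")
    for s in fs_pol["Statement"]:
        principal = s.get("Principal", {}).get("AWS")
        if principal in (None, "*"):
            findings.append("file system policy principal is missing or a wildcard")
        elif principal != role_arn:
            findings.append(f"file system policy trusts {principal}, not {role_arn}")
    if m_fs and not home_directory.startswith(f"/{m_fs.group(2)}/"):
        findings.append(f"home directory {home_directory} must start with /{m_fs.group(2)}/")
    return findings
```

Run `check_pair(ROLE_ARN, role_policy(FS_ARN), fs_policy(ROLE_ARN, FS_ARN), HOME_DIR)` on your own values before calling create-user; a non-empty list names the half that needs fixing.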
Related information
Create an SFTP-enabled server
Creating file system policies
How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?
Configuring cross-account access for Transfer Family