AWS SFTP Custom authentication with API Gateway and EFS as backend storage.


I'm following the CloudFormation template provided at the URL below to create an AWS SFTP service with a custom identity provider (API Gateway) and Secrets Manager to store the user credentials. The API Gateway integrates the SFTP Transfer server with a Lambda function that processes the gateway request and queries Secrets Manager.
Is password authentication with a custom identity provider (API Gateway) and EFS specifically supported in AWS? If so, can someone give me a hint on how to configure the secret in Secrets Manager so that it carries the UID, GID and secondary GIDs? I'm specifically looking for help on this.
Most of the documentation talks only about Transfer Family with S3 as backend storage, including the examples on scope-down policies etc. Any help on this requirement is highly appreciated.

https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/

Asked 3 years ago, 1131 views
2 answers

Hello srinathaws@,

To answer your question: yes, a custom IdP with EFS is supported by AWS Transfer Family.
Regarding your question about setting up a custom IdP with EFS, you can use the following parameters for your user configuration (added as Key:Value pairs in the secret):

Password: <password>
Role: arn:aws:iam::<account-id>:role/sftp-efs-full-access
HomeDirectoryType: LOGICAL
HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]
PosixProfile: {"Uid": 123, "Gid": 456,"SecondaryGids": []}

Further, the default Lambda code doesn't include PosixProfile in its response to API Gateway. Therefore, you would have to update it so that it fetches PosixProfile from Secrets Manager and forwards it. Following are 2 lines you can add to the Lambda code. Typically, you would want to add them at the same place where you fetch the Role details from the secret.

Example: 

import json

# Existing handling of the Role key (resp_dict is the secret, resp_data the response)
if 'Role' in resp_dict:
    resp_data['Role'] = resp_dict['Role']
else:
    print("No field match for role - Set empty string in response")
    resp_data['Role'] = ''

# Added: PosixProfile is stored as a JSON string in the secret, but Transfer Family
# expects an object in the response, so decode it before forwarding
if 'PosixProfile' in resp_dict:
    resp_data['PosixProfile'] = json.loads(resp_dict['PosixProfile'])

Let me know if you have questions.

  • Sagar
AWS
Expert
Answered 3 years ago
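To show how the secret layout and the PosixProfile lines from the answer above fit together, here is an added, self-contained example of the part of a custom-IdP Lambda that turns a Secrets Manager secret into the response Transfer Family expects. It is not code from the original post or from the AWS blog template; the sample secret, the account id, the file-system id, the `lambda_handler` event keys and the `fetch_secret` injection point are assumptions made so the code runs offline. It compares the password in constant time, keeps HomeDirectoryDetails as the JSON string Transfer Family expects while still validating that every Entry and Target is an absolute path, decodes PosixProfile into an object, and returns an empty response (no Role) on any failure so that the login is denied rather than granted with a half-built profile.

```python
import hmac
import json

# Constructed sample secret mirroring the Key:Value layout from the answer above.
# Account id, file-system id, uid/gid and password are placeholders (assumptions).
SAMPLE_SECRET = {
    "Password": "correct horse battery staple",
    "Role": "arn:aws:iam::123456789012:role/sftp-efs-full-access",
    "HomeDirectoryType": "LOGICAL",
    "HomeDirectoryDetails": '[{"Entry": "/abc", "Target": "/fs-0123456789abcdef0/abc"}]',
    "PosixProfile": '{"Uid": 123, "Gid": 456, "SecondaryGids": []}',
}


def validate_home_directory_details(raw):
    """Parse the JSON string stored in the secret and require absolute Entry/Target paths."""
    mappings = json.loads(raw)
    if not isinstance(mappings, list) or not mappings:
        raise ValueError("HomeDirectoryDetails must be a non-empty JSON array")
    for mapping in mappings:
        for key in ("Entry", "Target"):
            value = mapping.get(key)
            if not isinstance(value, str) or not value.startswith("/"):
                raise ValueError(f"{key} must be an absolute path starting with '/'")
    return mappings


def validate_posix_profile(raw):
    """Decode the PosixProfile JSON string and check the ids are non-negative integers."""
    profile = json.loads(raw)
    for key in ("Uid", "Gid"):
        if not isinstance(profile.get(key), int) or profile[key] < 0:
            raise ValueError(f"PosixProfile.{key} must be a non-negative integer")
    gids = profile.get("SecondaryGids", [])
    if not isinstance(gids, list) or not all(isinstance(g, int) and g >= 0 for g in gids):
        raise ValueError("PosixProfile.SecondaryGids must be a list of non-negative integers")
    return {"Uid": profile["Uid"], "Gid": profile["Gid"], "SecondaryGids": gids}


def build_auth_response(secret, password):
    """Build the response body for a password login.

    Returns {} (no Role) on any failure; Transfer Family denies a login whose
    response carries no Role, so a malformed secret never becomes a partial grant.
    """
    stored = secret.get("Password")
    if not stored or not password:
        return {}
    # Constant-time comparison so the response time does not leak the password prefix
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return {}
    if not secret.get("Role"):
        return {}
    try:
        resp = {"Role": secret["Role"]}
        if secret.get("HomeDirectoryType") == "LOGICAL":
            # Validate the mappings, but forward the original JSON string unchanged
            validate_home_directory_details(secret["HomeDirectoryDetails"])
            resp["HomeDirectoryType"] = "LOGICAL"
            resp["HomeDirectoryDetails"] = secret["HomeDirectoryDetails"]
        elif secret.get("HomeDirectory"):
            resp["HomeDirectory"] = secret["HomeDirectory"]
        if "PosixProfile" in secret:
            # PosixProfile is an object in the response, not a string
            resp["PosixProfile"] = validate_posix_profile(secret["PosixProfile"])
        if secret.get("Policy"):
            resp["Policy"] = secret["Policy"]
    except (KeyError, ValueError) as exc:  # json.JSONDecodeError is a ValueError
        print(f"Rejecting login: malformed secret: {exc}")
        return {}
    return resp


def lambda_handler(event, context, fetch_secret=lambda name: SAMPLE_SECRET):
    """Entry point for the API Gateway integration.

    Assumes the mapping template supplies 'username' and 'password' in the event.
    fetch_secret is injected so this runs offline; a deployed function would call
    boto3 secretsmanager get_secret_value for the 'SFTP/<username>' secret instead.
    """
    username = event.get("username", "")
    password = event.get("password", "")
    # Refuse names that could alter the secret path looked up below
    if not username or "/" in username or "\\" in username:
        return {}
    secret = fetch_secret(f"SFTP/{username}")
    if secret is None:
        return {}
    return build_auth_response(secret, password)
```

The validation of HomeDirectoryDetails happens before anything is returned, so a mapping whose Target is relative is logged and rejected by the Lambda instead of producing an AUTH_FAILURE on the Transfer server side where the cause is harder to see.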

Hello,

I have stored the "PosixProfile" handling in the Lambda code, but it only works with this syntax:

posixprofile = lookup(secret_dict, "PosixProfile", input_protocol)
if posixprofile:
    response_data["PosixProfile"] = json.loads(posixprofile)

Unfortunately, I can't connect to the EFS using FileZilla. Error message in the log: AUTH_FAILURE Method=password User=-efs Message="HomeDirectory must be an absolute path starting with '/'" SourceIP=

My assumption is that something has changed with these keys: HomeDirectoryType: LOGICAL HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]

I followed this guide: https://aws.amazon.com/en/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

BR

Answered 10 months ago