What is Custom Identity Provider policy format?

0

I am trying to combine AWS Transfer Family, Custom Identity Provider, Lambda functions, and logical directories. We have an AWS Transfer Family that is backed by an S3 bucket. The idea is when a user logs into our SFTP endpoint we use a lambda function to authenticate the user and use logical directories to control which directories they see and the policy to control what they are able to do inside of these directories.

I can't quite figure out how to set the resource values to control permissions.

Everything works without a policy set but when I set the policy like below, I cannot browse or publish to the SFTP endpoint after logging in:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Folder_Access",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:ListBucket"
                "s3:ListObjectsV2"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name*",
                "arn:aws:s3:::bucket-name/*"
                "*"
            ]
        }
    ]
}
bri
Asked 6 months ago, 575 views
1 answer
0

I believe you are talking about session policies here; if you are not, can you clarify what you mean by policy?

Session policies are configured in the same fashion as IAM role policies except that session policies can contain certain variables. Session policies can only limit what an IAM role can do and can never grant access to anything an IAM role can't do. For example, if you are using KMS keys for S3 object encryption then the session policy will need to allow KMS operations as well. (If the operation is not called out in the session policy then it will be denied by IAM.)

When it comes to the resources, you would specify the bucket and prefixes you want to access, not the logical directory. Certain permissions like "s3:ListBucket" can only accept the bucket arn, while other permissions can accept the bucket arn or arn with full path to prefix. This can either be combined in a single statement like above or broken up into multiple statements.

The policy would also need to be formatted as JSON, so when dealing with arrays you will need a comma after all but the last line. I see some missing commas in the above example.

We have example session policies available here: https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html#session-policy

If you continue having issues after reviewing the example policies I would suggest reaching out to support as we may need to review your specific policies or server logs to see what could be causing any issues.

AWS
Brian C
Answered 6 months ago
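As an added example (not code from the question or from Brian's answer), here is a Python custom identity provider Lambda that returns a session policy following the rules the answer lays out: the bucket ARN for s3:ListBucket, object ARNs for the object actions, valid JSON serialised as a string, and a logical directory mapped onto the same prefix the policy allows. The bucket name, role ARN, credential table and the home/<username> prefix layout are placeholders and assumptions, not values from the thread.

```python
import hmac
import json

BUCKET = "bucket-name"  # placeholder bucket name from the question
ROLE_ARN = "arn:aws:iam::123456789012:role/TransferRolePlaceholder"  # placeholder
USERS = {"alice": "correct-horse-battery"}  # constructed table; use a real store

def build_session_policy(bucket, prefix):
    """s3:ListBucket gets the bucket ARN (narrowed by an s3:prefix condition);
    object actions get object ARNs under the user's prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListUserPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": "UserPrefixObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                           "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
        ],
    }

def build_response(username, role_arn, bucket):
    """Provider response: json.dumps guarantees valid JSON (no missing commas), and
    the logical directory "/" points at the same prefix the policy allows."""
    prefix = f"home/{username}"  # assumed per-user layout, not from the question
    return {
        "Role": role_arn,
        "Policy": json.dumps(build_session_policy(bucket, prefix)),
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": f"/{bucket}/{prefix}"}]),
    }

def lambda_handler(event, context=None):
    """Lambda entry point. An empty dict tells Transfer Family authentication failed."""
    username, password = event.get("username", ""), event.get("password")
    stored = USERS.get(username)
    if stored is None or not isinstance(password, str) \
            or not hmac.compare_digest(stored.encode(), password.encode()):
        return {}
    return build_response(username, ROLE_ARN, BUCKET)
```

Because a session policy can only narrow what the role already allows, the role attached to the server must itself grant at least these S3 actions (and any KMS actions if the bucket is encrypted with a customer-managed key).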
