
Access denied using Transfer Family with Lambda Identity Provider


Hi all, I need to create my SFTP service using AWS Transfer Family and Lambda as Identity Provider and S3 as Storage.

I created my Lambda function and authentication works, but I can't show the list of files.

My Node.js lambda is:

    // Body completed from the truncated fragment: the returned fields are the
    // ones visible in the identity-provider test response below (Role and
    // HomeDirectoryType only; no HomeDirectory is returned).
    exports.handler = async (event) => {
        return {
            Role: "arn:aws:iam::356173882118:role/sftp-access-s3",
            HomeDirectoryType: "PATH",
        };
    };

Identity provider testing response is:

    {
        "Response": "{\"HomeDirectoryType\":\"PATH\",\"Role\":\"arn:aws:iam::356173882118:role/sftp-access-s3\",\"UserName\":\"dasdasd\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
        "StatusCode": 200,
        "Message": ""
    }

My role sftp-access-s3 has a policy and a trust relationship (the policy's action and resource lists below are the same ones that appear in the UserPolicy field of the CloudWatch log further down):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::tecnoin-ftp-bucket"
                ],
                "Effect": "Allow",
                "Sid": "ReadWriteS3"
            },
            {
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:GetObjectVersion",
                    "s3:GetObjectACL",
                    "s3:PutObjectACL"
                ],
                "Resource": [
                    "arn:aws:s3:::tecnoin-ftp-bucket/*"
                ],
                "Effect": "Allow",
                "Sid": ""
            }
        ]
    }

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

I can connect successfully with my FTP client, but then I can't see the files. I receive this error:

Permission denied.
Error code: 3
Error message from server (US-ASCII): Access denied

On CloudWatch:

luca.1e5bad7f45e09f0b CONNECTED SourceIP= User=luca HomeDir=/ Client=SSH-2.0-WinSCP_release_5.17.10 Role=arn:aws:iam::356173882118:role/sftp-access-s3 UserPolicy="{\"Version\": \"2012-10-17\",\"Statement\": [  {\"Action\": [  \"s3:ListBucket\",  \"s3:GetBucketLocation\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket\"],\"Effect\": \"Allow\",\"Sid\": \"ReadWriteS3\"  },  {\"Action\": [  \"s3:PutObject\",  \"s3:GetObject\",  \"s3:DeleteObject\",  \"s3:DeleteObjectVersion\",  \"s3:GetObjectVersion\",  \"s3:GetObjectACL\",  \"s3:PutObjectACL\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket/*\"],\"Effect\": \"Allow\",\"Sid\": \"\"  }]}" Kex=ecdh-sha2-nistp256 Ciphers=aes256-ctr,aes256-ctr

luca.1e5bad7f45e09f0b ERROR Message="Access denied"

Could you please support me to solve the issue?


1 answer

Hello luk3tt0@,

Looking at the Test-IdentityProvider output, I don't see the HomeDirectory Field present. This would imply HomeDirectory as /. Further, the log snippet from CloudWatch also mentions the same: User=luca HomeDir=/.

When HomeDirectory is /, User lands in root of S3 where an ls operation lists all the buckets in their account. Since the permissions that you shared don't include s3:ListAllMyBuckets permission for Resource: * the operation returns Access Denied correctly. To resolve this:

  • Either update the User configuration to include the HomeDirectory Field to which you have granted permissions.
  • Or if you want to be able to list all buckets you have in your account, update the IAM Role permissions to have s3:ListAllMyBuckets for Resource: *.

Let me know if you have any other questions.

-- Sagar.

answered 2 years ago
