Key auth with custom identity provider for SFTP


We have an FTP(s) and SFTP set up on AWS Transfer Family, in our own VPC with Cognito as the custom identity provider (APIGW + lambda). We have configured it to accept usernames and passwords and are successfully using it in production.

We want to enable SSH key for the SFTP where clients access and send data with the private key. We have the client's public key but are unclear on how the connection and data transfer flow is for our scenario.

Right now, we are totally in the dark on how to do this. How do we allow clients access via a private key without a username/password configured using our custom identity provider for AWS Transfer Family?

When the client tries to connect to the server, I'm guessing it will go through the custom identity provider (APIGW+Lambda), but we're unsure how to allow the client to proceed to AWS Transfer Family, and where we should be storing and sending the Public Key?

Any help or pointing us in the right direction would help. Thank you!

asked 2 years ago · 367 views
1 Answer

Figured it out.

In Cognito, add an attribute for pub RSA keys. You can either validate the sourceIp in the custom identity provider, or whether the user exists in Cognito, and then include in the response, along with Role and Policy, an array of PublicKeys:

`PublicKeys: stringArrayWithPubKey`

answered 2 years ago
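Worked example of the flow the answer describes, added here and not code from the original answer or from AWS: a Lambda-style handler that looks up the user's stored public key(s), applies the sourceIp check, and returns Role, Policy and PublicKeys. For key auth Transfer Family calls the identity provider without a password and performs the SSH key challenge itself, so the provider only has to hand back the keys it trusts. The Cognito attribute names (`custom:ssh_public_keys`, `custom:allowed_cidr`), the event field names, the role ARN and bucket are assumptions, and the Cognito lookup is replaced by an in-memory stand-in so the block runs offline.

```python
import ipaddress
import json

# Placeholders for values that live in the caller's account (not on the page).
ROLE_ARN = "arn:aws:iam::123456789012:role/TRANSFER_ACCESS_ROLE_PLACEHOLDER"
BUCKET = "example-sftp-bucket-placeholder"

# Constructed stand-in for the Cognito user pool. The attribute names are
# assumed; the key body is a made-up placeholder, not a real key.
FAKE_COGNITO_USERS = {
    "acme-sftp": {
        "custom:ssh_public_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnotAreal acme@example",
        "custom:allowed_cidr": "203.0.113.0/24",
    }
}

def lookup_user(username):
    """Stand-in for cognito-idp AdminGetUser: returns attributes or None."""
    return FAKE_COGNITO_USERS.get(username)

def scope_down_policy(username):
    """Session policy confining the user to their own prefix in the bucket."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/{username}/*"]}]})

def build_response(event, lookup=lookup_user, check_password=None):
    """Body returned to Transfer Family. Assumed event keys: username, password,
    protocol, serverId, sourceIp. Returning {} denies the login.
    Key auth: no password in the event; we return PublicKeys and Transfer Family
    verifies the client's private key against them. Password auth: the password
    must be verified by check_password (the existing Cognito flow, injected here)."""
    username, source_ip = event.get("username", ""), event.get("sourceIp", "")
    user = lookup(username)
    if user is None:
        return {}
    try:  # sourceIp allow-list, as the answer suggests; reject unparsable IPs
        if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(user["custom:allowed_cidr"]):
            return {}
    except ValueError:
        return {}
    base = {"Role": ROLE_ARN, "HomeDirectory": f"/{BUCKET}/{username}",
            "Policy": scope_down_policy(username)}
    if event.get("password"):
        if check_password is None or not check_password(username, event["password"]):
            return {}
        return base  # password session: no need to expose the stored keys
    keys = [k.strip() for k in user["custom:ssh_public_keys"].splitlines() if k.strip()]
    return dict(base, PublicKeys=keys) if keys else {}
```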
