SFTP using Password or SSH public key


I have created an SFTP server using the AWS Tranfer family. The identity provider is (The custom IDentity provider) that will use the lambda function to check with the AWS Secrets manager the password and username to log in. Now, I am looking to update the lambda function to be able to authenticate with a Password or Public key. At the secret manager, I've added a new key: (SSHPublicKeys) and defined the value of the public key, and in the Python code, I defined checking for the public key. The missing, as how to let the lambda python code compare the private key used by the user with the public key defined at the AWS Secrets manager!

1 Answer

Hello. To allow your Lambda function to authenticate using a public key, you should compare the presented public key with the one stored in AWS Secrets Manager. However, the client/user would never send their private key. Instead, the authentication process works as follows. Code snippet how you can use a key:

import boto3
import json

def lambda_handler(event, context):
    # Your logic to get the username from the event
    username = event['username']

    # Fetch the user secret from AWS Secrets Manager
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='YOUR_SECRET_ID')
    secret = json.loads(response['SecretString'])

    # Check password if provided
    if 'password' in event:
        user_password = event['password']
        if user_password != secret.get('password'):
            # Invalid password
            return {
                'status': 'DENY'

    # Check SSH public key if provided
    elif 'publicKey' in event:
        # In a real-world scenario, you'd probably have multiple keys and need to iterate over them.
        stored_public_key = secret.get('SSHPublicKeys')

        if event['publicKey'] != stored_public_key:
            # Invalid public key
            return {
                'status': 'DENY'

    # If neither password nor public key is provided, or any other checks you want to implement
        return {
            'status': 'DENY'

    return {
        'status': 'OK',
        'role': 'arn:aws:iam::ACCOUNT_ID:role/YOUR_SFTP_ROLE',
        'policy': 'YOUR_POLICY'

Regards, Andrii

profile picture
answered 8 months ago
profile picture
reviewed 4 days ago
  • Hi, I have a similar problem but I can't acess this "public-key" field in my code. Am I doing something wrong in how my AWS Transfer family sftp server is configured ?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions