Hello, the issue you're encountering with listing users on a server with an Identity Provider (IdP) type of AWS_DIRECTORY_SERVICE could be due to several reasons. Here are some steps you can take to troubleshoot the issue:
Check the Identity Provider Configuration: Ensure that the AWS Directory Service directory ID is correctly configured in the IdentityProviderDetails parameter.
Verify Directory Access: Make sure that the directory is accessible and available for use. You can check the directory status in the AWS Directory Service console.
Check User Permissions: Ensure that the user attempting to list the users has the necessary permissions to access the directory and view user information.
Check Server Status: Verify that the server is in a healthy state and is able to communicate with the directory.
Check AWS Transfer Family Logs: Review the AWS Transfer Family logs for any errors or warnings related to the directory or user access.
https://docs.aws.amazon.com/pt_br/transfer/latest/userguide/API_ListUsers.html
Please accept this answer if it was useful for you :)
The error message means that the users aren't managed by or contained in the AWS Transfer service, so it is unable to provide a list of them. Your users appear to be in your AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD (https://docs.aws.amazon.com/transfer/latest/userguide/directory-services-users.html).
You'll need to query the users from your AWS Directory Service directory. Integration between AWS Transfer -> AWS Directory Service -> AWS IAM is done by associating an AD group in AWS Directory Service with an AWS IAM role (described in detail in the above documentation article) and making AD users members of those AD groups.
To find which users are associated with a given IAM policy, you should pull the list of users and their group memberships from AWS Directory Service and map them to the IAM roles that are associated with their AD groups. The IAM policies you're asking about would be attached to those IAM roles.
Hi, ListUsers does not apply to AD users who are stored in AD. Also, configuration for Transfer Family is currently per group level through creating accesses (https://docs.aws.amazon.com/transfer/latest/userguide/directory-services-users.html#directory-services-grant-access), so ListAccesses could help. If you require per AD user configuration, please reach out to AWS Support to submit this as a feature request for AWS Transfer Family.
When using AD the service does not manage the users. Therefore you cannot use the list-users command to search/list them. Instead the service manages access by defining rules called Access, and with these we declare attributes like home directory and IAM policy. The relationship between Access and the users is defined by the AD group that is bound to the Access. If you can list the AD users who are members of the given group with some AD management command or PowerShell scripting you could create a potential scripted way to arrive at the desired outcome. Here is a pointer that might get you some results: https://docs.aws.amazon.com/transfer/latest/userguide/directory-services-users.html#managed-ad-prereq
PowerShell has a lot of capabilities but I have not looked any deeper. If you can map from the group SID which is stored in the Access definition to the AD group and then list the users who are members of the group you are half way there.
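The answers above describe the same procedure from three angles: list the server's Accesses (not its users), take the AD group SID stored in each Access's ExternalId, resolve that SID to the AD group, enumerate the group's members, and then follow the Access's Role to the IAM policies that actually apply. The script below is an added example that ties those steps together; it is not code from the original thread or from AWS. It assumes AWS CLI v2 with credentials allowed to call transfer:ListAccesses, transfer:DescribeAccess, iam:ListAttachedRolePolicies and iam:ListRolePolicies, the ActiveDirectory PowerShell module (RSAT) on a host that can reach the AWS Managed Microsoft AD, and a placeholder server ID; the script name Get-TransferAdUsers.ps1 is hypothetical.

```powershell
# Get-TransferAdUsers.ps1 (added example, not from the original thread)
# Maps AWS Transfer Family Accesses -> AD group SID -> AD group members -> IAM role/policies.
# Assumptions: AWS CLI v2 on PATH with suitable permissions; ActiveDirectory module installed;
# the host is joined to, or can query, the directory the Transfer server uses.
param(
    [Parameter(Mandatory = $true)] [string]$ServerId,   # e.g. s-0123456789abcdef0 (placeholder)
    [string]$Region = 'us-east-1'                       # assumed region
)

Import-Module ActiveDirectory -ErrorAction Stop

# Transfer does not store AD users, only Accesses. The CLI auto-paginates list-* calls.
$accesses = (aws transfer list-accesses --server-id $ServerId --region $Region --output json |
             ConvertFrom-Json).Accesses
if (-not $accesses) {
    Write-Warning "No Accesses found on $ServerId; nobody from AD can log in to this server."
    return
}

foreach ($access in $accesses) {
    # For an AWS_DIRECTORY_SERVICE server the ExternalId is the AD group's SID
    # (S-1-5-21-...). The group is the only link between the Access and real users.
    $sid = $access.ExternalId

    $detail = (aws transfer describe-access --server-id $ServerId --external-id $sid `
               --region $Region --output json | ConvertFrom-Json).Access

    # Resolve SID -> AD group. A stale Access whose group was deleted will fail here,
    # which is worth reporting: it grants nothing but still clutters the server.
    try {
        $group = Get-ADGroup -Identity $sid -ErrorAction Stop
    } catch {
        Write-Warning "Access $sid does not resolve to an AD group (deleted or wrong directory?)"
        continue
    }

    # Nested groups count: Transfer evaluates effective membership, so flatten with -Recursive.
    $users = Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.objectClass -eq 'user' }

    # The IAM policies the user runs with are the ones on the Access's Role, plus an
    # optional session policy (Policy) that further restricts that role.
    $roleName = ($detail.Role -split '/')[-1]
    $managed  = (aws iam list-attached-role-policies --role-name $roleName --output json |
                 ConvertFrom-Json).AttachedPolicies.PolicyArn
    $inline   = (aws iam list-role-policies --role-name $roleName --output json |
                 ConvertFrom-Json).PolicyNames

    foreach ($u in $users) {
        [pscustomobject]@{
            User             = $u.SamAccountName
            Group            = $group.Name
            GroupSid         = $sid
            HomeDirectory    = $detail.HomeDirectory
            Role             = $detail.Role
            ManagedPolicies  = ($managed -join ';')
            InlinePolicies   = ($inline  -join ';')
            HasSessionPolicy = [bool]$detail.Policy
        }
    }
}
```

Run it as `.\Get-TransferAdUsers.ps1 -ServerId s-0123456789abcdef0 | Format-Table` or pipe to `Export-Csv` for an access review. Two caveats for anyone using this as an audit: the output is a point-in-time snapshot, because membership is evaluated by Transfer at login, and a user who belongs to several mapped groups will appear once per Access, which is exactly what you want to see when checking for overlapping or contradictory policies. Get-ADGroupMember also enforces the directory's MaxGroupOrMemberEntries limit on very large groups; if it errors out, read the group's Member attribute with Get-ADGroup -Properties Member instead.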