Hello Mauro,
In regards to your question, the reason why the operation is failing at root bucket level is due to missing HeadObject permissions on the root of the bucket. The permission set that your IAM Role entity has grants permissions to contents within the subfolders and not the subfolders themselves. Therefore, a List operation to root of the bucket fails, however when you explicitly specify the path, the operation succeeds.
To get around this, you could provide permissions within the IAM entity to be able to issue a HeadObject call at root of the bucket. This will then allow you to list and then only allow actions within the specified subfolders.
Example policy -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sftp-server"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::sftp-server/*/"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::sftp-server/subfolder01/*",
                "arn:aws:s3:::sftp-server/subfolder02/*"
            ]
        }
    ]
}
Could you test this above policy and confirm if it works as desired?
Further to your point (or better, to see only the two subfolders that he has access to), this is better satisfied by using Logical Directories. Logical Directories allow Users to be mapped to certain directories. Within your User configuration, you could set up the sub-folders as HomeDirectories, which would then allow Users to access only them and not any other sub-folders.
Considering the same example as above, the HomeDirectory configuration would look like -
[
    {"Entry": "/subfolder01", "Target": "/bucket1/subfolder01"},
    {"Entry": "/subfolder02", "Target": "/bucket1/subfolder02"}
]
The permissions model within your IAM Role shall be the same as what you mentioned in your question. When the User logs in, they would see this setup as -
sftp> pwd
Remote working directory: /
sftp> ls
subfolder01 subfolder02
sftp>
If you are setting up your User from Console, the Console equivalent to this is the Restricted checkbox. However, console limits it to only 1 folder. If you require multiple folders within Logical Directories, you would have to use the CLI or the API to configure the same.
Sample AWS-CLI command: aws transfer update-user --server-id <> --user-name <> --home-directory-type LOGICAL --home-directory-mappings '[{"Entry": "/subfolder01", "Target": "/bucket1/subfolder01"}, {"Entry": "/subfolder02", "Target": "/bucket1/subfolder02"}]'
Please update the Policies and CLI commands as required by your use-case.
References:
Logical Directories: https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html
AWS CLI - update-user: https://docs.aws.amazon.com/cli/latest/reference/transfer/update-user.html
Let me know if you have further questions.
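As an added example (not from the answer above or from AWS), a small Python check that the IAM policy actually grants s3:ListBucket on the bucket and the object-level actions under each logical directory Target before you run update-user. The policy is a constructed copy of the one in the answer, and Target is assumed to have the "/bucket/prefix" form shown in the mappings.

```python
import fnmatch

# Constructed policy modelled on the one in the answer (bucket and folder names from the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sftp-server"},
        {"Effect": "Allow", "Action": "s3:GetObject*", "Resource": "arn:aws:s3:::sftp-server/*/"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::sftp-server/subfolder01/*",
                      "arn:aws:s3:::sftp-server/subfolder02/*"]},
    ],
}

# Object-level actions an SFTP user needs under each mapped Target prefix.
REQUIRED_OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """True if some Allow statement matches both action (case-insensitive) and resource ARN.
    Deny statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def check_mappings(policy, mappings):
    """Return a list of gaps; an empty list means every mapping is covered.
    Target is assumed to be '/bucket/prefix', as in the answer's examples."""
    problems = []
    for m in mappings:
        bucket, _, prefix = m["Target"].lstrip("/").partition("/")
        if not allows(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"):
            problems.append(f"{m['Entry']}: no s3:ListBucket on {bucket}")
        sample_key = f"arn:aws:s3:::{bucket}/{prefix}/example.txt"  # representative object under the prefix
        for action in REQUIRED_OBJECT_ACTIONS:
            if not allows(policy, action, sample_key):
                problems.append(f"{m['Entry']}: {action} not allowed for {sample_key}")
    return problems
```

A mapping whose Target names a bucket or prefix the policy does not cover (for example the bucket1 Targets in the mappings above against a policy written for sftp-server) is reported rather than discovered by the user at login.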
I was able to reach my goal following your instructions about Logical Directories, thanks! Just a note: I ran your sample command in PowerShell (Windows 10) and had to use doubled " symbols to make it work. So, this is the command that worked for me: aws transfer update-user --server-id <> --user-name <> --home-directory-type LOGICAL --home-directory-mappings '[{""Entry"": ""/subfolder01"", ""Target"": ""/bucket1/subfolder01""}, {""Entry"": ""/subfolder02"", ""Target"": ""/bucket1/subfolder02""}]'