Unable to specify bucket with custom identity provider


I've customized my identity provider using the template and instructions available here:

https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html

I'm able to get a correct response from my API and successfully log in while testing in AWS Transfer and with FileZilla. However, it's not actually allowing a user to view existing files or upload new files. Here is the response from the identity provider API:

{
    "Policy": "<policy granting full access to bucket>",
    "Role": "<role with full access to S3>",
    "HomeDirectory": "/<my bucket>/test"
}

I'm assuming this is acceptable based on the information on these pages:

https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-user.html

However, FileZilla gives me the following log:

Status:	Connecting to sftp.mydomain.com...
Status:	Using username "test". 
Status:	Connected to 123456.server.transfer.us-east-1.amazonaws.com
Status:	Retrieving directory listing...
Status:	Listing directory /<my bucket>/test
Error:	Unknown eventType 37
Error:	Failed to retrieve directory listing

So I tried using logical directories instead using the information in the previous links. This is an example response from the API:

{
    "Policy": "<policy granting full access to bucket>",
    "Role": "<role with full access to S3>",
    "HomeDirectoryType": "LOGICAL",
    "HomeDirectoryDetails": [
        {
            "Entry": "/",
            "Target": "/<my bucket>/test"
        }
    ]
}

I updated my UserConfigResponseModel in the API Gateway to this:

{
    "$schema":"http://json-schema.org/draft-04/schema#",
    "title":"UserUserConfig",
    "type":"object",
    "properties":
    {
        "Role":{"type":"string"},
        "Policy":{"type":"string"},
        "HomeDirectory":{"type":"string"},
        "HomeDirectoryType":{"type":"string"},
        "HomeDirectoryDetails":
        {
          "type":"array",
          "items":
          {
              "type":"object",
              "properties":
              {
                  "Entry":{"type":"string"},
                  "Target":{"type":"string"}
              }
          }
        },
        "PublicKeys":
        {
            "type":"array",
            "items":{"type":"string"}
        }
    }
}

When I test this in AWS Transfer, I get the following response:

Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_ARRAY). Response Code: 200, Response Text: OK

All of this is very frustrating because the responses I am getting do not match what I would expect to see after reading the documentation. My question is this: how do I specify a bucket when using a custom identity provider in AWS Transfer?

Edited by: paul_hatcher on May 19, 2020 9:26 AM

asked 4 years ago, 591 views
1 Answer

Hi paul_hatcher,

For logical directories to work, the HomeDirectoryDetails field needs to be a JSON string, not an array. The following link will give you a better idea on what the field should be.

https://aws.amazon.com/blogs/storage/using-aws-sftp-logical-directories-to-build-a-simple-data-distribution-service/

You should use the following schema for "HomeDirectoryDetails" to make it work:

"HomeDirectoryDetails":{"type":"string"}

If you have other issues, please let us know.

Thanks.

answered 4 years ago
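The point of the answer above, worked through as an added example (not code from the thread or from AWS): the identity provider must return HomeDirectoryDetails and Policy as JSON strings, and a validation step catches the array shape that produced the "expected a VALUE token but got: START_ARRAY" error. The bucket name and role ARN are constructed placeholders, and the session policy is scoped to the user's own prefix rather than the whole bucket.

```python
"""Build and validate a custom identity provider response for AWS Transfer Family."""
import json

# Constructed placeholder values; replace with your own bucket and role ARN.
BUCKET = "my-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-transfer-role"  # placeholder


def scoped_policy(bucket, prefix):
    """Session policy limiting the user to one prefix of the bucket (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListUserPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}},
            {"Sid": "UserObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }


def build_user_config(username, bucket=BUCKET, role_arn=ROLE_ARN):
    """Return the identity provider response using logical directories."""
    mapping = [{"Entry": "/", "Target": f"/{bucket}/{username}"}]
    return {
        "Role": role_arn,
        # Policy and HomeDirectoryDetails are JSON *strings* inside the response,
        # not nested objects or arrays (the array form is what Transfer rejects).
        "Policy": json.dumps(scoped_policy(bucket, username)),
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps(mapping),
    }


def validate_user_config(config):
    """Check the response shape; return the parsed Entry/Target list or raise ValueError."""
    details = config.get("HomeDirectoryDetails")
    if config.get("HomeDirectoryType") != "LOGICAL":
        raise ValueError("HomeDirectoryType must be LOGICAL for HomeDirectoryDetails")
    if not isinstance(details, str):
        raise ValueError(f"HomeDirectoryDetails must be a JSON string, got {type(details).__name__}")
    parsed = json.loads(details)
    if not isinstance(parsed, list) or not all(set(item) == {"Entry", "Target"} for item in parsed):
        raise ValueError("HomeDirectoryDetails must encode a list of Entry/Target objects")
    if isinstance(config.get("Policy"), str):
        json.loads(config["Policy"])  # the embedded policy must itself be valid JSON
    return parsed
```

Running validate_user_config against the array-valued response from the question raises ValueError, which is the shape to reject before the response ever reaches Transfer.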
