Custom Identity Provider - works until Policy is defined?

0

Hi, I've got a server setup with a custom identity provider running a lambda function. With only a Role defined in the response, my user can log in (but of course has more access than is desired).

When I add the Policy inline to the lambda response, the login fails.

Testing with test-identity-provider yields 200 success when no Policy is defined. However, when a Policy is defined (it seems any policy, with or without variables) testing with test-identity-provider I get the following:

"Message": "Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_OBJECT). Response Code: 200, Response Text: OK",
"StatusCode": 500,

The policy I'm using is not special, just an example found online:

    const policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::${transfer:HomeBucket}"
                ],
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "in/${transfer:UserName}/*",
                            "in/${transfer:UserName}"
                        ]
                    }
                }
            },
            {
                "Sid": "AWSTransferRequirements",
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*"
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
            }
        ]
    };

and later:

    response = {
        Role: 'my_role_arn',
        Policy: policy,
        HomeDirectory: '/my-bucket/in/myuser',
    };

Anybody got any hints about what I'm doing wrong?
Thanks.

Edited by: TTF2019 on Apr 13, 2019 5:10 AM

TTF2019
asked 4 years ago, 65 views
4 Answers
0
Accepted Answer

Hey,

I think your problem is the policy type. You need to return the json string, rather than the object.

aperson
answered 4 years ago
0

Thanks!

Changing the last part to this fixed the issue by making the policy a string.

    response = {
        Role: 'my_role_arn',
        Policy: JSON.stringify(policy),
        HomeDirectory: '/my-bucket/in/myuser',
    };
TTF2019
answered 4 years ago
0

Where did you change the json stringify?

answered 3 years ago
0

PriorityITS:

Are you still seeing issues using Scope Down Policy with your Custom Identity Provider integration? I'm not sure if you are aware, but with our recent logical directories for S3 feature you can control access by mapping S3 paths to end user visible paths. That way only those portions of your S3 bucket would be visible to them. Here are a few resources to get started:

  1. The announcement for this feature (for use cases where it's applicable): https://aws.amazon.com/about-aws/whats-new/2019/09/aws-transfer-for-sftp-now-supports-logical-directories-for-amazon-s3/
  2. Blog post on how to "chroot" your users to a designated folder: https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
  3. Building a data distribution service using logical directories: https://aws.amazon.com/blogs/storage/using-aws-sftp-logical-directories-to-build-a-simple-data-distribution-service/

Please let me know if you have any questions or want to provide me details on your use case over private message.

Thanks,
Smitha

answered 3 years ago
