FTPS - Lambda - Transfer Family - S3


Hi fellas!! I followed the instructions from:

[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#custom-lambda-idp] (Working with custom identity providers)

[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#authentication-lambda-examples] (Default Lambda Functions)

but the Lambda function fails. I used a template through CloudFormation:

  • aws-transfer-custom-idp-secrets-manager-lambda.template.yml

The error I get when an FTPS client tries to log in is:

Error Talking to SecretsManager: ResourceNotFoundException, Message: An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret.

The Lambda function has a related role with the permissions policies IAMFullAccess, AWSLambdaBasicExecutionRole, SecretsManagerReadWrite and a customer inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-2:#NUMBER#:secret:aws/transfer/*",
            "Effect": "Allow"
        }
    ]
}

The parameter SecretId that the failing function receives (client.get_secret_value(SecretId=id)) is built by concatenating "aws/transfer/" + input_serverId + "/" + input_username

The input IAM user (input_username) has the policies:

AmazonS3FullAccess, AmazonS3ObjectLambdaExecutionRolePolicy, AWSLambda_FullAccess, AWSLambdaBasicExecutionRole, AWSLambdaExecute, AWSTransferFullAccess, AWSTransferLoggingAccess and a customer inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::#S3_BUCKET_ID#"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::#S3_BUCKET_ID#/*"
            ]
        }
    ]
}

What could the problem be?

1 Answer

Hi,

You should, at least for debugging, modify your Lambda to log to CloudWatch the ARN of the secret it tries to access in Secrets Manager, and see whether it matches the ARN of the secret created by your CFN stack.

ResourceNotFoundException usually means that the resource doesn't exist, not that you don't have the rights to access it.

Best, Didier

AWS Expert, answered 9 months ago
  • Hi Didier, first thanks for your prompt answer. Indeed, I modified the Lambda code to write out the SecretId ("aws/transfer/"+input_serverId+"/"+input_username) --> aws/transfer/s-dcf3160ff0fb40c3a/camera_lambda. I don't know if that concatenation (provided by the template) is the right way to build the ARN, because it doesn't look like an ARN structure (but is it an 'alias'?). The CFN stack creates a LambdaExecutionRole, with the policy LambdaSecretPolicy related to a Resource:

    Fn::Sub: - arn:${AWS::Partition}:secretsmanager:${SecretsRegion}:${AWS::AccountId}:secret:aws/transfer/*

    I guess, following your advice, that would be the structure that the function should build. I will try it, and let you know the result.

    Thank you!

  • The CFN template stack didn't create any secret, so I created it in Secrets Manager myself. Now the function works, returning the proper resp_data['HomeDirectory'] and resp_data['Role'], a role that has the permissions:

    • AmazonS3FullAccess, AWSTransferConsoleFullAccess, AWSTransferFullAccess, AmazonS3ObjectLambdaExecutionRolePolicy, SimpleWorkflowFullAccess and a couple of customer inline policies:

    1 - First customer inline policy:

    {
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {
                "Sid": "AllowTransferInvocation",
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:eu-west-2:#NUMBER#:function:FTP-CAMERA-GetUserConfigLambda-XxgZvF5o7nst",
                "Condition": {
                    "ArnLike": {
                        "AWS:SourceArn": "arn:aws:transfer:eu-west-2:#NUMBER#:server/s-dcf3160ff0fb40c3a"
                    }
                }
            }
        ]
    }

    2 - Other customer inline policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadWriteS3",
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::arantec-ftp"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectTagging",
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:GetObjectVersion",
                    "s3:GetObjectVersionTagging",
                    "s3:GetObjectACL",
                    "s3:PutObjectACL"
                ],
                "Resource": [
                    "arn:aws:s3:::arantec-ftp/*"
                ]
            }
        ]
    }

  • The managed workflows execution role is the proper one and the workflow accesses "arn:aws:s3:::arantec-ftp/*". But the FTPS client can't access the S3 resource, returning "530 Authentication failed." I don't know where the error could be... keep trying.
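The thread above turns on two points: the template's Lambda passes a secret *name* (aws/transfer/<serverId>/<username>), not an ARN, and ResourceNotFoundException means the name resolved to nothing, not that the role was denied. The following is an added example, not the AWS template's Lambda nor the asker's code: a minimal Transfer Family custom-IdP handler that builds the SecretId the same way, logs it and the ARN it must map to (so the CloudWatch check Didier suggests is one line), distinguishes "missing" from "denied", and checks the IAM Resource pattern from the question against that ARN. It runs offline against a constructed in-memory Secrets Manager stand-in; the secret layout (Password, Role, HomeDirectory keys) and the server id and account id used in the demo are assumptions.

```python
"""Added example (not the AWS template's code): Transfer Family custom IdP
handler that resolves aws/transfer/<serverId>/<username> in Secrets Manager."""
import fnmatch
import hmac
import json
import logging

try:
    from botocore.exceptions import ClientError
except ImportError:
    class ClientError(Exception):
        """Offline stand-in with the same .response shape as botocore's."""
        def __init__(self, error_response, operation_name):
            self.response = error_response
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling "
                             f"the {operation_name} operation: {err['Message']}")

logger = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)

SECRET_PREFIX = "aws/transfer/"


def build_secret_id(server_id: str, username: str) -> str:
    """Secret *name* passed as SecretId. Secrets Manager accepts a name or an ARN
    here, but a name only resolves if a secret with exactly that name exists in
    the account and region the client was created for."""
    return f"{SECRET_PREFIX}{server_id}/{username}"


def expected_secret_arn(region: str, account_id: str, secret_id: str) -> str:
    """ARN the IAM Resource pattern is matched against. Secrets Manager appends a
    random 6-character suffix to the name in the ARN, which is why the policy's
    trailing '*' is needed even for a single known secret."""
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_id}-AbCdEf"


def policy_allows(resource_pattern: str, secret_arn: str) -> bool:
    """IAM wildcard match: '*' matches any characters, '/' included."""
    return fnmatch.fnmatchcase(secret_arn, resource_pattern)


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client('secretsmanager')."""
    def __init__(self, secrets: dict, denied=()):
        self._secrets, self._denied = secrets, set(denied)

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId in self._denied:
            raise ClientError({"Error": {"Code": "AccessDeniedException",
                                         "Message": "not authorized"}}, "GetSecretValue")
        if SecretId not in self._secrets:
            raise ClientError({"Error": {"Code": "ResourceNotFoundException",
                                         "Message": "Secrets Manager can't find the specified secret."}},
                              "GetSecretValue")
        return {"SecretString": self._secrets[SecretId]}


def fetch_user_secret(client, server_id: str, username: str):
    """Returns (status, parsed_secret_or_None). Logs the exact SecretId so it can
    be compared in CloudWatch with the name of the secret that actually exists."""
    secret_id = build_secret_id(server_id, username)
    logger.info("GetSecretValue SecretId=%s", secret_id)
    try:
        resp = client.get_secret_value(SecretId=secret_id)
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code == "ResourceNotFoundException":
            logger.error("No secret named %s in this account/region; not a permissions issue", secret_id)
            return "missing", None
        if code == "AccessDeniedException":
            logger.error("Secret %s exists but this role cannot read it", secret_id)
            return "denied", None
        raise
    return "ok", json.loads(resp["SecretString"])


def lambda_handler(event, context=None, client=None):
    """Custom IdP contract: return Role/HomeDirectory to accept the login, an empty
    dict to refuse it. Password-only (FTP/FTPS); key-based SFTP is out of scope."""
    if client is None:
        import boto3  # real Lambda: region must be the one the secret lives in
        client = boto3.client("secretsmanager")
    status, secret = fetch_user_secret(client, event["serverId"], event["username"])
    if status != "ok":
        return {}
    supplied = event.get("password")
    if supplied is None or not hmac.compare_digest(
            supplied.encode(), secret.get("Password", "").encode()):
        logger.warning("Authentication failed for %s", event["username"])
        return {}
    out = {"Role": secret["Role"], "HomeDirectory": secret["HomeDirectory"]}
    if "Policy" in secret:          # optional session policy, same as the AWS sample
        out["Policy"] = secret["Policy"]
    return out


if __name__ == "__main__":
    # Constructed demo values (server id, account id, bucket are placeholders).
    sid = build_secret_id("s-1111aaaa2222bbbb3", "camera_lambda")
    arn = expected_secret_arn("eu-west-2", "123456789012", sid)
    print(sid, arn, policy_allows("arn:aws:secretsmanager:eu-west-2:123456789012:secret:aws/transfer/*", arn))
```

Usage note: when the lookup logs "missing", create a secret whose name is byte-for-byte the logged SecretId (same region as the client); when it logs "denied", fix the role's Resource pattern, which can be checked locally with policy_allows() against the ARN shape above.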
