What is Custom Identity Provider policy format?


I am trying to combine AWS Transfer Family, Custom Identity Provider, Lambda functions, and logical directories. We have an AWS Transfer Family that is backed by an S3 bucket. The idea is when a user logs into our SFTP endpoint we use a lambda function to authenticate the user and use logical directories to control which directories they see and the policy to control what they are able to do inside of these directories.

I can't quite figure out how to set the resource values to control permissions.

Everything works without a policy set but when I set the policy like below, I cannot browse or publish to the SFTP endpoint after logging in:

{
    "Version": "2012-10-17",
    "Statement": [
            {
                "Sid": "Folder_Access",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:DeleteObject",
                    "s3:ListBucket"
                    "s3:ListObjectsV2"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name*",
                    "arn:aws:s3:::bucket-name/*"
                    "*"
                ]
            }
        ]
    }
bri
asked 5 months ago, 558 views
1 Answer

I believe you are talking about session policies here; if you are not, can you clarify what you mean by policy?

Session policies are configured in the same fashion as IAM role policies except that session policies can contain certain variables. Session policies can only limit what an IAM role can do and can never grant access to anything an IAM role can't do. For example, if you are using KMS keys for S3 object encryption then the session policy will need to allow KMS operations as well. (If the operation is not called out in the session policy then it will be denied by IAM.)

When it comes to the resources, you would specify the bucket and prefixes you want to access, not the logical directory. Certain permissions like "s3:ListBucket" can only accept the bucket ARN, while other permissions can accept the bucket ARN or an ARN with the full path to a prefix. This can either be combined in a single statement like the one above or broken up into multiple statements.

The policy would also need to be formatted as valid JSON, so when dealing with arrays you will need a comma after every item but the last. I see some missing commas in the above example.

We have example session policies available here: https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html#session-policy

If you continue having issues after reviewing the example policies I would suggest reaching out to support as we may need to review your specific policies or server logs to see what could be causing any issues.

AWS
Brian C
answered 5 months ago
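The answer's two points (the session policy must be valid JSON, and s3:ListBucket takes the bucket ARN while object actions take object ARNs under the real bucket and prefix) are easy to get wrong by hand, so here is an added example of a custom identity provider Lambda that builds such a policy for a logical-directory user, plus a small linter that reports the problems in the posted policy. This is example code written for this page, not code from the original post or from AWS. The bucket name, the role ARN, the in-source user table and the password handling are constructed placeholders; the response keys (Role, Policy, HomeDirectoryType, HomeDirectoryDetails) follow the Transfer Family custom IdP Lambda response contract as I understand it, and the linter checks only the ARN-shape and JSON issues discussed above, not every IAM rule.

```python
"""Custom IdP Lambda for AWS Transfer Family: returns a prefix-scoped session
policy and a logical directory mapping, with a linter for the two mistakes in
the question (invalid JSON, bucket-level action on object ARNs / bare "*")."""
import hmac
import json

# Constructed example data (assumptions, not from the original post).
BUCKET = "bucket-name"
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-s3-access"  # hypothetical role
# Example-only credential store: a real handler looks users up in Secrets
# Manager or a directory and never keeps passwords in source.
USERS = {"alice": {"password": "example-only", "prefix": "clients/alice"}}

# Bucket-level actions take the bucket ARN only; object actions take bucket/key ARNs.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"]


def build_session_policy(bucket, prefix):
    """Two statements: ListBucket on the bucket ARN, narrowed by an s3:prefix
    condition, and the object actions on the prefix's object ARN. Resources
    name the real bucket and prefix, never the logical directory the user sees."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListUserPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": "ObjectAccessInUserPrefix",
                "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
        ],
    }


def _is_object_arn(resource):
    # arn:aws:s3:::bucket        -> bucket ARN (no "/" after the bucket name)
    # arn:aws:s3:::bucket/key/*  -> object ARN
    return "/" in resource.split(":::", 1)[-1]


def lint_session_policy(policy_text):
    """Return a list of problems for a session policy given as JSON text.
    An empty list means it passed these checks (this is not a full IAM validator)."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]  # e.g. a comma missing between array items
    problems = []
    known_actions = BUCKET_LEVEL_ACTIONS | set(OBJECT_ACTIONS)
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            problems.append(f"{sid}: Resource '*' covers every resource the role can reach")
        if BUCKET_LEVEL_ACTIONS & set(actions):
            for r in resources:
                if _is_object_arn(r):
                    problems.append(f"{sid}: bucket-level action listed with object ARN {r}")
        for a in actions:
            if a not in known_actions:  # s3:ListObjectsV2 is an API call, not an IAM action
                problems.append(f"{sid}: {a} is not in this linter's S3 action set; check the IAM action list")
    return problems


def lambda_handler(event, context=None):
    """Transfer Family custom IdP handler. An empty dict means authentication failed."""
    user = USERS.get(event.get("username", ""))
    if user is None or not hmac.compare_digest(event.get("password", ""), user["password"]):
        return {}
    return {
        "Role": ROLE_ARN,
        "Policy": json.dumps(build_session_policy(BUCKET, user["prefix"])),  # JSON string
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{BUCKET}/{user['prefix']}"}]),
    }


# Constructed copies of the question's policy: first as posted (commas missing),
# then with the commas fixed so the remaining ARN problems become visible.
QUESTION_POLICY_AS_POSTED = '''{"Version": "2012-10-17", "Statement": [{"Sid": "Folder_Access",
 "Effect": "Allow", "Action": ["s3:ListBucket" "s3:ListObjectsV2"],
 "Resource": ["arn:aws:s3:::bucket-name/*" "*"]}]}'''
QUESTION_POLICY_COMMAS_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Folder_Access", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
               "s3:DeleteObject", "s3:ListBucket", "s3:ListObjectsV2"],
    "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name*",
                 "arn:aws:s3:::bucket-name/*", "*"]}]})

if __name__ == "__main__":
    print(lint_session_policy(QUESTION_POLICY_AS_POSTED))
    print(lint_session_policy(QUESTION_POLICY_COMMAS_FIXED))
    print(json.dumps(lambda_handler({"username": "alice", "password": "example-only"}), indent=2))
```

Running the linter on the posted text stops at the JSON error, which is the first thing to fix; on the comma-fixed copy it reports the bare "*", the object ARN under s3:ListBucket, and the unrecognised s3:ListObjectsV2. The handler's policy keeps ListBucket and the object actions in separate statements so each gets the ARN shape it needs, and the logical directory mapping ("/" to the user's real prefix) is independent of the policy resources.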
