Hello wmegel@,
Thank you for sharing all the details. Since you observed "Authentication Succeeded", it implies that the connection to the server was established and there shouldn't be any issues with the intermediate network. Concerning the error, I suspect it has something to do with the trust relationship of the associated IAM roles. Could you make changes as follows and test the behavior -
For the Logging Role -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account-id>"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:server/*"
                }
            }
        }
    ]
}
For the User Role -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account-id>"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:user/<server-id>/*"
                }
            }
        }
    ]
}
The rest of the setup that you specified seems accurate to me. Could you make the above changes and test again to confirm whether you can access S3 as desired?
Regarding your question on logging, CloudTrail shows management-level API calls such as CreateServer and CreateUser. For data-level calls to your server, the CloudWatch log group for your server should show the details. Probably the logs didn't populate due to issues in the trust relationship for the logging role. Once you make the above changes, you should see logs being populated in the CloudWatch log group for your server.
I look forward to your update.
Reference: https://docs.aws.amazon.com/transfer/latest/userguide/confused-deputy.html
Thanks, Sagar
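As an added example (not code from the answer or from AWS), the following Python check reads a role's trust policy document and reports any statement that lets transfer.amazonaws.com call sts:AssumeRole without the aws:SourceAccount and aws:SourceArn conditions shown above, which is the confused-deputy protection the referenced documentation describes. The account id, region and server id in the two sample policies are constructed placeholders; the weak sample is there to show what a finding looks like.

```python
import fnmatch
import json

TRANSFER_SERVICE = "transfer.amazonaws.com"

# Constructed sample: user-role trust policy in the shape given in the answer.
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "111122223333"},
      "ArnLike": {"aws:SourceArn": "arn:aws:transfer:us-east-1:111122223333:user/s-0123456789abcdef0/*"}
    }
  }]
}""")

# Constructed sample: same grant with no Condition block at all.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is valid."""
    return value if isinstance(value, list) else [value]


def check_transfer_trust(policy, account_id, expected_source_arn):
    """Return findings for Allow statements that grant transfer.amazonaws.com
    sts:AssumeRole without both confused-deputy conditions. Empty list = OK."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or TRANSFER_SERVICE not in services:
            continue  # not a grant to the Transfer Family service principal
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if not accounts:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        elif account_id not in accounts:
            findings.append(f"statement {i}: aws:SourceAccount {accounts} is not {account_id}")
        # ArnLike uses * and ? wildcards, which fnmatchcase handles the same way.
        patterns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if not patterns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        elif not any(fnmatch.fnmatchcase(expected_source_arn, p) for p in patterns):
            findings.append(f"statement {i}: aws:SourceArn {patterns} does not cover {expected_source_arn}")
    return findings
```

The same function can be run over the output of `aws iam get-role` for the logging role, passing the server ARN pattern instead of the user ARN.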