Access denied using Transfer Family with Lambda Identity Provider

0

Hi all, I need to create my SFTP service using AWS Transfer Family and Lambda as Identity Provider and S3 as Storage.

I created my Lambda function and authentication works but I can't show list of files.

My Node.js lambda is:

exports.handler = async (event) => {
    return {
        "Role":"arn:aws:iam::356173882118:role/sftp-access-s3"
    }
};

Identity provider testing response is:

{
    "Response": "{\"HomeDirectoryType\":\"PATH\",\"Role\":\"arn:aws:iam::356173882118:role/sftp-access-s3\",\"UserName\":\"dasdasd\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
    "StatusCode": 200,
    "Message": ""
}

My role sftp-access-s3 has a policy and a trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::tecnoin-ftp-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I can connect successfully with my ftp client but then i can't see the files. I receive this error:

Permission denied.
Error code: 3
Error message from server (US-ASCII): Access denied

On cloud Watch:

luca.1e5bad7f45e09f0b CONNECTED SourceIP=165.225.202.99 User=luca HomeDir=/ Client=SSH-2.0-WinSCP_release_5.17.10 Role=arn:aws:iam::356173882118:role/sftp-access-s3 UserPolicy="{\"Version\": \"2012-10-17\",\"Statement\": [  {\"Action\": [  \"s3:ListBucket\",  \"s3:GetBucketLocation\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket\"],\"Effect\": \"Allow\",\"Sid\": \"ReadWriteS3\"  },  {\"Action\": [  \"s3:PutObject\",  \"s3:GetObject\",  \"s3:DeleteObject\",  \"s3:DeleteObjectVersion\",  \"s3:GetObjectVersion\",  \"s3:GetObjectACL\",  \"s3:PutObjectACL\"],\"Resource\": [  \"arn:aws:s3:::tecnoin-ftp-bucket/*\"],\"Effect\": \"Allow\",\"Sid\": \"\"  }]}" Kex=ecdh-sha2-nistp256 Ciphers=aes256-ctr,aes256-ctr

luca.1e5bad7f45e09f0b ERROR Message="Access denied"

Could you please support me to solve the issue?

Thanks

luk3tt0
asked 2 months ago33 views
1 Answer
0

Hello luk3tt0@,

Looking at the Test-IdentityProvider output, I don't see the HomeDirectory Field present. This would imply HomeDirectory as /. Further, the log snippet from CloudWatch also mentions the same: User=luca HomeDir=/.

When HomeDirectory is /, User lands in root of S3 where an ls operation lists all the buckets in their account. Since the permissions that you shared don't include s3:ListAllMyBuckets permission for Resource: * the operation returns Access Denied correctly. To resolve this:

  • Either update the User configuration to include the HomeDirectory Field to which you have granted permissions.
  • Or if you want to be able to list all buckets you have in your account, update the IAM Role permissions to have s3:ListAllMyBuckets for Resource: *.

Let me know if you have any other questions.

-- Sagar.

EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions