Logical Directories not working with multiple users

0

Good day

I've implemented the custom IDP using the template (aws-transfer-custom-idp-secrets-manager-apig.template.yml) provided.
I've created a user in Secrets Manager and attached the role containing the below policy, in which I explicitly specify the user's username as the directory, indicated as "user1" for demonstration purposes. I am then able to successfully authenticate via SSH or username/password methods. I then created a new role/policy for a new user and specified the new user's directory as "user2" in the policy. The problem is with the new user: it authenticates fine; however, upon login it generates an "access denied" error and does not seem to place the user in the logical directory specified in Secrets Manager. This error persists with each new user I've attempted to create using the same details as the initial user1. Please assist; I've attached the user format as inserted into Secrets Manager as well as the policy below for your perusal. Thanks

Secrets Manager user PLAINTEXT stored as "SFTP/user2" (note that HomeDirectoryDetails is a JSON string, so its inner quotes are escaped):
{
  "Password": "password",
  "Role": "arn:aws:iam::111111111111:role/rolename",
  "PublicKey": "ssh-rsa AAAA",
  "HomeDirectoryType": "LOGICAL",
  "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/bucketname/user2\"}]"
}

POLICY:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/user2/in/",
        "arn:aws:s3:::bucketname/user2/out/"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucketname/user2/"
    }
  ]
}

Note, this policy works for our use case in that it allows a user to GET/PUT to the in/out folders but denies them PUT at their logical root. The S3 structure is as follows: bucketname/user2/folders, and again it works with the first user created as user1.

Thanks

zayneR
asked 3 years ago, 248 views
2 Answers
0

Hello zayneR,

Could you please send me a private message with the server id, region and the usernames (of the user which is working and one of the users who has an issue)?

Regards,
Panagiotis

answered 3 years ago
0

For those wondering, the DENY statement in my policy was not necessary and needed to be replaced by the ALLOW statement below:

{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion"
  ],
  "Resource": "arn:aws:s3:::bucketname/user1/"
}

Thanks to PanagiotisI-AWS

zayneR
answered 3 years ago
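An added preflight check, not code from the question, the template or AWS: it decodes the nested HomeDirectoryDetails string the way the secret must be stored, then runs a minimal IAM evaluation of a few requests against the logical root, comparing the question's Deny statement with the Allow statement from the answer. Bucket, prefix and statements mirror the page; the trailing `*` on the in/out ARNs and the particular set of requests checked are assumptions.

```python
import fnmatch
import json
# Constructed secret shaped like the question's SFTP/user2 entry. HomeDirectoryDetails is itself
# a JSON string, so its inner quotes must be escaped when the value is stored.
SECRET_STRING = json.dumps({
    "HomeDirectoryType": "LOGICAL",
    "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/bucketname/user2\"}]",
})
RW = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"]
# The question's third statement (explicit Deny at the root prefix) and the answer's replacement.
DENY_ROOT = {"Effect": "Deny", "Action": RW, "Resource": "arn:aws:s3:::bucketname/user2/"}
ALLOW_ROOT_READ = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": "arn:aws:s3:::bucketname/user2/"}

def role_policy(root_statement):
    """Mirror of the question's policy. The in/out ARNs carry a trailing '*' here (assumption):
    without it 'bucketname/user2/in/' matches only that exact key, not the objects beneath it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketname"},
        {"Effect": "Allow", "Action": RW, "Resource": [
            "arn:aws:s3:::bucketname/user2/in/*", "arn:aws:s3:::bucketname/user2/out/*"]},
        root_statement]}

def parse_mappings(secret_string):
    """Decode the nested HomeDirectoryDetails JSON; raises ValueError if the inner string is bad."""
    details = json.loads(json.loads(secret_string)["HomeDirectoryDetails"])
    return [(m["Entry"], m["Target"]) for m in details]

def evaluate(policy, action, resource):
    """One-request IAM evaluation: explicit Deny wins, then Allow, else implicit deny.
    IAM's '*' and '?' wildcards map onto fnmatch, whose '*' also spans '/'."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision

def preflight(policy, target):
    """Requests a session makes at the logical root Target '/bucket/prefix' (assumed set)."""
    bucket, _, prefix = target.lstrip("/").partition("/")
    arn = f"arn:aws:s3:::{bucket}"
    return {"list-bucket": evaluate(policy, "s3:ListBucket", arn),
            "get-root-prefix": evaluate(policy, "s3:GetObject", f"{arn}/{prefix}/"),
            "put-root-prefix": evaluate(policy, "s3:PutObject", f"{arn}/{prefix}/"),
            "put-in-folder": evaluate(policy, "s3:PutObject", f"{arn}/{prefix}/in/report.csv")}
```

With the original Deny statement the read of the root prefix key is explicitly denied; with the replacement it is allowed while a write at the root stays implicitly denied, which is the behaviour the question wanted to keep.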
