AWS File Transfer Family Server and IAM role setup

0

Hi All,

We have setup AWS file transfer server with AWS directory service (connected to Microsoft AD) authentication. As per use case, once user login to sftp, user should be able to see two directory within their own folder. {username}/folder1 {username}/folder2

I have setup below Access policy and IAM policy (attached to S3)

create-access CLI:

aws transfer create-access \
    --home-directory-type LOGICAL \
    --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1" },{ "Entry": "/folder2", "Target":"/bucket_name/${transfer:UserName}/folder2"}]' \
    --role arn:aws:iam::account_id:role/iam_role \
    --server-id s-1234567876454ert \
    --external-id S-1-2-34-56789123-12345678-1234567898-1234

access policy was created successfully.

Below IAM role is attached to S3 bucket and file-transfer server.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/${transfer:UserName}/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}

When user login to sftp, they do not see folder1 & folder2 in their own directory. Can anyone help if anything missing in IAM policy?

Thank You

3 Answers
0

Does the IAM role have permissions to folder1 and folder2 locally?

answered a month ago
  • Hi @jschwar313

    Thanks for reply. Yes, IAM role has permission to all folders within user directory. "arn:aws:s3:::bucket_name/${transfer:UserName}/*"

    When user logged in, they land into their own directory (based on username) but "folder1" and "folder2" directory are missing. I checked directly into S3 bucket as well with admin access, dont see directory auto created under username folder. However folder based on username is created automatically under S3.

0

Hello,

Thank you for your response. I understand that the SFTP user is unable to see "folder1" and "folder2" when connected.

Please note that these folders need to be first created in S3; these sub-folders are not automatically created on your behalf.

I tested a setup at my end to validate this configuration. If these folders are not pre-created in S3, then the SFTP user will not be able to see them when connected via SFTP.

Requesting you to create - "folder1" and "folder2" under "${transfer:UserName}" prefix in the S3 bucket and then try to reconnect from SFTP.

Thank you.

SUPPORT ENGINEER
answered a month ago
0

I tried to create folder under "${transfer:UserName}" prefix but it does not allow. I am sure, I am doing something wrong. We have 3000 users and each user will land in their own directory only and should see "folder1" and "folder2" thats the use case.

Error

profile picture
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions