AWS File Transfer Family Server and IAM role setup


Hi All,

We have set up an AWS Transfer Family server with AWS Directory Service (connected to Microsoft AD) authentication. As per the use case, once a user logs in to SFTP, the user should be able to see two directories within their own folder: {username}/folder1 and {username}/folder2

I have set up the access policy and IAM policy (attached to S3) below.

create-access CLI:

aws transfer create-access \
    --home-directory-type LOGICAL \
    --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1" },{ "Entry": "/folder2", "Target":"/bucket_name/${transfer:UserName}/folder2"}]' \
    --role arn:aws:iam::account_id:role/iam_role \
    --server-id s-1234567876454ert \
    --external-id S-1-2-34-56789123-12345678-1234567898-1234

The access policy was created successfully.

The IAM role below is attached to the S3 bucket and the file transfer server.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/${transfer:UserName}/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}

When users log in to SFTP, they do not see folder1 & folder2 in their own directory. Can anyone help if anything is missing in the IAM policy?

Thank You

3 Answers

Does the IAM role have permissions to folder1 and folder2 locally?

answered 2 years ago
  • Hi @jschwar313

    Thanks for the reply. Yes, the IAM role has permission to all folders within the user directory: "arn:aws:s3:::bucket_name/${transfer:UserName}/*"

    When a user logs in, they land in their own directory (based on username), but the "folder1" and "folder2" directories are missing. I checked directly in the S3 bucket as well with admin access and don't see the directories auto-created under the username folder. However, the folder based on the username is created automatically in S3.


Hello,

Thank you for your response. I understand that the SFTP user is unable to see "folder1" and "folder2" when connected.

Please note that these folders need to be first created in S3; these sub-folders are not automatically created on your behalf.

I tested a setup at my end to validate this configuration. If these folders are not pre-created in S3, then the SFTP user will not be able to see them when connected via SFTP.

Requesting you to create "folder1" and "folder2" under the "${transfer:UserName}" prefix in the S3 bucket and then try to reconnect from SFTP.

Thank you.

AWS
SUPPORT ENGINEER
answered a year ago
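One way to pre-create the placeholders the answer above calls for, across many users at once, as an added example that is not part of this thread or of any AWS tooling. It parses the same home-directory-mappings JSON passed to create-access, substitutes ${transfer:UserName} for each user, and writes a zero-byte "folder/" object only where nothing exists under that prefix yet; the FakeS3 class is an assumed in-memory stand-in so the block runs offline, and a real boto3.client("s3") exposes the same two methods.

```python
import json

# Constructed sample: the mapping JSON from the question's create-access call
MAPPINGS_JSON = ('[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1"},'
                 '{"Entry":"/folder2","Target":"/bucket_name/${transfer:UserName}/folder2"}]')


def target_keys(mappings_json, username):
    """Return (bucket, key) pairs that must exist for the user's mappings to resolve.

    Each Target has the form "/<bucket>/<prefix>"; ${transfer:UserName} is replaced
    with the given user and a trailing "/" marks the S3 folder placeholder object."""
    pairs = []
    for mapping in json.loads(mappings_json):
        target = mapping["Target"].replace("${transfer:UserName}", username)
        bucket, _, prefix = target.lstrip("/").partition("/")
        pairs.append((bucket, prefix.rstrip("/") + "/"))
    return pairs


def ensure_folders(s3, mappings_json, usernames):
    """Create missing folder placeholders; returns the list of keys it created.

    `s3` is any object with boto3-style list_objects_v2 / put_object methods.
    A prefix that already holds any object (placeholder or file) is left alone."""
    created = []
    for user in usernames:
        for bucket, key in target_keys(mappings_json, user):
            resp = s3.list_objects_v2(Bucket=bucket, Prefix=key, MaxKeys=1)
            if resp.get("KeyCount", 0) == 0:
                s3.put_object(Bucket=bucket, Key=key, Body=b"")
                created.append(key)
    return created


class FakeS3:
    """Assumed in-memory stand-in for boto3's S3 client so the example runs offline."""
    def __init__(self, keys=()):
        self.keys = set(keys)

    def list_objects_v2(self, Bucket, Prefix, MaxKeys=1000):
        hits = [k for k in self.keys if k.startswith(Prefix)]
        return {"KeyCount": len(hits[:MaxKeys])}

    def put_object(self, Bucket, Key, Body=b""):
        self.keys.add(Key)


if __name__ == "__main__":
    s3 = FakeS3({"alice/folder1/"})  # constructed state: alice already has folder1
    print(ensure_folders(s3, MAPPINGS_JSON, ["alice", "bob"]))
    # replace FakeS3 with boto3.client("s3") to run against the real bucket
```

Against a real bucket the script runs under the caller's own credentials, not the Transfer server's role, so the caller needs s3:ListBucket on the bucket and s3:PutObject on the user prefixes.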

I tried to create a folder under the "${transfer:UserName}" prefix, but it does not allow it. I am sure I am doing something wrong. We have 3000 users, and each user will land in their own directory only and should see "folder1" and "folder2"; that's the use case.

Error

answered a year ago
