How do I configure my Transfer Family server to use an Amazon EFS file system that's in another AWS account?

3 分钟阅读
1

I want my AWS Transfer Family server in my account to access an Amazon Elastic File System (Amazon EFS) file system in another AWS account. I also want to set up my Transfer Family server with cross-account access to the Amazon EFS file system.

Resolution

Follow these steps:

  1. Create an AWS Identity and Access Management (IAM) role in account A with access to the file system in account B.
  2. Create a Transfer Family server user that's configured with the IAM role in account A.
  3. Verify that your Transfer Family server user in account A can access the file system in account B.

Note: The AWS Transfer Family console shows only the Amazon EFS file system in the same account. To use your Transfer Family server with a file system in another account, use the AWS Command Line Interface (AWS CLI) or an AWS SDK.

Create an IAM role in account A with access to the file system

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

  1. Create an IAM role for your server users. For the role's IAM policy, use the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RootFileSystemAccess",
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:ClientRootAccess",
            "elasticfilesystem:ClientMount",
            "elasticfilesystem:ClientWrite"
          ],
          "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
        }
      ]
    }
  2. Add a policy in the file system for account B that gives permission to the IAM role from account A created in the previous step:

    {
      "Sid": "EFS-TransferFamily",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccounA-id:role/RoleName"
      },
      "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
    }

Create a Transfer Family server user with the IAM role in account A

Use the following AWS CLI command create-user to create a Transfer Family user:

$ aws transfer create-user --user-name "sftp" --server-id "SERVER-ID"
 --role "arn:aws:iam::accountA-id:role/RoleName" --home-directory "/file-system-id/username"

The command returns the server ID and the user that you created similar to the following:

{
  "ServerId":  "MY_SERVER_ID",
  "UserName":  "MY_SERVER_USER_NAME"
}

Verify that your Transfer Family server user in account A can access the bucket in account B

  1. Connect to your server as the user that you created. For example, this OpenSSH command connects to an SFTP server:

    $ sftp -i myserveruser MY_SERVER_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com
  2. List the home directory of the bucket. If you use OpenSSH, then run this command:

    $ ls

If the command returns the home directory, then your server user has cross-account access to the Amazon EFS file system.

Related information

Create an SFTP-enabled server

Creating file system policies

How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?

Configuring cross-account access for Transfer Family

AWS 官方
AWS 官方已更新 4 个月前
2评论

Change the line "Verify that your Transfer Family server user in account A can access the bucket in account B" to "Verify that your Transfer Family server user in account A can access the file system in account B"

AWS
已回复 3 个月前

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
审核人员
已回复 3 个月前