AWS Transfer Family Posix Users


We have an AWS Transfer Family fronting EFS and managing users through the application. This instance is internal and is single-homed -- our users access it internally from a single address. Because all of the users are internal, we allow them to navigate the file system and to use symbolic links. We manage the instance from an EC2 instance that mounts the EFS volume with root privileges.

In order to better manage users -- e.g. assign and manage numeric UIDs and GIDs -- we would like to export our user list to /etc/group and /etc/passwd-style lists. We would then be able to assign User and Group ownerships, and secondary Groups, on the management server. All UID and GID assignments are local to the Transfer Family instance -- they do not use IAM roles at all. Managing primary and secondary groups and ensuring unique UIDs would settle the requests for 777 permissions on home directories.

已提问 1 年前499 查看次数
1 回答

You did not specify here what type of identity provider you are using in this server but from the context I am assuming you are using the SFTP Service Managed users option.

I can think of a few steps that could extract the current user collection and provide it as a csv style collection of the format username:UID:GID which is as much information we can find in the service today. We do have access to GID as to what group name this would map into and as such one would need some other data collection to resolve GID to group name associations. With this type of information you can probably start building a set of command line tools that would generate a result that would come close to a usable /etc/passwd and /etc/group file database.

To start with we need a step to extract the username:UID:GID information from all users in the service using their PosixProfile definition.

aws transfer list-users --server-id s-XXXXXXXXXXX --query 'Users[].UserName' --output text

Then you need to iterate over the resulting list to query each one and produce a CSV output of the form "username",uid,gid,"sec_gid1,sec_gid2"

The following can provide the information using the jq command line JSON parser.

aws transfer  describe-user --server-id "s-XXXXXXXXXXX" --user-name username --query 'User' --output json | jq -r '[ .UserName, .PosixProfile.Uid, .PosixProfile.Gid, "" + (.PosixProfile.SecondaryGids | @csv) + "" ] | @csv'

I can see this type of script making an initial attempt at extracting the information in a csv but the rest is up to you to implement such that you can massage this into a useful passwd/group file format for your use.



users=$(aws transfer list-users --server-id $serverId --query 'Users[].UserName' --output text)

for user in $users
   aws transfer  describe-user --server-id $serverId --user-name $user --query 'User' --output json | jq -r '[ .UserName, .PosixProfile.Uid, .PosixProfile.Gid, "" + (.PosixProfile.SecondaryGids | @csv) + "" ] | @csv'

The output looks like this and can be redirected to a file if needed to use as CSV data for further processing.


I hope this gives you a way to make your application and user management.


已回答 1 年前
  • Thanks! You assumed correctly -- this instance is using the SFTP Managed Users option. All UID and GID values, as well as usernames and group names are local to the context of the AWS-TF instance. Your suggestion looks like it could be a solution. We'll work through this a bit and post the result.

您未登录。 登录 发布回答。