How to allow access to EFS from SFTP using lambda as Identity Provider?


I'm trying to build an SFTP server for an EFS that uses a Lambda function to check the username and password provided against a secret in AWS.

I followed this article but changed it a bit: I'm not using an API Gateway, I use the Lambda function directly as the identity provider, which fetches the following data from Secrets Manager:

    {
      "Role": "arn:aws:iam::xxxxxxxxxxx:role/my-transfer-role",
      "PosixProfile": {
        "Uid": 1001,
        "Gid": 1001,
        "SecondaryGids": []
      },
      "HomeDirectory": "/"
    }

So far I can only connect to the SFTP server, but I can't read or write what's on the EFS: Message="Unable to list directory: permission denied for /"

I created a role and a policy attached to Transfer with permissions on my EFS, as explained in this guide.

Is there something I'm missing in this configuration? Thanks

  • Hello Hicham, Sagar,

    Could you please attach the Lambda code and the Secrets Manager POSIX format that you are using? I am trying to deploy the same configuration but it always returns the error 'Missing POSIX profile' even though Secrets Manager has a PosixProfile.

    Regards, Nitesh D

1 answer

Accepted answer

@HichamZouarhi,

Considering you are able to connect to the server and authenticate, the overall Lambda IDP configuration seems to be working. Regarding your error, I believe you need to provide the EFS id within the HomeDirectory to be able to access it. Right now, with HomeDirectory: /, it assumes the root of EFS and probably attempts to list the available EFS resources. Unless you have permissions for that, the error would be the expected behavior.

Could you update the HomeDirectory to the EFS resource you are trying to access? Example: HomeDirectory: /fs-000000/user. Further, you need to ensure that the folder you are trying to access is accessible using the POSIX configuration you specified: (1001, 1001) in your case.

References:

Let me know if you have follow up questions.

-- Sagar

AWS
Expert
Answered 1 year ago
  • Thanks Sagar, I thought at first that my SFTP would be linked directly to the EFS for which I gave permission in the policy. By adding the file system id to HomeDirectory it worked. Have a nice day :)
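To make the accepted answer concrete, here is an added example of a Lambda custom identity provider for an EFS-backed Transfer Family server. It is not the original poster's code or Sagar's; it only illustrates the two points made above (the HomeDirectory must start with the EFS file system id, and the POSIX profile must be returned with numeric Uid/Gid). The secret-id convention "<prefix>/<serverId>/<username>", the SECRET_PREFIX environment variable and the secret keys Password, Role, PosixProfile and HomeDirectory are assumptions, not from the page. The Secrets Manager call is isolated in fetch_secret() so the policy logic runs offline.

```python
"""Added example (not the poster's code): Lambda identity provider for an
AWS Transfer Family SFTP server whose storage is EFS.

Transfer calls the Lambda with {username, password, serverId, protocol,
sourceIp} and expects Role / HomeDirectory / PosixProfile back, or an empty
object to deny. Secret layout and naming below are assumptions.
"""
import hmac
import json
import os
import re

# Restrict usernames to a safe charset so the username can never steer the
# Secrets Manager lookup to a different secret ("../", "/", spaces, ...).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# With EFS storage the file system id must be the first path component of
# HomeDirectory, e.g. "/fs-0123456789abcdef/user". A bare "/" is unusable.
EFS_HOME_RE = re.compile(r"^/fs-[0-9a-f]{8,}(/[^/]+)*$")


def fetch_secret(secret_id):
    """Fetch and JSON-decode a secret. Needs boto3 and AWS credentials."""
    import boto3  # imported here so the rest of the module runs offline
    client = boto3.client("secretsmanager")
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


def valid_username(username):
    return isinstance(username, str) and USERNAME_RE.match(username) is not None


def valid_efs_home(home):
    """True only for "/fs-<id>" or "/fs-<id>/sub/dir" style paths."""
    return isinstance(home, str) and EFS_HOME_RE.match(home) is not None


def build_response(secret, password):
    """Map a stored secret (dict) to the Transfer identity-provider response.

    Returns {} (deny) on a wrong password or an unusable secret, so a
    misconfigured secret can never grant access by accident.
    """
    stored = secret.get("Password")
    if not isinstance(stored, str) or not isinstance(password, str):
        return {}
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return {}
    home = secret.get("HomeDirectory")
    posix = secret.get("PosixProfile") or {}
    if "Role" not in secret or "Uid" not in posix or "Gid" not in posix:
        return {}
    if not valid_efs_home(home):  # "/" would yield "permission denied for /"
        return {}
    return {
        "Role": secret["Role"],
        "HomeDirectory": home,
        "PosixProfile": {
            # Transfer wants integers here; coerce in case the secret stores
            # them as strings.
            "Uid": int(posix["Uid"]),
            "Gid": int(posix["Gid"]),
            "SecondaryGids": [int(g) for g in posix.get("SecondaryGids", [])],
        },
    }


def lambda_handler(event, context):
    username = event.get("username", "")
    if not valid_username(username):
        return {}
    prefix = os.environ.get("SECRET_PREFIX", "sftp")  # assumed env var
    secret_id = f"{prefix}/{event.get('serverId', '')}/{username}"
    try:
        secret = fetch_secret(secret_id)
    except Exception:
        return {}  # unknown user or lookup failure: deny without saying why
    return build_response(secret, event.get("password"))
```

The handler denies on every failure path with an empty object rather than raising, so an attacker probing usernames gets the same answer for "no such secret" and "wrong password". The home-directory check is what turns the poster's symptom into a deploy-time failure instead of a runtime "permission denied for /".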
