Connecting to AWS Transfer for SFTP


Problem description


I am having trouble connecting to AWS Transfer for SFTP. I successfully set up a server and tried to connect using WinSCP.

I set up an IAM role with a trust relationship as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I paired this with a scope-down policy, as described in the documentation, using a home directory homebucket and home directory homedir:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListHomeDir",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}"
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

I was able to authenticate using an SSH key, but when it came to actually reading/writing files I just kept getting opaque errors like "Error looking up homedir" and failed "readdir". This all smells very much like problems with my IAM policy, but I haven't been able to figure it out.

Solution

We had similar issues getting the scope-down policy to work with our users on AWS Transfer. The solution that worked for us was creating two different kinds of policies.

  • Policy to attach to the role which has general rights on the whole bucket.
  • Scope-down policy to apply to the user, which makes use of the transfer service variables like ${transfer:UserName}.

We concluded that maybe only the extra attached policy is able to resolve the transfer service variables. We are not sure if this is correct and if this is the best solution, because this opens the possible risk, when forgetting to attach the scope-down policy, of creating a kind of "admin" user. So I'd be glad to get input to further lock this down a little bit.

Here is how it looks in my console when looking at the transfer user details:

Here are our two policies we use:
General policy to attach to IAM role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        }
    ]
}

Scope down policy to apply to transfer user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:UserName}/*",
                        "${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}
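The following is an added example, not code from the question or the answer above. It is a small, hypothetical Python simulator of how the two policies in the answer combine for one Transfer user, written to make the "two policies" point concrete: a request is allowed only if the role policy allows it AND the scope-down (session) policy, with its ${transfer:*} variables resolved for the logged-in user, also allows it. It models only what these policies use (Effect: Allow, IAM-style * wildcards in Action and Resource, a StringLike condition on s3:prefix) and nothing else (no explicit Deny, no bucket policies). The user name "alice", the requests, and the assumption that ${transfer:HomeDirectory} resolves to "<bucket>/<user>" without a leading slash are all mine; the bucket name "my-s3-bucket" and both policies are taken verbatim from the answer. The question's policies have the same shape and can be dropped in through the session_policy parameter to compare.

```python
import fnmatch
import json
import re
from typing import Any, Dict, List, Optional

# Role policy as posted in the answer (bucket name kept as "my-s3-bucket").
ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::my-s3-bucket"]},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                    "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::my-s3-bucket/*"},
    ],
}

# Scope-down (session) policy as posted, transfer variables still unresolved.
SESSION_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
         "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*",
                                                    "${transfer:UserName}"]}}},
        {"Sid": "AWSTransferRequirements", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": "*"},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                    "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"},
    ],
}

VAR_RE = re.compile(r"\$\{(transfer:[A-Za-z]+)\}")


def as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def resolve_session_policy(policy: Dict[str, Any], user: str, bucket: str) -> Dict[str, Any]:
    """Substitute ${transfer:*} as the service does at session start."""
    # Assumption (not from the page): a HomeDirectory of "/<bucket>/<user>" resolves to
    # "<bucket>/<user>" without the leading slash, so the posted pattern becomes
    # "arn:aws:s3:::<bucket>/<user>*".
    values = {"transfer:UserName": user, "transfer:HomeBucket": bucket,
              "transfer:HomeDirectory": f"{bucket}/{user}"}
    return json.loads(VAR_RE.sub(lambda m: values[m.group(1)], json.dumps(policy)))


def statement_allows(stmt: Dict[str, Any], action: str, resource: str,
                     context: Dict[str, str]) -> bool:
    """One Allow statement with IAM-style * wildcards; a missing condition key never matches."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, p) for p in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns)):
                return False
    return True


def policy_allows(policy: Dict[str, Any], action: str, resource: str,
                  context: Optional[Dict[str, str]] = None) -> bool:
    context = context or {}
    return any(statement_allows(s, action, resource, context) for s in policy["Statement"])


def transfer_allows(user: str, bucket: str, action: str, resource: str,
                    context: Optional[Dict[str, str]] = None,
                    session_policy: Optional[Dict[str, Any]] = SESSION_POLICY) -> bool:
    """Effective decision: the role policy AND the resolved session policy must both allow."""
    # session_policy=None models the risk the answer raises: a user created without the
    # scope-down policy keeps every right the role grants on the whole bucket.
    if not policy_allows(ROLE_POLICY, action, resource, context):
        return False
    if session_policy is None:
        return True
    return policy_allows(resolve_session_policy(session_policy, user, bucket),
                         action, resource, context)


if __name__ == "__main__":
    b = "my-s3-bucket"  # constructed requests for a user named "alice"
    for label, action, resource, ctx in [
        ("own file", "s3:GetObject", f"arn:aws:s3:::{b}/alice/report.csv", {}),
        ("bob's file", "s3:GetObject", f"arn:aws:s3:::{b}/bob/report.csv", {}),
        ("list own prefix", "s3:ListBucket", f"arn:aws:s3:::{b}", {"s3:prefix": "alice/"}),
        ("sibling prefix", "s3:GetObject", f"arn:aws:s3:::{b}/alice-archive/old.csv", {}),
    ]:
        print(f"{label:16} {action:13} -> {transfer_allows('alice', b, action, resource, ctx)}")
```

Two things the simulation makes visible. First, the role policy alone already grants every user read/write/delete on the whole bucket, so the answer's worry is real: calling transfer_allows with session_policy=None lets "alice" read "bob/report.csv". Second, the posted object resource "arn:aws:s3:::${transfer:HomeDirectory}*" has no separator before the wildcard, so after resolution it is "arn:aws:s3:::my-s3-bucket/alice*" and also matches a sibling prefix such as "alice-archive/"; the ListBucket condition uses "${transfer:UserName}/*" and does not share this problem. Using "${transfer:HomeDirectory}/*" for the object statement closes that gap. Against a real server, the policy actually attached to a user can be read back with `aws transfer describe-user`; this simulator is only a way to reason about the intersection before deploying.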
