I was trying to setup Custom Identity Provider (lambda) for the AWS transfer family. I was able to setup successfully with both Username/Password and SSH authentication. But while trying I was using two different roles with policies attached giving permission only for the users specific folders. I am wondering is there a way where I can dynamically create the policies based of the users and their HomeDirectory, instead of roles for each users.
Eg: For the Server managed users we do have policy like below, the same policy can be attached to all the users and it evaluates dynamically.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeFolder}/*",
"${transfer:HomeFolder}"
]
}
}
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObjectACL",
"s3:PutObjectACL"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
} ```
Is there an way to achieve the same as above for the custom Identity provider with lambda and Secrets manager?
