
I am getting the below error message when assigning a session policy to a user in AWS Transfer Family from the AWS Management Console:

Failed to edit user details (${transfer:Home*} variable used in policy for a user with a logical home directory)


Ajay

1 Answer

Creating a session policy for an Amazon S3 bucket

A session policy is an AWS Identity and Access Management (IAM) policy that restricts users to certain portions of an Amazon S3 bucket. It does so by evaluating access in real time.

Note:

You can use a session policy when you need to give the same access to a group of users to a particular portion of your Amazon S3 bucket. For example, a group of users might need access to only the home directory. That group of users shares the same IAM role.

To create a session policy, use the following policy variables in your IAM policy:

${transfer:HomeBucket}

${transfer:HomeFolder}

${transfer:HomeDirectory}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}

Create SFTP user programmatically

import json
import boto3

# Managed IAM policy that holds the session policy shown above (fill in the placeholders)
user_session_policy_arn = 'arn:aws:iam::<account-no>:policy/<policy-name>'

# For HomeDirectoryType='PATH' the home directory is "/<bucket>[/<prefix>]"
user_bucket_name = '<bucket-name>'


def lambda_handler(event, context):
    transfer_client = boto3.client('transfer')
    iam_client = boto3.client('iam')

    # Fetch the policy version that should be applied as the session policy
    response = iam_client.get_policy_version(
        PolicyArn=user_session_policy_arn,
        VersionId='v2'
    )

    # boto3 returns the policy document already URL-decoded and parsed into a dict
    policy_document = response['PolicyVersion']['Document']

    # A PATH home directory is what lets the ${transfer:Home*} variables resolve per session
    response = transfer_client.create_user(
        ServerId='AWS_TRANSFER_SERVER_ID',
        UserName='myusername',
        HomeDirectoryType='PATH',
        HomeDirectory=f'/{user_bucket_name}',
        Role='arn:aws:iam::<account_no>:role/<role_name>',
        Policy=json.dumps(policy_document),
        SshPublicKeyBody='<USER_PUBLIC_KEY>'
    )

    return {'ServerId': response['ServerId'], 'UserName': response['UserName']}

IAM role required for the above code to execute on Lambda (the resource in the GetPolicyVersion statement is the session policy created above for the user):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "lambdaPermissionTOCreateTransferUser",
            "Effect": "Allow",
            "Action": [
                "transfer:CreateUser",
                "transfer:DeleteUser"
            ],
            "Resource": [
                "arn:aws:transfer:${Region}:${Account}:server/${ServerId}"
            ]
        },
        {
            "Sid": "GetPolicyVersion",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:policy/${Policy_name}"
            ]
        },
        {
            "Sid": "AssignRoleToServerUser",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:role/${Role_name}"
            ]
        }
    ]
}

The Transfer Family server resource has the following ARN:

arn:aws:transfer:${Region}:${Account}:server/${ServerId}


Ajay
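Added example, not part of Ajay's question or answer: a small Python helper that reproduces, offline, the rule behind the console error above. Transfer Family only resolves the `${transfer:HomeBucket}`, `${transfer:HomeFolder}` and `${transfer:HomeDirectory}` variables for a user whose `HomeDirectoryType` is `PATH`, so a `LOGICAL` user (one with `HomeDirectoryMappings`) must be given a session policy with concrete bucket and prefix values instead. The code renders the answer's session policy template the way the service does for a PATH home directory (`/bucket/prefix` becomes `HomeDirectory=bucket/prefix`, `HomeBucket=bucket`, `HomeFolder=prefix`), refuses the variable-based template for a logical user, and for a single-mapping logical user substitutes the mapping target. The function names, bucket name, username, server ID and role ARN are assumptions made for the example; the kwargs it builds are meant to be passed straight to `boto3.client('transfer').create_user(**kwargs)`.

```python
"""Scope-down session policy helpers for AWS Transfer Family users.

Added example, not from the original answer. It reproduces the check behind
the console error "${transfer:Home*} variable used in policy for a user with
a logical home directory": the Home* variables are only resolved for
HomeDirectoryType='PATH' users, so a LOGICAL user must get concrete values.
All names, ARNs and bucket names below are constructed placeholders.
"""
import json
import re

# Same template as the session policy in the answer above.
SESSION_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]
                }
            },
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}

HOME_VAR_RE = re.compile(r"\$\{transfer:Home\w*\}")


def uses_home_variables(policy):
    """True if the policy document references any ${transfer:Home*} variable."""
    return bool(HOME_VAR_RE.search(json.dumps(policy)))


def home_variables_for(home_directory):
    """Values the service substitutes for a PATH user whose HomeDirectory is '/bucket/prefix'.

    HomeDirectory -> 'bucket/prefix' (leading slash dropped), HomeBucket -> 'bucket',
    HomeFolder -> 'prefix' (empty when the home directory is the bucket root).
    """
    if not home_directory.startswith("/"):
        raise ValueError("HomeDirectory must start with '/'")
    stripped = home_directory.strip("/")
    bucket, _, folder = stripped.partition("/")
    if not bucket:
        raise ValueError("HomeDirectory must name a bucket")
    return {
        "${transfer:HomeDirectory}": stripped,
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
    }


def render_session_policy(policy, home_directory):
    """Return a copy of the policy with the Home* variables replaced by concrete values."""
    text = json.dumps(policy)
    for var, value in home_variables_for(home_directory).items():
        text = text.replace(var, value)
    return json.loads(text)


def policy_for_logical_user(template, home_directory_mappings):
    """Concrete policy for a LOGICAL user: render the template against the single mapping target.

    This is the approach taken in this example, not an AWS-provided API; multi-mapping users
    need a hand-written policy covering every target.
    """
    if len(home_directory_mappings) != 1:
        raise ValueError("example only handles a single Entry/Target mapping")
    return render_session_policy(template, home_directory_mappings[0]["Target"])


def build_create_user_kwargs(server_id, user_name, role_arn, policy,
                             home_directory=None, home_directory_mappings=None):
    """Assemble create_user() arguments, refusing the combination the console rejects."""
    kwargs = {"ServerId": server_id, "UserName": user_name, "Role": role_arn}
    if home_directory is not None and home_directory_mappings is None:
        # PATH user: the service resolves ${transfer:Home*} per session, so the template is fine
        kwargs["HomeDirectoryType"] = "PATH"
        kwargs["HomeDirectory"] = home_directory
    elif home_directory_mappings is not None and home_directory is None:
        if uses_home_variables(policy):
            raise ValueError("${transfer:Home*} variables cannot be used with a logical home directory")
        kwargs["HomeDirectoryType"] = "LOGICAL"
        kwargs["HomeDirectoryMappings"] = home_directory_mappings
    else:
        raise ValueError("give exactly one of home_directory or home_directory_mappings")
    kwargs["Policy"] = json.dumps(policy)  # session policy is passed as a JSON string
    return kwargs
```

Calling `build_create_user_kwargs` with the unrendered template and `home_directory_mappings` raises the same objection the console does; passing `policy_for_logical_user(...)` instead yields a policy with no `${transfer:` left in it, which is what a logical-directory user needs.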