AWS Lambda is never called for authentication in AWS Transfer Family


I'm trying to set up AWS Transfer Family with an AWS Lambda function as a custom identity provider. Unfortunately the Lambda is never called. Every time I run the identity provider test I get:

{
    "Response": "{}",
    "StatusCode": 403,
    "Message": "Lambda function configuration error: AccessDeniedException"
}

These are the permission policies defined for the role of the Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "lambda:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:eu-central-1:log.group.number:*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-central-1:087690012243:log-group:/aws/lambda/name-of-my-lambda:*"
        }
    ]
}

But I'm not sure this is really relevant. It feels like the Transfer Family server is lacking the right to call the Lambda. But I cannot find any setting to add a role or policy to the Transfer Family server itself.

Any ideas what's missing?


The Lambda also needs a resource-based policy which gives the AWS Transfer Family server the right to call it. This can be configured at the very bottom of the Lambda configuration GUI in the "Configuration" tab.

The following values have to be entered:

Statement ID: statement01
Principal: transfer.amazonaws.com
Effect: Allow
Action: lambda:InvokeFunction
Conditions:

{
 "ArnLike": {
  "AWS:SourceArn": "arn:aws:transfer:eu-central-1:your-account-number:server/your-aws-transfer-family-server-id"
 }
}
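As an added example (not code from the question or the answer), the following Python builds the same resource-policy statement the console fields above produce and audits a Lambda resource policy (the "Policy" string returned by `aws lambda get-policy`) for Transfer Family grants that lack the SourceArn/SourceAccount condition, which would let any Transfer server in any account invoke the function. The ARNs and the sample policy are constructed placeholders.

```python
import json

TRANSFER = "transfer.amazonaws.com"
# Constructed placeholders; substitute your own account, region, function and server id.
FUNCTION_ARN = "arn:aws:lambda:eu-central-1:123456789012:function:name-of-my-lambda"
SERVER_ARN = "arn:aws:transfer:eu-central-1:123456789012:server/s-0123456789abcdef0"

def transfer_invoke_statement(sid, function_arn, server_arn):
    """The resource-policy statement the console fields in the answer produce."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": TRANSFER},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        # Pins the grant to one Transfer server (confused-deputy protection).
        "Condition": {"ArnLike": {"AWS:SourceArn": server_arn}},
    }

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def unscoped_transfer_grants(policy_json):
    """Sids of Allow statements that let transfer.amazonaws.com invoke the
    function with no aws:SourceArn / aws:SourceAccount condition."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or TRANSFER not in services:
            continue
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        # Condition keys are case-insensitive; the console writes "AWS:SourceArn".
        keys = {k.lower() for cond in st.get("Condition", {}).values() for k in cond}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

# Constructed sample shaped like the "Policy" string `aws lambda get-policy` returns:
# one correctly scoped statement and one that is open to every Transfer server.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    transfer_invoke_statement("statement01", FUNCTION_ARN, SERVER_ARN),
    {"Sid": "too-broad", "Effect": "Allow", "Principal": {"Service": TRANSFER},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
]})
```

Running `unscoped_transfer_grants(SAMPLE_POLICY)` reports only "too-broad"; the statement built from the answer's fields passes.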