I am getting the below error message when assigning a session policy to a user in AWS Transfer Family from the AWS Management Console:

Failed to edit user details (${transfer:Home*} variable used in policy for a user with a logical home directory)


2

There are 2 best solutions below

0

I was having this problem and I found a few problems with my setup.

  1. My S3 bucket permissions were not correct. I ended up setting my policy to match the policy mentioned in this blog post as a start:

https://aws.amazon.com/blogs/aws/new-aws-transfer-for-sftp-fully-managed-sftp-service-for-amazon-s3/

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::data-transfer-inbound"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::data-transfer-inbound/jeff/*"
        }
    ]
}

  2. Once complete, I read the following:

"you generally do not need both session policies and logical directories... having both can cause permission denied errors."

I took that to mean that you do NOT want both a session policy added to the SFTP User and the restricted check box. I tested both the restricted checkbox with no policy and the Auto-generated policy in the user SFTP page. They both locked down the bucket.

The restricted checkbox has the advantage of not showing the bucket name.

Hope this helps someone else!
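The rule behind the console error in the question, and the two configurations the answer above found to work, can be checked before calling the API. The following is an added example, not code from the answer or from AWS: it rejects a session policy that uses `${transfer:Home*}` variables when `HomeDirectoryType` is `LOGICAL`, and builds either a `PATH` user with a session policy or a `LOGICAL` user whose root is mapped to their folder (what the "Restricted" checkbox produces) with no session policy. Server ID, bucket, role ARN and key are constructed placeholders; the 2048-byte limit is the documented maximum for the `Policy` parameter.

```python
import json
import re

# Matches any of the three Transfer Family session-policy variables.
HOME_VAR = re.compile(r"\$\{transfer:Home(?:Bucket|Folder|Directory)\}")

# Session policy scoped to the user's own folder via the transfer:Home* variables.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                       "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*",
        },
    ],
}

MAX_POLICY_BYTES = 2048  # maximum length of the Policy parameter on CreateUser/UpdateUser


def validate_user(params):
    """Return the problems Transfer Family would reject in a CreateUser parameter dict."""
    problems = []
    home_type = params.get("HomeDirectoryType", "PATH")
    policy = params.get("Policy")
    if policy is not None and len(policy.encode("utf-8")) > MAX_POLICY_BYTES:
        problems.append("session policy exceeds %d bytes" % MAX_POLICY_BYTES)
    if home_type == "LOGICAL":
        if not params.get("HomeDirectoryMappings"):
            problems.append("LOGICAL home directory needs HomeDirectoryMappings")
        if "HomeDirectory" in params:
            problems.append("HomeDirectory is ignored when HomeDirectoryType is LOGICAL")
        if policy is not None and HOME_VAR.search(policy):
            # This is the condition the console reports in the question.
            problems.append("${transfer:Home*} variable used in policy for a user "
                            "with a logical home directory")
    elif home_type == "PATH":
        if not params.get("HomeDirectory", "").startswith("/"):
            problems.append("PATH home directory must be /bucket[/prefix]")
    else:
        problems.append("unknown HomeDirectoryType %r" % home_type)
    return problems


def path_user_with_session_policy(server_id, username, bucket, role_arn, public_key):
    """Option A: PATH home directory plus a session policy using ${transfer:Home*}."""
    return {
        "ServerId": server_id,
        "UserName": username,
        "Role": role_arn,
        "HomeDirectoryType": "PATH",
        "HomeDirectory": "/%s/%s" % (bucket, username),
        "Policy": json.dumps(SESSION_POLICY),
        "SshPublicKeyBody": public_key,
    }


def restricted_logical_user(server_id, username, bucket, role_arn, public_key):
    """Option B: a logical root "/" mapped to the user's folder and no session policy.
    The client never sees the bucket name; the IAM role alone defines S3 access."""
    return {
        "ServerId": server_id,
        "UserName": username,
        "Role": role_arn,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [{"Entry": "/", "Target": "/%s/%s" % (bucket, username)}],
        "SshPublicKeyBody": public_key,
    }


if __name__ == "__main__":
    # Constructed placeholders; pass the dict as boto3.client("transfer").create_user(**params).
    args = ("s-0123456789abcdef0", "jeff", "data-transfer-inbound",
            "arn:aws:iam::123456789012:role/transfer-user-role", "ssh-ed25519 AAAA... jeff")
    for build in (path_user_with_session_policy, restricted_logical_user):
        print(build.__name__, validate_user(build(*args)) or "ok")
    mixed = restricted_logical_user(*args)
    mixed["Policy"] = json.dumps(SESSION_POLICY)  # the combination from the question
    print("mixed", validate_user(mixed))
```

One caveat for option B: a logical directory only limits what the SFTP client can address; the role's S3 permissions are still whatever they grant, so the role should be scoped to the bucket rather than to `s3:*` on everything.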

0

Creating a session policy for an Amazon S3 bucket

A session policy is an AWS Identity and Access Management (IAM) policy that restricts users to certain portions of an Amazon S3 bucket. It does so by evaluating access in real time.

Note:

You can use a session policy when you need to give the same access to a group of users to a particular portion of your Amazon S3 bucket. For example, a group of users might need access to only the home directory. That group of users shares the same IAM role.

To create a session policy, use the following policy variables in your IAM policy:

${transfer:HomeBucket}

${transfer:HomeFolder}

${transfer:HomeDirectory}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}

Create an SFTP user programmatically

import json
import boto3

# Placeholders: replace with your own account, policy, bucket, role and server values.
user_session_policy_arn = 'arn:aws:iam::<account-no>:policy/<policy-name>'
user_bucket_name = '<bucket-name>'


def lambda_handler(event, context):
    transfer_client = boto3.client('transfer')
    iam_client = boto3.client('iam')

    # Fetch the session policy document from the managed policy; 'v2' is the
    # version ID of the policy as created above (check it with get_policy).
    response = iam_client.get_policy_version(
        PolicyArn=user_session_policy_arn,
        VersionId='v2'
    )

    # boto3 returns the document already decoded into a dict.
    policy_document = response['PolicyVersion']['Document']

    # HomeDirectoryType must be PATH for the ${transfer:Home*} variables in the
    # session policy to be accepted; with LOGICAL the API rejects them.
    # Use f"/{user_bucket_name}/{username}" for a per-user folder.
    response = transfer_client.create_user(
        ServerId='AWS_TRANSFER_SERVER_ID',
        UserName='myusername',
        HomeDirectoryType='PATH',
        HomeDirectory=f"/{user_bucket_name}",
        Role='arn:aws:iam::<account_no>:role/<role_name>',
        Policy=json.dumps(policy_document),
        SshPublicKeyBody='<USER_PUBLIC_KEY>'
    )
    return response

IAM role required for the above code to execute on Lambda

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "lambdaPermissionTOCreateTransferUser",
            "Effect": "Allow",
            "Action": [
                "transfer:CreateUser",
                "transfer:DeleteUser"
            ],
            "Resource": [
                "arn:aws:transfer:${Region}:${Account}:server/${ServerId}"
            ]
        },
        {
            "Sid": "GetPolicyVersion",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:policy/${Policy_name}"
            ]
        },
        {
            "Sid": "AssignRoleToServerUser",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:role/${Role_name}"
            ]
        }
    ]
}

${Policy_name} is the session policy created above for the user.

The Transfer Family server resource has the following ARN. (Source Link)

arn:aws:transfer:${Region}:${Account}:server/${ServerId}
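To see what a session policy actually grants for one user, the `${transfer:Home*}` variables can be substituted locally and sample S3 requests evaluated against the result. The following is an added example, not code from the answer above or from AWS: it derives `HomeBucket`, `HomeFolder` and `HomeDirectory` from a `PATH` home directory the way the documentation describes (bucket is the first path element, folder is the rest), implements a deliberately small IAM evaluator (Allow/Deny, `*` and `?` wildcards, `StringLike`/`StringEquals` only; no `NotAction`/`NotResource`), and shows why the `arn:aws:s3:::${transfer:HomeDirectory}*` resource in the policy above also matches a sibling folder such as `jeffrey/`, which `${transfer:HomeDirectory}/*` does not. Bucket, user and key names are constructed.

```python
import copy
import json
import re

# The session policy from the answer above, resource written as "${transfer:HomeDirectory}*".
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                       "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}


def home_variables(home_directory):
    """Values substituted for a PATH home directory of the form "/bucket/folder"."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    return {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": bucket + "/" + folder if folder else bucket,
    }


def resolve_policy(policy, home_directory):
    """Return a copy of the policy with the ${transfer:Home*} variables substituted."""
    text = json.dumps(policy)
    for var, value in home_variables(home_directory).items():
        text = text.replace(var, value)
    return json.loads(text)


def iam_match(pattern, value):
    """IAM wildcard matching: '*' any run of characters, '?' one character, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    # Only the operators the session policy above needs; a missing context key never satisfies them.
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                ok = any(iam_match(p, actual) for p in _as_list(patterns))
            elif operator == "StringEquals":
                ok = actual in _as_list(patterns)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Evaluate one request: any matching Deny wins, otherwise a matching Allow is required."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(iam_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def tightened(policy):
    """Same policy, but object access limited to keys strictly under the home directory."""
    fixed = copy.deepcopy(policy)
    for statement in fixed["Statement"]:
        if statement.get("Sid") == "HomeDirObjectAccess":
            statement["Resource"] = "arn:aws:s3:::${transfer:HomeDirectory}/*"
    return fixed


if __name__ == "__main__":
    # Constructed sample: user jeff with home directory /data-transfer-inbound/jeff.
    loose = resolve_policy(SESSION_POLICY, "/data-transfer-inbound/jeff")
    tight = resolve_policy(tightened(SESSION_POLICY), "/data-transfer-inbound/jeff")
    bucket = "arn:aws:s3:::data-transfer-inbound"
    print(is_allowed(loose, "s3:GetObject", bucket + "/jeff/report.csv"))        # True
    print(is_allowed(loose, "s3:GetObject", bucket + "/alice/report.csv"))       # False
    print(is_allowed(loose, "s3:ListBucket", bucket, {"s3:prefix": "jeff/"}))    # True
    print(is_allowed(loose, "s3:ListBucket", bucket, {"s3:prefix": "alice/"}))   # False
    # "jeff*" also matches the sibling folder "jeffrey/": loose allows it, tight does not.
    print(is_allowed(loose, "s3:GetObject", bucket + "/jeffrey/secret.txt"))     # True
    print(is_allowed(tight, "s3:GetObject", bucket + "/jeffrey/secret.txt"))     # False
```

The evaluator is a model for reasoning about the template, not a substitute for testing against the service: confirm the final policy with the IAM policy simulator or a real SFTP login before relying on it.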
