I'm adjusting a qas bucket that is accessed by the AWS TRANSFER FAMILY SFTP service from another account (production account), I need to add this qas backup as home of a new user, but for my user the destination bucket (which is in the qas account), does not appear in the selection.
in the destination account, where the bucket is, I have this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketPolicyForSFTP",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::**PRODUCTION-ACCOUNT-ID**:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname-qas",
"arn:aws:s3:::bucketname-qas/*"
],
"Condition": {
"StringLike": {
"aws:userId": "AROA... **THIS IS A FUNCTION ID**?:*"
}
}
}
I tried to login with my user via console and run in cli: aws sts get-caller-identity --output json
"UserId": "AROA...ID:myuser@mymail", "Account": "PRODUCTION-ACCOUNT-ID", "Arn": "arn:aws:sts::PRODUCTION´´ACCOUNTID:assumed-role/AWSReservedSSO_AWSAdministratorAccess_idxxx/myuser@mymail"
I already tried to put this user ID in the permission, as well as my arn in the policy, but when logging in with my federated user in the PRD account, I still can't see the bucket that is in the QAS account when looking for the buckets in the family SFTP transfer configuration
Is it possible to do this with a federated user?
Thank you very much!