I have set up an AWS SFTP server with a custom API Gateway identity provider. The user is created as SFTP/username in Secrets Manager with the following key/value pairs:
    Password: <passwordvalue>
    Role: <roleARN>
    HomeDirectory: /<s3bucketname>/<username>
The roleARN's policy is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketContents",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<s3bucketname>"
        },
        {
            "Sid": "AllUserReadAccessInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<s3bucketname>/<username>/*"
            ]
        },
        {
            "Sid": "AllUserFullAccessForToFolders",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<s3bucketname>/<username>/To/*"
            ]
        },
        {
            "Sid": "AllUserReadAccessForFromFolders",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<s3bucketname>/<username>/From/*"
            ]
        },
        {
            "Sid": "DenyUserFromDeletingStandardFolders",
            "Action": [
                "s3:DeleteObject"
            ],
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::<s3bucketname>/<username>/To/",
                "arn:aws:s3:::<s3bucketname>/<username>/From/"
            ]
        }
    ]
}
With the current policy I have the correct permissions for a specific user, and the permissions/access work as expected, but the problem is the hardcoded user name in the policy.
I now have to create one more SFTP user in Secrets Manager and was expecting to reuse the same IAM role that I used for the first user. I found that this can be achieved with session policies (https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html), so that I can use the same role/policy for multiple SFTP users in Secrets Manager, but I am having a hard time getting it to work.
When I replace the s3bucketname in the policy with ${transfer:HomeBucket} and the related values as described in the session policies link above, I expected it to work, but I keep running into access denied errors when trying to list the S3 bucket contents via an SFTP client.
Can someone help me understand what I am missing here? Any help greatly appreciated.
I got to know that I need to use HomeDirectoryDetails (a logical directory) instead of HomeDirectory: https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
Thanks.
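Worked example, added here and not part of the original post or of any AWS sample: the shape of the identity-provider response that lets several SFTP users share one IAM role. The per-user scoping moves out of the role and into a session policy (the Policy field, a JSON string of at most 2048 bytes, which Transfer Family intersects with the role's own policy), and the chroot moves from HomeDirectory to HomeDirectoryType LOGICAL plus HomeDirectoryDetails. Because ${transfer:HomeBucket} and ${transfer:HomeFolder} are derived from HomeDirectory, which a LOGICAL user does not set, the policy below keys everything off ${transfer:UserName} instead, and it scopes s3:ListBucket with an s3:prefix condition rather than with an object ARN, since listing is a bucket-level action. The bucket name, role ARN, user names and the in-memory stand-in for the Secrets Manager secret are constructed assumptions; the tiny evaluator at the end only models Allow/Deny with wildcards and the StringLike s3:prefix condition, so you can sanity-check what each user can reach before deploying.

```python
"""Per-user session policy + logical home directory for AWS Transfer Family.
Added example; not the original poster's code or an AWS sample."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-sftp-bucket"                            # assumption
ROLE_ARN = "arn:aws:iam::123456789012:role/sftp-shared"   # assumption
MAX_POLICY_BYTES = 2048   # documented limit for the Policy field

# Constructed stand-in for the SFTP/<username> secrets in Secrets Manager.
SECRETS = {
    "alice": {"Password": "<redacted>", "Role": ROLE_ARN},
    "bob":   {"Password": "<redacted>", "Role": ROLE_ARN},
}


def build_session_policy(bucket):
    """One policy for every user; Transfer fills in ${transfer:UserName}."""
    folder = f"arn:aws:s3:::{bucket}/${{transfer:UserName}}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is bucket-level: scope it by key prefix
                "Sid": "ListOnlyOwnFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [
                    "${transfer:UserName}", "${transfer:UserName}/*"]}},
            },
            {"Sid": "ReadOwnFolder", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": [f"{folder}/*"]},
            {"Sid": "WriteToFolder", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"{folder}/To/*"]},
            {   # keep the zero-byte folder marker objects
                "Sid": "KeepStandardFolders", "Effect": "Deny",
                "Action": ["s3:DeleteObject"],
                "Resource": [f"{folder}/To/", f"{folder}/From/"]},
        ],
    }


def build_idp_response(secret, username):
    """What the Lambda behind the API Gateway identity provider returns
    after the password check (omitted here) has passed."""
    policy = json.dumps(build_session_policy(BUCKET), separators=(",", ":"))
    if len(policy.encode()) > MAX_POLICY_BYTES:
        raise ValueError("session policy exceeds 2048 bytes")
    return {
        "Role": secret["Role"],
        "Policy": policy,
        "HomeDirectoryType": "LOGICAL",
        # Entry "/" chroots the user; Target is the real bucket/prefix.
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{BUCKET}/{username}"}]),
    }


def resolve(policy, username):
    """Simulate Transfer Family substituting ${transfer:UserName}."""
    return json.loads(json.dumps(policy).replace("${transfer:UserName}", username))


def is_allowed(policy, action, resource, prefix=None):
    """Minimal IAM-style evaluation: explicit Deny wins over any Allow.
    Only the StringLike/s3:prefix condition is modelled; an absent prefix
    fails the condition, as a missing context key does in IAM."""
    decision = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None and not (
                prefix is not None and any(fnmatchcase(prefix, c) for c in cond)):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(build_idp_response(SECRETS["alice"], "alice"), indent=2))
```

Because the session policy can only narrow what the role allows, the shared role itself still needs to grant ListBucket, GetObject, PutObject and DeleteObject on the bucket and its objects; the per-user boundaries then come entirely from the ${transfer:UserName} substitution at session time.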