Tags: amazon-web-services, amazon-s3, sftp, aws-transfer-family

Unable to invoke Lambda function


I have created an AWS Transfer Family SFTP server which is using a Lambda function for authentication. When I try to log in to the SFTP server, I get the following error:

    "method": "password",
    "activity-type": "AUTH_FAILURE",
    "source-ip": "172.105.39.41",
    "resource-arn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456",
    "message": "Unable to invoke Lambda function: arn:aws:lambda:us-east-2: 123456789012:function:SFTP-Lambda",
    "user": "user"

The lambda has the following Invoke permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "transfer.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456"
            }
          }
        }
      ]
    }

Can someone please tell me what needs to be added here so that I can use the Lambda for authentication?

I am trying to follow the following documentation, but it looks like the IAM permissions provided are not working as expected: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html


Solution

  • You need to grant AWS Transfer Family the necessary permissions to invoke your Lambda function.

    To do this, run:

    aws lambda add-permission \
    --function-name SFTP-Lambda --action lambda:InvokeFunction \
    --statement-id transfer --principal transfer.amazonaws.com \
    --output text
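As an added example (not code from the question or the answer above), the Python below evaluates a Lambda resource-based policy the way a reviewer would before and after running `add-permission`: it checks that some `Allow` statement names `transfer.amazonaws.com` as a service principal, grants `lambda:InvokeFunction` on the function ARN, and that any `aws:SourceArn` condition admits the Transfer Family server ARN. It also builds the `add-permission` command with `--source-arn` so the grant stays scoped to the one server, matching the condition the question's own policy already uses. The function names, the simplified `ArnLike` matcher and the sample policy (the question's JSON with its placeholder account and server ids) are assumptions made for this example; `Deny` statements and `NotPrincipal`/`NotAction` are not modelled.

```python
"""Check whether a Lambda resource-based policy lets AWS Transfer Family
invoke the function for a given SFTP server ARN (added example)."""
import json
import re

# Constructed sample values: the placeholder ARNs from the question.
FUNCTION_ARN = "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda"
SERVER_ARN = "arn:aws:transfer:us-east-2:123456789012:server/s-123456"

# Constructed sample policy: the resource policy shown in the question.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "transfer.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": SERVER_ARN}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _arn_like(pattern, value):
    """ArnLike semantics (simplified): '*' matches any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _source_arn_ok(condition, server_arn):
    """If the statement is scoped with aws:SourceArn, the server must match."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if key.lower() != "aws:sourcearn":
                continue  # other condition keys are not evaluated here
            op = operator.lower()
            if op in ("arnlike", "stringlike"):
                matched = any(_arn_like(p, server_arn) for p in _as_list(patterns))
            elif op in ("arnequals", "stringequals"):
                matched = server_arn in _as_list(patterns)
            else:
                matched = False  # unknown operator: treat as not satisfied
            if not matched:
                return False
    return True


def transfer_can_invoke(policy_json, function_arn, server_arn):
    """True if an Allow statement grants transfer.amazonaws.com
    lambda:InvokeFunction on function_arn for requests from server_arn."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and "transfer.amazonaws.com" not in services:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        if not any(_arn_like(r, function_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if _source_arn_ok(stmt.get("Condition", {}), server_arn):
            return True
    return False


def build_add_permission_command(function_name, server_arn):
    """argv for the grant in the answer, scoped to one server with --source-arn."""
    return ["aws", "lambda", "add-permission",
            "--function-name", function_name,
            "--action", "lambda:InvokeFunction",
            "--statement-id", "transfer",
            "--principal", "transfer.amazonaws.com",
            "--source-arn", server_arn]


if __name__ == "__main__":
    print("policy grants invoke:", transfer_can_invoke(SAMPLE_POLICY, FUNCTION_ARN, SERVER_ARN))
    print(" ".join(build_add_permission_command("SFTP-Lambda", SERVER_ARN)))
```

Run the checker against the output of `aws lambda get-policy --function-name SFTP-Lambda` (its `Policy` field is the JSON string this function expects) to confirm the grant landed; if the statement is present and still fails for a different server id, the `ArnLike` condition is the first thing to compare against the `resource-arn` in the failure log.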