Reputation: 197
I am getting the below error message when assigning a session policy to a user in AWS Transfer Family from the AWS Management Console:
Failed to edit user details (${transfer:Home*} variable used in policy for a user with a logical home directory)
Upvotes: 1
Views: 2694
Reputation: 279
I was having this problem and I found a few problems with my setup.
https://aws.amazon.com/blogs/aws/new-aws-transfer-for-sftp-fully-managed-sftp-service-for-amazon-s3/
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::data-transfer-inbound"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::data-transfer-inbound/jeff/*"
        }
    ]
}
"you generally do not need both session policies and logical directories... having both can cause permission denied errors."
I took that to mean that you do NOT want both a session policy added to the SFTP User and the restricted check box. I tested both the restricted checkbox with no policy and the Auto-generated policy in the user SFTP page. They both locked down the bucket.
The restricted checkbox has the advantage of not showing the bucket name.
Hope this helps someone else!
Upvotes: 4
Reputation: 197
Creating a session policy for an Amazon S3 bucket
A session policy is an AWS Identity and Access Management (IAM) policy that restricts users to certain portions of an Amazon S3 bucket. It does so by evaluating access in real time.
Note:
You can use a session policy when you need to give the same access to a group of users to a particular portion of your Amazon S3 bucket. For example, a group of users might need access to only the home directory. That group of users shares the same IAM role.
To create a session policy, use the following policy variables in your IAM policy:
${transfer:HomeBucket}
${transfer:HomeFolder}
${transfer:HomeDirectory}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}
Create SFTP user programmatically
import json
import boto3

user_session_policy_arn = 'arn:aws:iam::<account-no>:policy/<policy-name>'
user_bucket_name = '<bucket-name>'  # bucket that becomes the user's home directory (placeholder)

def lambda_handler(event, context):
    transfer_client = boto3.client('transfer')
    iam_client = boto3.client('iam')
    # Read the session policy document so it can be attached to the user inline
    response = iam_client.get_policy_version(
        PolicyArn=user_session_policy_arn,
        VersionId='v2'
    )
    policy_document = response['PolicyVersion']['Document']
    # HomeDirectoryType must be PATH when the session policy uses ${transfer:Home*} variables
    response = transfer_client.create_user(
        ServerId='AWS_TRANSFER_SERVER_ID',
        UserName='myusername',
        HomeDirectoryType='PATH',
        HomeDirectory=f"/{user_bucket_name}",
        Role='arn:aws:iam::<account_no>:role/<role_name>',
        Policy=json.dumps(policy_document),
        SshPublicKeyBody='<USER_PUBLIC_KEY>'
    )
    return response
IAM role required for the above code to execute on Lambda (the resource in the GetPolicyVersion statement is the session policy created above for the user):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "lambdaPermissionTOCreateTransferUser",
            "Effect": "Allow",
            "Action": [
                "transfer:CreateUser",
                "transfer:DeleteUser"
            ],
            "Resource": [
                "arn:aws:transfer:${Region}:${Account}:server/${ServerId}"
            ]
        },
        {
            "Sid": "GetPolicyVersion",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:policy/${Policy_name}"
            ]
        },
        {
            "Sid": "AssigneRoleToServerUser",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::${Account}:role/${Role_name}"
            ]
        }
    ]
}
The Transfer Family server resource has the following ARN. (Source Link)
arn:aws:transfer:${Region}:${Account}:server/${ServerId}
Upvotes: 0
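Both answers above come down to the same rule: a session policy built on the `${transfer:Home*}` variables only works for a user with a PATH home directory, and the console rejects the combination with a logical home directory. The following added example (not code from either answer or from AWS) is a pre-flight check you can run before calling `create_user`: it finds which `${transfer:Home*}` variables a policy document uses, reports the conflict the question's error message describes, flags a blanket `s3:*` grant like the one in the first answer's policy, and renders the effective policy for a given PATH home directory so the ARNs can be reviewed. The `SESSION_POLICY` sample is the policy quoted in the second answer; the variable-resolution rule in `resolve_session_policy` (leading slash stripped, first path segment is the bucket) is an assumption made here, not something stated on the page.

```python
import json
import re

# The three session-policy variables documented for Transfer Family.
TRANSFER_HOME_VAR = re.compile(r"\$\{transfer:Home(Bucket|Folder|Directory)\}")

# Constructed sample: the session policy quoted in the answer above.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]
                }
            },
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}


def _walk_strings(node):
    """Yield every string value inside a (nested) policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_strings(item)


def find_transfer_home_vars(policy):
    """Return the set of transfer:Home* variable names referenced anywhere in the policy."""
    found = set()
    for text in _walk_strings(policy):
        for match in TRANSFER_HOME_VAR.finditer(text):
            found.add("transfer:Home" + match.group(1))
    return found


def check_policy_for_user(home_directory_type, policy):
    """Pre-flight check before CreateUser; returns a list of findings (empty means OK).

    Reproduces the console's rejection: ${transfer:Home*} variables cannot be
    combined with a LOGICAL home directory. Also flags s3:* as a broad grant.
    """
    findings = []
    used = find_transfer_home_vars(policy)
    if home_directory_type == "LOGICAL" and used:
        names = ", ".join(sorted("${%s}" % v for v in used))
        findings.append(
            f"policy uses {names} but the user has a logical home directory; "
            "drop the session policy or use HomeDirectoryType=PATH"
        )
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:*" in actions:
            findings.append(f"statement {stmt.get('Sid')!r} grants s3:*; prefer an explicit object-action list")
    return findings


def resolve_session_policy(policy, home_directory):
    """Render the effective policy for a PATH-type user's home directory.

    Assumption (not from the page): "/<bucket>/<folder>" resolves to
    HomeBucket=<bucket>, HomeFolder=<folder>, HomeDirectory=<bucket>/<folder>,
    i.e. without the leading slash, so "arn:aws:s3:::${transfer:HomeDirectory}*"
    stays a well-formed S3 ARN.
    """
    path = home_directory.strip("/")
    bucket, _, folder = path.partition("/")
    values = {
        "transfer:HomeBucket": bucket,
        "transfer:HomeFolder": folder,
        "transfer:HomeDirectory": path,
    }
    rendered = json.dumps(policy)
    for name, value in values.items():
        rendered = rendered.replace("${%s}" % name, value)
    return json.loads(rendered)


if __name__ == "__main__":
    print(check_policy_for_user("LOGICAL", SESSION_POLICY))
    print(json.dumps(resolve_session_policy(SESSION_POLICY, "/data-transfer-inbound/jeff"), indent=2))
```

Run the check against the exact `HomeDirectoryType` and policy document you are about to pass to `create_user`; an empty findings list means the console error in the question cannot occur for that user, and the rendered policy shows which bucket prefix the user will actually be confined to.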