我已经设置了一个带有自定义api网关标识提供程序的AWS SFTP服务器。用户在机密管理器中创建为SFTP/用户名,具有以下密钥、值对-
Password: <passwordvalue>
Role: <roleARN> // roleARN policy is as follows
HomeDirectory: /<s3bucketname>/<username>
角色ARN的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketContents",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:ListBucketVersions",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<s3bucketname>"
},
{
"Sid": "AllUserReadAccessInUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/*"
]
},
{
"Sid": "AllUserFullAccessForToFolders",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/*"
]
},
{
"Sid": "AllUserReadAccessForFromFolders",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/From/*"
]
},
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/",
"arn:aws:s3:::<s3bucketname>/<username>/From/"
]
}
]
}
使用当前策略,我对特定用户拥有正确的权限,权限/访问权限按预期工作,但问题是策略中的硬编码用户。
我现在必须在机密管理器中为SFTP再创建一个用户,并希望使用与第一个用户相同的IAM角色。我发现这可以使用会话策略来实现(https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html)我可以在机密管理器中为多个sftp用户使用相同的角色/策略。但我很难让它发挥作用。
当我在策略中用${transfer:HomeBucket}替换s3bucketname时以及上面会话策略链接中提到的相关值-我本来希望它能工作,但在尝试通过SFTP客户端列出s3存储桶内容时,我一直遇到拒绝访问的问题。
有人能帮我理解我在这里错过了什么吗?非常感谢任何帮助。
知道我需要使用HomeDirectoryDetails而不是HomeDirectory逻辑目录-https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
谢谢。