SFTP 服务器上的 AWS Transfer 权限被拒绝

Question 1

用户角色应该是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

用户的信任关系：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

您的用户的主目录应该是 /BUCKET_NAME

Answer

用户角色应该是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

用户的信任关系：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

您的用户的主目录应该是 /BUCKET_NAME

Question 2

s3:GetObject在我向策略中添加权限之前，我遇到了这个问题aws_transfer_user。我原以为s3:ListBucket会足够，但事实并非如此。sftp> ls直到我获得 GetObject 后才会失败。

这是它的 Terraform：

resource "aws_transfer_user" "example-ftp-user" {
  count                     = length(var.uploader_users)
  user_name                 = var.uploader_users[count.index].username

  server_id                 = aws_transfer_server.example-transfer.id
  role                      = aws_iam_role.sftp_content_incoming.arn
  home_directory_type       = "LOGICAL"

  home_directory_mappings {
      entry = "/"
      target = "/my-bucket/$${Transfer:UserName}"
    }

    policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowSftpUserAccessToS3",
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObjectVersion",
          "s3:DeleteObject",
          "s3:GetObjectVersion",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}",
          "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}/*"
        ]
      }
    ]
}
POLICY
}

我在.tfvars文件中定义用户；例如：

uploader_users = [
  {
    username = "firstuser"
    public_key = "ssh-rsa ...."
  },
  {
    username = "seconduser"
    public_key = "ssh-rsa ..."
  },
  {
    username = "thirduser"
    public_key = "ssh-rsa ..."
  }
]

我希望这对某些人有帮助。我花了很多功夫才最终让它工作起来，而且我不能 100% 确定与其他策略的交互最终是否会起作用。但应用这个之后，我就可以连接并列出存储桶内容，而不会收到“权限被拒绝”的提示。

Answer

s3:GetObject在我向策略中添加权限之前，我遇到了这个问题aws_transfer_user。我原以为s3:ListBucket会足够，但事实并非如此。sftp> ls直到我获得 GetObject 后才会失败。

这是它的 Terraform：

resource "aws_transfer_user" "example-ftp-user" {
  count                     = length(var.uploader_users)
  user_name                 = var.uploader_users[count.index].username

  server_id                 = aws_transfer_server.example-transfer.id
  role                      = aws_iam_role.sftp_content_incoming.arn
  home_directory_type       = "LOGICAL"

  home_directory_mappings {
      entry = "/"
      target = "/my-bucket/$${Transfer:UserName}"
    }

    policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowSftpUserAccessToS3",
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObjectVersion",
          "s3:DeleteObject",
          "s3:GetObjectVersion",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}",
          "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}/*"
        ]
      }
    ]
}
POLICY
}

我在.tfvars文件中定义用户；例如：

uploader_users = [
  {
    username = "firstuser"
    public_key = "ssh-rsa ...."
  },
  {
    username = "seconduser"
    public_key = "ssh-rsa ..."
  },
  {
    username = "thirduser"
    public_key = "ssh-rsa ..."
  }
]

我希望这对某些人有帮助。我花了很多功夫才最终让它工作起来，而且我不能 100% 确定与其他策略的交互最终是否会起作用。但应用这个之后，我就可以连接并列出存储桶内容，而不会收到“权限被拒绝”的提示。

SFTP 服务器上的 AWS Transfer 权限被拒绝

答案1

用户角色应该是：

用户的信任关系：

答案2

相关内容