permission denied on AWS Transfer on SFTP server

I can log into my server with cyberduck or filezilla but cannot read my homedirectory. s3 bucket "mybucket" exists. In cyber duck I see

"Cannot readdir on root. Please contact your web hosting service provider for assistance." and in Filezilla "Error: Reading directory .: permission denied"

even though I can connect to server.

Am I missing some user permission in the policies below ?

These are my permissions

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::MYBUCKET" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::MYBUCKET/*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "transfer:*", "Resource": "*" } ]
}

These are my trust relationships:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole" } ]
}
2

2 Answers

User Role should be:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::BUCKET_NAME" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::BUCKET_NAME/*" } ]
}

Trust relationship of User:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole" } ]
}

Home directory for your user should be /BUCKET_NAME

9

I had issues with this until I added, specifically, the s3:GetObject permission to the aws_transfer_user policy. I expected s3:ListBucket to be enough, but it was not. sftp> ls would fail until I had GetObject.

Here's the Terraform for it:

resource "aws_transfer_user" "example-ftp-user" { count = length(var.uploader_users) user_name = var.uploader_users[count.index].username server_id = aws_transfer_server.example-transfer.id role = aws_iam_role.sftp_content_incoming.arn home_directory_type = "LOGICAL" home_directory_mappings { entry = "/" target = "/my-bucket/$${Transfer:UserName}" } policy = <<POLICY
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSftpUserAccessToS3", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}", "${aws_s3_bucket.bucket.arn}/${var.uploader_users[count.index].username}/*" ] } ]
}
POLICY
}

And I define users in a .tfvars file; e.g.:

uploader_users = [ { username = "firstuser" public_key = "ssh-rsa ...." }, { username = "seconduser" public_key = "ssh-rsa ..." }, { username = "thirduser" public_key = "ssh-rsa ..." }
]

I hope this helps someone. It took me a lot of tinkering before I finally got this working, and I'm not 100% sure of the interactions with other policies might ultimately be in play. But after applying this was the moment I could connect and list bucket contents without getting "Permission denied".

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like