连接到 AWS Transfer for SFTP
[英]Connecting to AWS Transfer for SFTP
问题描述
I am having trouble connecting to AWS Transfer for SFTP .
我在连接到AWS Transfer for SFTP时遇到问题。 I successfully set up a server and tried to connect using WinSCP.我成功地设置了服务器并尝试使用 WinSCP 进行连接。
I set up an IAM role with trust relationships like follows:我设置了一个具有如下信任关系的 IAM 角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I paired this with a scope down policy as described in the documentation using a home directory homebucket and home directory homedir我将其与使用主目录homebucket和主目录homedir 的文档中所述的范围缩小策略配对
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListHomeDir",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::${transfer:HomeBucket}"
},
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:PutObjectTagging",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
}
I was able to authenticate using an ssh key, but when it came to actually reading/writing files I just kept getting opaque errors like "Error looking up homedir" and failed "readdir".我能够使用 ssh 密钥进行身份验证,但是当涉及到实际读取/写入文件时,我只是不断收到不透明的错误,例如“查找 homedir 时出错”和“readdir”失败。 This all smells very much like problems with my IAM policy but I haven't been able to figure it out.这一切闻起来很像我的 IAM 政策有问题,但我一直没能弄明白。
5 个解决方案
解决方案1
31 2019-01-10 15:53:30
We had similar issues getting the scope down policy to work with our users on AWS Transfer.我们在让范围缩小政策与我们的用户在 AWS Transfer 上合作时遇到了类似的问题。 The solution that worked for us, was creating two different kinds of policies.对我们有用的解决方案是制定两种不同的政策。
- Policy to attach to the role which has general rights on the whole bucket.附加到对整个存储桶具有一般权限的角色的策略。
- Scope down policy to apply to the user which makes use of the transfer service variables like
{transfer:UserName}.缩小策略以应用于使用{transfer:UserName}等传输服务变量的用户。
We concluded that maybe only the extra attached policy is able to resolve the transfer service variables .我们得出结论,也许只有额外的附加策略才能解决传输服务变量。 We are not sure if this is correct and if this is the best solution, because this opens the possible risk when forgiving to attach the scope down policy to create a kind of "admin" user.我们不确定这是否正确以及这是否是最佳解决方案,因为当允许附加范围缩小策略以创建一种“管理员”用户时,这会带来可能的风险。 So I'd be glad to get input to further lock this down a little bit.所以我很高兴收到意见以进一步锁定它。
Here is how it looks in my console when looking at the transfer user details:查看转移用户详细信息时,它在我的控制台中的外观如下:
Here are our two policies we use:以下是我们使用的两项政策:
General policy to attach to IAM role附加到 IAM 角色的一般策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-s3-bucket"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3::: my-s3-bucket/*"
}
]
}
Scope down policy to apply to transfer user适用于转移用户的范围缩小政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:UserName}/*",
"${transfer:UserName}"
]
}
}
},
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
}
解决方案2
11 2018-12-06 10:08:58
I had a similar problem but with a different error behavior.我遇到了类似的问题,但错误行为不同。 I managed to log in successfully, but then the connection was almost immediately closed.我设法成功登录,但随后连接几乎立即关闭。 I did the following things:我做了以下事情:
- Make sure that the IAM role that allows bucket access also contains KMS access if your bucket is encrypted.如果您的存储桶已加密,请确保允许访问存储桶的 IAM 角色也包含 KMS 访问权限。
- Make sure that the trust relationship is also part of that role.确保信任关系也是该角色的一部分。
- Make sure that the server itself has a Cloudwatch role also with a trust relationship to transfer.amazonaws.com.确保服务器本身具有 Cloudwatch 角色,并且与 transfer.amazonaws.com 具有信任关系。 This was the solution for me, I don't get why this is needed but without the trust relationship in the Cloudwatch role.这是我的解决方案,我不明白为什么需要这样做,但没有 Cloudwatch 角色中的信任关系。 my connection get's closed.我的连接关闭了。
I hope that helps.我希望这有帮助。 Edit: Added a picture for the settings of the CloudWatch role:编辑:为 CloudWatch 角色的设置添加了一张图片:
The bucket policy for the IAM user role can look like this: IAM 用户角色的存储桶策略可能如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<your bucket>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<your bucket>/*"
]
}
]
} }
Finally, also add a Trust Relationship as shown above for the user IAM role.最后,还为用户 IAM 角色添加如上所示的信任关系。
If you can connect to your sftp but then get a readdir error when trying to list contents, eg with the command "ls", then that's a sign that you have no bucket permission.如果您可以连接到您的 sftp,但在尝试列出内容时出现 readdir 错误,例如使用命令“ls”,则表明您没有存储桶权限。 If your connection get's closed right away it seems to be a Trust Relationship issue or a KMS issue.如果您的连接立即关闭,这似乎是信任关系问题或 KMS 问题。
解决方案3
2 2019-04-08 16:08:54
According to the somewhat cryptic documentation @limfinity was correct.根据有些神秘的文档,@limfinity 是正确的。 To scope down access you need a general Role/Policy combination granting access to see the bucket.要缩小访问范围,您需要一个通用的角色/策略组合来授予访问权限以查看存储桶。 This role gets applied to the SFTP user you create.此角色将应用于您创建的 SFTP 用户。 In addition you need a custom policy which grants CRUD rights only to the user's bucket.此外,您需要一个自定义策略,该策略仅向用户的存储桶授予 CRUD 权限。 The custom policy is also applied to the SFTP user.自定义策略也适用于 SFTP 用户。
From page 24 of this doc... https://docs.aws.amazon.com/transfer/latest/userguide/sftp.ug.pdf#page=28&zoom=100,0,776从本文档的第 24 页开始...... https://docs.aws.amazon.com/transfer/latest/userguide/sftp.ug.pdf#page=28&zoom=100,0,776
To create a scope-down policy, use the following policy variables in your IAM policy:要创建范围缩小策略,请在您的 IAM 策略中使用以下策略变量:
AWS Transfer for SFTP User Guide Creating a Scope-Down Policy AWS Transfer for SFTP 用户指南 创建范围缩小策略
• ${transfer:HomeBucket}
• ${transfer:HomeDirectory}
• ${transfer:HomeFolder}
• ${transfer:UserName}
Note You can't use the variables listed preceding as policy variables in an IAM role definition. Note 您不能将前面列出的变量用作 IAM 角色定义中的策略变量。 You create these variables in an IAM policy and supply them directly when setting up your user.您在 IAM 策略中创建这些变量,并在设置用户时直接提供它们。 Also, you can't use the ${aws:Username}variable in this scope-down policy.此外,您不能在此范围缩小策略中使用 ${aws:Username} 变量。 This variable refers to an IAM user name and not the user name required by AWS SFTP.此变量引用 IAM 用户名,而不是 AWS SFTP 所需的用户名。
解决方案4
1 2019-03-18 02:30:52
Can't comment, sorry if I'm posting incorrectly.无法评论,抱歉,如果我发错了。
Careful with AWS's default policy!小心 AWS 的默认策略!
This solution did work for me in that I was able to use scope-down policies for SFTP users as expected.该解决方案确实对我有用,因为我能够按预期对 SFTP 用户使用范围缩小策略。 However, there's a catch:但是,有一个问题:
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
This section of the policy will enable SFTP users using this policy to change directory to root and list all of your account's buckets.该策略的这一部分将使使用该策略的 SFTP 用户能够将目录更改为根目录并列出您帐户的所有存储桶。 They won't have access to read or write, but they can discover stuff which is probably unnecessary.他们无法读取或写入,但他们可以发现可能不需要的东西。 I can confirm that changing the above to:我可以确认将以上内容更改为:
{
"Sid": "AWSTransferRequirements",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "${transfer:HomeBucket}"
},
... appears to prevent SFTP users from listing buckets. ...似乎阻止 SFTP 用户列出存储桶。 However, they can still cd to directories if they happen to know buckets that exist -- again they dont' have read/write but this is still unnecessary access.但是,如果他们碰巧知道存在的存储桶,他们仍然可以cd到目录——同样他们没有读/写权限,但这仍然是不必要的访问。 I'm probably missing something to prevent this in my policy.我可能在我的政策中遗漏了一些东西来防止这种情况发生。
Proper jailing appears to be a backlog topic: https://forums.aws.amazon.com/thread.jspa?threadID=297509&tstart=0适当的jailing似乎是一个积压的话题: https ://forums.aws.amazon.com/thread.jspa?threadID=297509&tstart=0
解决方案5
-1 2019-12-16 07:48:38
We were using the updated version of SFTP with Username and Password and had to spend quite some time to figure out all details.我们使用的是带有用户名和密码的更新版本的 SFTP,并且不得不花费相当多的时间来弄清楚所有细节。 For the new version, the Scope down policy needs to be specified as 'Policy' key within Secrets Manager.对于新版本,需要将范围缩小策略指定为 Secrets Manager 中的“策略”键。 This is very important for the whole flow to work.这对于整个流程的工作非常重要。
We have documented the full setup on our site here - https://coderise.io/sftp-on-aws-with-username-and-password/我们已经在我们的网站上记录了完整的设置 - https://coderise.io/sftp-on-aws-with-username-and-password/
Hope that helps!希望有帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.