[英]Couldn't read directory: Permission denied when using AWS SFTP
I am trying to set up a simple AWS SFTP server with a scoped-down policy but keep getting permission denied errors when trying to put
and get
.我正在尝试使用范围缩小的策略设置一个简单的 AWS SFTP 服务器,但在尝试
put
和get
时不断收到权限被拒绝错误。
Here is IAM Role with generic S3 bucket access:这是具有通用 S3 存储桶访问权限的 IAM 角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::SOME-EXAMPLE-BUKCET"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
}
]
}
And this is the scoped-down policy which I attach to the user when I create it in the SFTP panel:这是我在 SFTP 面板中创建它时附加给用户的范围缩小策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:UserName}/*",
"${transfer:UserName}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
The goal is for a user to log in and land in their home directory with read/write/delete permissions for just that directory.目标是让用户登录并登陆他们的主目录,并拥有对该目录的读/写/删除权限。 I've tried various policies from the following links but never quite get what I need:
我尝试了以下链接中的各种策略,但从未完全得到我需要的东西:
Connecting to AWS Transfer for SFTP 连接到 AWS Transfer for SFTP
https://docs.aws.amazon.com/transfer/latest/userguide/users.html https://docs.aws.amazon.com/transfer/latest/userguide/users.html
https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html
I always either get no access at all and everything is denied (ie can't even ls
).我总是要么根本无法访问,要么一切都被拒绝(即甚至不能
ls
)。 Or I can ls
but can't do anything else like mkdir, put, get,
etc...或者我可以
ls
但不能做任何其他事情,比如mkdir, put, get,
等......
In the scoped-down policy, why do you use transfer:UserName in the ListBucket condition rather than transfer:HomeDirectory like in the Put/Get/DeleteObject statement?在范围缩小的策略中,为什么要在 ListBucket 条件中使用 transfer:UserName 而不是像在 Put/Get/DeleteObject 语句中那样使用 transfer:HomeDirectory? Is the HomeDirectory of the user the same as its username?
用户的 HomeDirectory 是否与其用户名相同?
What happens when you try something like this?当你尝试这样的事情时会发生什么?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::${transfer:HomeBucket}",
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeDirectory}/*",
"${transfer:HomeDirectory}"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${transfer:HomeDirectory}/*",
"arn:aws:s3:::${transfer:HomeDirectory}*"
]
}
]
}
Do not use ${transfer:Username} in the scoped down policy.不要在范围向下的策略中使用 ${transfer:Username}。 Also, make sure you specify it as Policy key within secrets manager.
此外,请确保将其指定为机密管理器中的策略密钥。
I have documented the full setup here in case you need to reference it - https://coderise.io/sftp-on-aws-with-username-and-password/我在这里记录了完整的设置,以防您需要参考它 - https://coderise.io/sftp-on-aws-with-username-and-password/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.