堆栈内存溢出
  简体   繁体   English

无法读取目录:使用 AWS SFTP 时权限被拒绝

[英]Couldn't read directory: Permission denied when using AWS SFTP

 原文  2019-10-28 22:41:02       amazon-web-services/ amazon-s3/ sftp/ amazon-iam

问题描述

I am trying to set up a simple AWS SFTP server with a scoped-down policy but keep getting permission denied errors when trying to put and get .我正在尝试使用范围缩小的策略设置一个简单的 AWS SFTP 服务器,但在尝试putget时不断收到权限被拒绝错误。

Here is IAM Role with generic S3 bucket access:这是具有通用 S3 存储桶访问权限的 IAM 角色:

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::SOME-EXAMPLE-BUKCET"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
        }
    ]
}

And this is the scoped-down policy which I attach to the user when I create it in the SFTP panel:这是我在 SFTP 面板中创建它时附加给用户的范围缩小策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:UserName}/*",
                        "${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}

The goal is for a user to log in and land in their home directory with read/write/delete permissions for just that directory.目标是让用户登录并登陆他们的主目录,并拥有对该目录的读/写/删除权限。 I've tried various policies from the following links but never quite get what I need:我尝试了以下链接中的各种策略,但从未完全得到我需要的东西:

Connecting to AWS Transfer for SFTP 连接到 AWS Transfer for SFTP

https://docs.aws.amazon.com/transfer/latest/userguide/users.html https://docs.aws.amazon.com/transfer/latest/userguide/users.html

https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html

I always either get no access at all and everything is denied (ie can't even ls ).我总是要么根本无法访问,要么一切都被拒绝(即甚至不能ls )。 Or I can ls but can't do anything else like mkdir, put, get, etc...或者我可以ls但不能做任何其他事情,比如mkdir, put, get,等......

2 个解决方案

解决方案1
 0  2019-10-29 01:35:50

In the scoped-down policy, why do you use transfer:UserName in the ListBucket condition rather than transfer:HomeDirectory like in the Put/Get/DeleteObject statement?在范围缩小的策略中,为什么要在 ListBucket 条件中使用 transfer:UserName 而不是像在 Put/Get/DeleteObject 语句中那样使用 transfer:HomeDirectory? Is the HomeDirectory of the user the same as its username?用户的 HomeDirectory 是否与其用户名相同?

What happens when you try something like this?当你尝试这样的事情时会发生什么?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeDirectory}/*",
                        "${transfer:HomeDirectory}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}

解决方案2
 -1  2019-12-16 07:51:43

Do not use ${transfer:Username} in the scoped down policy.不要在范围向下的策略中使用 ${transfer:Username}。 Also, make sure you specify it as Policy key within secrets manager.此外,请确保将其指定为机密管理器中的策略密钥。

I have documented the full setup here in case you need to reference it - https://coderise.io/sftp-on-aws-with-username-and-password/我在这里记录了完整的设置,以防您需要参考它 - https://coderise.io/sftp-on-aws-with-username-and-password/

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法通过 FileZilla/SFTP 删除 AWS Lightsail 上的文件,权限被拒绝 - Cannot delete files on AWS Lightsail via FileZilla/SFTP, permission denied 在AWS设置上使用Fastai库时保持拒绝获得权限 - Keep Getting Permission denied when using fastai library on AWS setting 权限被拒绝(公钥)。 连接 AWS 服务器时 - Permission denied (publickey). when connecting to AWS sever 使用KMS加密密钥时,无法使用AWS Transfer for SFTP读取或写入任何文件 - Unable to read or write any files using AWS Transfer for SFTP when using KMS encryption key 从 AWS CodePipeline 调用 AWS Lambda function 时权限被拒绝 - Permission denied when calling AWS Lambda function from AWS CodePipeline AWS CLI 权限被拒绝? - AWS CLI permission denied? AWS Organizations 权限被拒绝 - AWS Organizations permission denied AWS权限被拒绝(公钥) - AWS Permission denied (publickey) 权限被拒绝(公钥)AWS - Permission Denied (publickey) AWS 尝试使用 GCP IAM 身份验证从 Vault 读取机密时出现 403 权限被拒绝 - 403 Permission Denied when trying to read Secrets from Vault using GCP IAM auth
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM