amazon-web-services - 连接到适用于SFTP的AWS Transfer

我无法连接到AWS Transfer for SFTP。我成功设置了服务器，并尝试使用WinSCP进行连接。

我设置了具有信任关系的IAM角色，如下所示:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我使用主目录homebucket和主目录homedir将它与范围缩小策略described in the documentation配对

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListHomeDir",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}"
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

我能够使用ssh密钥进行身份验证，但是当涉及到实际读取/写入文件时，我只是不断收到不透明的错误，如“错误查找homedir”和“readdir”失败。这一切都非常类似于我的IAM政策问题，但我无法弄清楚。

最佳答案

我们在将范围缩小策略与AWS Transfer上的用户一起使用时遇到类似的问题。对我们有用的解决方案是创建两种不同的策略。

附加到对整个存储桶具有一般权限的角色的策略。

适用于用户的范围缩小策略，该策略利用诸如{transfer:UserName}之类的传输服务变量。

我们得出的结论是，也许只有附加的策略才能解析传输服务变量。我们不确定这是否正确以及这是否是最佳解决方案，因为这在允许附加范围缩小策略以创建一种“admin”用户时会带来潜在的风险。因此，我很高兴能得到进一步的锁定。

查看传输用户详细信息时，它在控制台中的外观如下:

amazon-web-services - 连接到适用于SFTP的AWS Transfer-LMLPHP

这是我们使用的两个策略:
附加到IAM角色的一般政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3::: my-s3-bucket/*"
        }
    ]
}

范围缩小政策适用于转移用户

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:UserName}/*",
                        "${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

关于amazon-web-services - 连接到适用于SFTP的AWS Transfer，我们在Stack Overflow上找到一个类似的问题：https://stackoverflow.com/questions/53642132/