Unable to read directory: permission denied when using AWS SFTP

Time: 2019-10-28 22:41:02

Tags: amazon-web-services amazon-s3 sftp amazon-iam

I am trying to set up a simple AWS SFTP server with a scope-down policy, but I keep getting permission denied errors when trying to put or get.

Here is the IAM role with general S3 bucket access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
        }
    ]
}

Here is the scope-down policy that gets attached to the user when it is created in the SFTP console:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:UserName}/*",
                        "${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}

The goal is for the user to log in and land in their home directory, with read/write/delete permissions on that directory. I have tried various policies from the following links but never got what I need:

Connecting to AWS Transfer for SFTP

https://docs.aws.amazon.com/transfer/latest/userguide/users.html

https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html

I always either have no access at all and everything is denied (i.e. I cannot even ls), or I can ls but cannot do anything else, such as mkdir, put, get, etc...

2 answers:

Answer 0 (score: 0)

In the scope-down policy, why are you using transfer:UserName in the ListBucket condition rather than transfer:HomeDirectory as in the Put/Get/DeleteObject statements? Is the user's HomeDirectory the same as the user name?

What happens if you try this?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeDirectory}/*",
                        "${transfer:HomeDirectory}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}
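As an added example (not from the question or either answer), the following Python renders a scope-down policy with the session values AWS Transfer substitutes at login and then checks the two requests an SFTP ls and put in the home directory need: ListBucket with the home folder as prefix, and PutObject on a key under it. It assumes ${transfer:HomeDirectory} has the form bucket/folder; the policy and the user values are constructed, and the evaluator handles Allow statements only.

```python
import fnmatch
import json

# Constructed scope-down policy in the shape of the question's: the ListBucket
# prefix condition is keyed on the user name, the object statement on HomeDirectory.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:UserName}/*", "${transfer:UserName}"]}}},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"]},
    ],
}

def render(policy, home_directory, user_name):
    """Substitute the session variables; home_directory is 'bucket/folder' (assumed)."""
    bucket = home_directory.split("/", 1)[0]
    text = json.dumps(policy)
    for var, val in (("HomeBucket", bucket), ("HomeDirectory", home_directory),
                     ("UserName", user_name)):
        text = text.replace("${transfer:%s}" % var, val)
    return json.loads(text)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allowed(policy, action, resource_arn, prefix=None):
    """Allow-only evaluation: action and resource must glob-match, and an
    s3:prefix StringLike condition, if present, must match the requested prefix."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None and not any(fnmatch.fnmatchcase(prefix or "", p)
                                        for p in _as_list(cond)):
            continue
        return True
    return False

def sftp_login_checks(policy, home_directory, user_name):
    """Result of 'ls' and 'put' in the home directory for one rendered session."""
    p = render(policy, home_directory, user_name)
    bucket, folder = home_directory.split("/", 1)
    return {"ls": allowed(p, "s3:ListBucket", "arn:aws:s3:::" + bucket, prefix=folder + "/"),
            "put": allowed(p, "s3:PutObject", "arn:aws:s3:::%s/%s/file.txt" % (bucket, folder))}
```

With a home directory of SOME-EXAMPLE-BUCKET/alice for user alice both checks pass; with SOME-EXAMPLE-BUCKET/home/alice the put still passes but the ls is denied, because the prefix condition and the object resource no longer describe the same folder.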

Answer 1 (score: 0)

Do not use ${transfer:Username} in the scope-down policy. Also, make sure you specify it as the Policy key in Secrets Manager.

I have documented the full setup here for your reference: https://coderise.io/sftp-on-aws-with-username-and-password/