无法读取目录：使用 AWS SFTP 时权限被拒绝

Question

我正在尝试使用缩小策略设置一个简单的 AWS SFTP 服务器，但在尝试 put 和 get 时不断收到权限被拒绝错误。

这是具有通用 S3 存储桶访问权限的 IAM 角色：

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::SOME-EXAMPLE-BUKCET"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET/*"
        }
    ]
}

这是我在 SFTP 面板中创建用户时附加给用户的缩小策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:UserName}/*",
                        "${transfer:UserName}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}

目标是让用户登录并登陆他们的主目录，并拥有对该目录的读/写/删除权限。我尝试了以下链接中的各种策略，但从未完全得到我需要的：

Connecting to AWS Transfer for SFTP

https://docs.aws.amazon.com/transfer/latest/userguide/users.html

https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html

我要么根本无法访问，要么一切都被拒绝（即甚至不能ls）。或者我可以ls 但不能做任何其他事情，比如mkdir, put, get, 等等......

Answer 1

在缩小范围的策略中，为什么要在 ListBucket 条件中使用 transfer:UserName 而不是像在 Put/Get/DeleteObject 语句中那样使用 transfer:HomeDirectory？用户的 HomeDirectory 和用户名一样吗？

当你尝试这样的事情时会发生什么？

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeDirectory}/*",
                        "${transfer:HomeDirectory}"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::SOME-EXAMPLE-BUCKET"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/*",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        }
    ]
}

Answer 2

不要在范围向下的策略中使用 ${transfer:Username}。此外，请确保将其指定为机密管理器中的策略密钥。

我已经在此处记录了完整的设置以供您参考 - https://coderise.io/sftp-on-aws-with-username-and-password/