I want my AWS Transfer Family server in my AWS account to access an Amazon Elastic File System (Amazon EFS) file system in another account. I also want to set up my Transfer Family server with cross-account access to the Amazon EFS file system.
Resolution
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To configure your Transfer Family server, create an AWS Identity and Access Management (IAM) role in account A with access to the file system in account B. Then, create a Transfer Family server user that's configured with the IAM role in account A. Verify that your Transfer Family server user in account A can access the file system in account B.
Note: The AWS Transfer Family console shows only the Amazon EFS file system that's in the same account. To use your Transfer Family server with a file system that's in another account, use the AWS CLI or an AWS SDK.
Create an IAM role in account A with access to the file system
Create an IAM role for your server users. For the role's IAM policy, use the following policy statement (replace region, accountB-id and file-system-id with your own values):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RootFileSystemAccess",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
        }
    ]
}
Add the following statement to the file system policy of the Amazon EFS file system in account B. The statement grants the IAM role from account A the same three EFS client actions (replace accountA-id, RoleName, region, accountB-id and file-system-id with your own values):
{
    "Sid": "EFS-TransferFamily",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::accountA-id:role/RoleName"
    },
    "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
    ],
    "Resource": "arn:aws:elasticfilesystem:region:accountB-id:file-system/file-system-id"
}
Create a Transfer Family server user with the IAM role in account A
Run the following create-user AWS CLI command to create a Transfer Family user. The home directory must start with the ID of the file system in account B:
aws transfer create-user --user-name "sftp" --server-id "SERVER-ID" --role "arn:aws:iam::accountA-id:role/RoleName" --home-directory "/file-system-id/username"
The command returns the server ID and the username.
Example output:
{
    "ServerId": "MY_SERVER_ID",
    "UserName": "MY_SERVER_USER_NAME"
}
Verify that your Transfer Family server user in account A can access the file system in account B
Complete the following steps:
- Connect to your server as the user that you created. You can run the following sftp OpenSSH command to connect:
sftp -i myserveruser MY_SERVER_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com
- List the home directory of the file system. If you use OpenSSH, then run the ls command:
ls
If the command returns the contents of the home directory, then your server user has cross-account access to the Amazon EFS file system.
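The following Python script is an added example and is not part of this article or of any AWS tooling. It generates the two policy documents described above (the role's identity policy in account A and the file system policy statement in account B) from a single set of inputs, cross-checks them before anything is deployed, and prints the AWS CLI commands that apply them. The cross-check catches the mistakes that most often break this setup: a resource ARN that differs between the two policies, a principal that does not match the role you actually created, a placeholder left in an account ID, or a home directory that does not start with the file system ID. The account IDs, region, file system ID and role name are constructed placeholders. The trust policy for the role (which lets transfer.amazonaws.com assume it) is not shown on the page; it is included here because a Transfer Family role needs one, and the aws:SourceAccount condition in it is an added hardening step that limits the role to servers in your own account.

```python
import json
import re
import shlex

# Constructed placeholder values; replace them with your own.
ACCOUNT_A = "111111111111"          # account that owns the Transfer Family server
ACCOUNT_B = "222222222222"          # account that owns the EFS file system
REGION = "us-east-1"
FILE_SYSTEM_ID = "fs-0123456789abcdef0"
ROLE_NAME = "TransferFamilyEfsCrossAccountRole"

# The three EFS client actions the article grants, and nothing more.
EFS_CLIENT_ACTIONS = [
    "elasticfilesystem:ClientRootAccess",
    "elasticfilesystem:ClientMount",
    "elasticfilesystem:ClientWrite",
]


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def file_system_arn(region, account_id, fs_id):
    return f"arn:aws:elasticfilesystem:{region}:{account_id}:file-system/{fs_id}"


def trust_policy(server_account_id):
    """Trust policy for the role in account A: only the Transfer Family service
    may assume it, and only on behalf of servers in server_account_id
    (the aws:SourceAccount condition is an addition beyond the article)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "transfer.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": server_account_id}},
        }],
    }


def role_policy(region, fs_account_id, fs_id):
    """Identity policy attached to the role in account A (first policy on the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RootFileSystemAccess",
            "Effect": "Allow",
            "Action": list(EFS_CLIENT_ACTIONS),
            "Resource": file_system_arn(region, fs_account_id, fs_id),
        }],
    }


def file_system_policy(region, fs_account_id, fs_id, role_account_id, role_name):
    """Resource policy for the file system in account B (second policy on the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EFS-TransferFamily",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(role_account_id, role_name)},
            "Action": list(EFS_CLIENT_ACTIONS),
            "Resource": file_system_arn(region, fs_account_id, fs_id),
        }],
    }


def check_consistency(role_doc, fs_doc, role_account_id, role_name, fs_id, home_directory):
    """Return a list of problems; an empty list means both policies line up."""
    problems = []
    role_stmt, fs_stmt = role_doc["Statement"][0], fs_doc["Statement"][0]
    if role_stmt["Resource"] != fs_stmt["Resource"]:
        problems.append("resource ARN differs between the role policy and the file system policy")
    if fs_stmt["Principal"]["AWS"] != role_arn(role_account_id, role_name):
        problems.append("file system policy principal does not match the role in account A")
    # A leftover placeholder such as 'accountA-id' is not a 12-digit account ID.
    if not re.fullmatch(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+", fs_stmt["Principal"]["AWS"]):
        problems.append("principal ARN does not contain a 12-digit account ID")
    if set(role_stmt["Action"]) != set(EFS_CLIENT_ACTIONS) or set(fs_stmt["Action"]) != set(EFS_CLIENT_ACTIONS):
        problems.append("actions are not exactly the three EFS client actions")
    if not home_directory.startswith(f"/{fs_id}/"):
        problems.append("home directory must start with /<file-system-id>/")
    return problems


def cli_commands(server_id, user_name, home_directory):
    """AWS CLI commands that apply the generated documents. The first three run
    with account A credentials, the last one with account B credentials."""
    q = lambda doc: shlex.quote(json.dumps(doc))
    return [
        f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document {q(trust_policy(ACCOUNT_A))}",
        f"aws iam put-role-policy --role-name {ROLE_NAME} --policy-name EfsAccess "
        f"--policy-document {q(role_policy(REGION, ACCOUNT_B, FILE_SYSTEM_ID))}",
        f"aws transfer create-user --user-name {user_name} --server-id {server_id} "
        f"--role {role_arn(ACCOUNT_A, ROLE_NAME)} --home-directory {home_directory}",
        f"aws efs put-file-system-policy --file-system-id {FILE_SYSTEM_ID} "
        f"--policy {q(file_system_policy(REGION, ACCOUNT_B, FILE_SYSTEM_ID, ACCOUNT_A, ROLE_NAME))}",
    ]


if __name__ == "__main__":
    home = f"/{FILE_SYSTEM_ID}/sftp"
    rp = role_policy(REGION, ACCOUNT_B, FILE_SYSTEM_ID)
    fp = file_system_policy(REGION, ACCOUNT_B, FILE_SYSTEM_ID, ACCOUNT_A, ROLE_NAME)
    for problem in check_consistency(rp, fp, ACCOUNT_A, ROLE_NAME, FILE_SYSTEM_ID, home):
        print("PROBLEM:", problem)
    for cmd in cli_commands("s-0123456789abcdef0", "sftp", home):
        print(cmd)
```

The efs put-file-system-policy command replaces the whole file system policy, so if the file system in account B already has one, merge the generated statement into it instead of running that command as printed.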
Related information
Create an SFTP-enabled server
Creating file system policies
How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?
Configuring cross-account access for Transfer Family