
AWS SFTP Custom authentication with API Gateway and EFS as backend storage.


I'm following the CloudFormation template provided at the URL below to create an AWS SFTP service with a custom identity provider (API Gateway) and Secrets Manager to store the user credentials. The API Gateway integrates the SFTP Transfer server with a Lambda function that processes the gateway request and queries Secrets Manager.
Is password authentication with a custom identity provider (API Gateway) and EFS specifically supported in AWS? If so, can someone give me a hint as to how to configure the secret in Secrets Manager so that the UID, GID and secondary GIDs are set? I'm specifically looking for help on this.
Most of the documentation only covers Transfer Family with S3 as the backend storage, including the examples on scope-down policies etc. Any help on this requirement is highly appreciated.

https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/

asked 4 years ago, 1.5K views
2 Answers

Hello srinathaws@,

To answer your question: yes, a custom IDP with EFS is supported by AWS Transfer Family.
For setting up a custom IDP with EFS, you can use the following parameters in your user configuration (added as key/value pairs in the secret):

Password: <password>
Role: arn:aws:iam::<account-id>:role/sftp-efs-full-access
HomeDirectoryType: LOGICAL
HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]
PosixProfile: {"Uid": 123, "Gid": 456,"SecondaryGids": []}

Further, the default Lambda code doesn't include PosixProfile in its response to API Gateway, so you have to update it so that it fetches PosixProfile from Secrets Manager and forwards it. The following are two lines you can add to the Lambda code. Typically, you would add them at the same place where you fetch the Role details from the secret.

Example: 

import json  # already imported at the top of the sample Lambda

# Existing handling of the Role key in the sample Lambda:
if 'Role' in resp_dict:
    resp_data['Role'] = resp_dict['Role']
else:
    print("No field match for role - Set empty string in response")
    resp_data['Role'] = ''

# Add these two lines next to it: PosixProfile is stored in the secret as a
# JSON string, so parse it into an object before returning it to API Gateway.
if 'PosixProfile' in resp_dict:
    resp_data['PosixProfile'] = json.loads(resp_dict['PosixProfile'])

Let me know if you have questions.

Sagar (AWS, Expert)
answered 4 years ago
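As an added example (not the answer's or the AWS sample Lambda's own code), this is how a Lambda could turn the Secrets Manager key/value pairs listed above into the response Transfer Family expects: PosixProfile is parsed from its stored JSON string, and the directory mappings are checked for absolute paths before the response is returned. The secret contents and file system id are constructed placeholders, and it is an assumption that HomeDirectoryDetails is forwarded as a JSON string.

```python
import hmac
import json

# Constructed stand-in for the parsed SecretString of a Transfer Family user secret.
# The real Lambda fetches this from Secrets Manager; every value is stored as a string.
SAMPLE_SECRET = {
    "Password": "example-password",
    "Role": "arn:aws:iam::123456789012:role/sftp-efs-full-access",
    "HomeDirectoryType": "LOGICAL",
    "HomeDirectoryDetails": '[{"Entry": "/abc", "Target": "/fs-0123456789abcdef0/abc"}]',
    "PosixProfile": '{"Uid": 123, "Gid": 456, "SecondaryGids": []}',
}


def build_transfer_response(secret, password):
    """Build the identity-provider response for one login attempt.

    Returns {} to deny access. PosixProfile is parsed into an object for EFS,
    while HomeDirectoryDetails is forwarded as a JSON string (an assumption
    about the API Gateway response model, not something the thread states).
    """
    stored = secret.get("Password", "")
    # Constant-time comparison so timing does not reveal how much of the password matched.
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return {}
    response = {"Role": secret["Role"]}
    home_type = secret.get("HomeDirectoryType", "PATH")
    response["HomeDirectoryType"] = home_type
    if home_type == "LOGICAL":
        mappings = json.loads(secret["HomeDirectoryDetails"])
        for m in mappings:
            # EFS targets look like /<fs-id>/<dir>; reject relative entries up front.
            if not (m["Entry"].startswith("/") and m["Target"].startswith("/")):
                raise ValueError("HomeDirectoryDetails entries must be absolute paths")
        response["HomeDirectoryDetails"] = json.dumps(mappings)
    else:
        home = secret.get("HomeDirectory", "/")
        if not home.startswith("/"):
            raise ValueError("HomeDirectory must be an absolute path starting with '/'")
        response["HomeDirectory"] = home
    if "PosixProfile" in secret:
        profile = json.loads(secret["PosixProfile"])
        # EFS needs integer Uid/Gid; SecondaryGids must be a list of integers.
        if not isinstance(profile.get("Uid"), int) or not isinstance(profile.get("Gid"), int):
            raise ValueError("PosixProfile Uid and Gid must be integers")
        profile["SecondaryGids"] = [int(g) for g in profile.get("SecondaryGids", [])]
        response["PosixProfile"] = profile
    return response
```

A wrong password yields an empty response, which Transfer Family treats as an authentication failure; a relative HomeDirectory fails in the Lambda rather than surfacing later as the AUTH_FAILURE log line seen in this thread.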

Hello,

I have stored the "PosixProfile" in the Lambda code, but it only works with this syntax:

posixprofile = lookup(secret_dict, "PosixProfile", input_protocol)
if posixprofile:
    response_data["PosixProfile"] = json.loads(posixprofile)

Unfortunately, I can't connect to the EFS using FileZilla. Error message in the log:

AUTH_FAILURE Method=password User=-efs Message="HomeDirectory must be an absolute path starting with '/'" SourceIP=

I have the assumption that something has changed with these keys:

HomeDirectoryType: LOGICAL
HomeDirectoryDetails: [{"Entry": "/abc", "Target": "/<fs-id>/abc"}]

I followed this guide: https://aws.amazon.com/en/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

BR

answered 2 years ago
