Hi fellas!! I followed the instructions from:
[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#custom-lambda-idp] (Working with custom identity providers)
[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#authentication-lambda-examples] (Default Lambda Functions)
but the lambda function fails:
I used a template through Cloudformation:
- aws-transfer-custom-idp-secrets-manager-lambda.template.yml
The error I get when an FTPS client tries to log in is:
Error Talking to SecretsManager: ResourceNotFoundException, Message: An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret.
The lambda function has a related Role with the Permissions Policies:
IAMFullAccess
AWSLambdaBasicExecutionRole
SecretsManagerReadWrite
and a Customer inline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:eu-west-2:#NUMBER#:secret:aws/transfer/*",
      "Effect": "Allow"
    }
  ]
}
The parameter SecretId that the failing function receives (client.get_secret_value(SecretId=id)) is built by concatenating "aws/transfer/" + input_serverId + "/" + input_username
The input IAM user (input_username) has the Policies:
AmazonS3FullAccess
AmazonS3ObjectLambdaExecutionRolePolicy
AWSLambda_FullAccess
AWSLambdaBasicExecutionRole
AWSLambdaExecute
AWSTransferFullAccess
AWSTransferLoggingAccess
and a Customer inline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteS3",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::#S3_BUCKET_ID#"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": [
        "arn:aws:s3:::#S3_BUCKET_ID#/*"
      ]
    }
  ]
}
What could be the problem?
Hi Didier, first thanks for your prompt answer. Indeed, I modified the lambda code to write out the SecretId ("aws/transfer/"+input_serverId+"/"+input_username) --> aws/transfer/s-dcf3160ff0fb40c3a/camera_lambda. I don't know if that concatenation (provided by the template) is the right way to build the ARN, because it doesn't look like an ARN structure (but is it an 'alias'?). The CFN stack creates a LambdaExecutionRole, with the policy LambdaSecretPolicy related to a Resource:
Fn::Sub: - arn:${AWS::Partition}:secretsmanager:${SecretsRegion}:${AWS::AccountId}:secret:aws/transfer/*
I guess, following your advice, that would be the structure that the function should build. I will try it and let you know the result.
Thank you!
The CFN template stack didn't create any secret, so I created it in Secrets Manager on my own. Now the function works, returning the proper ['HomeDirectory'] and resp_data['Role']; that Role has these permissions:
2 - Other customer inline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteS3",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::arantec-ftp"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": [
        "arn:aws:s3:::arantec-ftp/*"
      ]
    }
  ]
}
The Managed Workflows execution role is the proper one and the workflow has access to "arn:aws:s3:::arantec-ftp/*". But the FTPS client can't access the S3 resource, returning "530 Authentication failed." I don't know where the error could be... keep trying.
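The two things the thread is chasing are how the SecretId is assembled from serverId and username (it is a secret name, not an ARN; GetSecretValue accepts either) and what the Lambda must hand back so the client does not see "530 Authentication failed." (an empty body means "deny"). The following is an added example written for this thread, not the AWS template's code nor the poster's function. It replaces Secrets Manager with an in-memory dictionary of constructed secrets so it runs offline; the secret JSON keys (Password, Role, HomeDirectory, Policy) mirror the shape used by the AWS default example, the username and serverId regexes are assumptions added here to keep the lookup from being steered to another secret path, and all ARNs and bucket names are placeholders.

```python
import hmac
import json
import re

# Naming convention from the template quoted in the thread: the secret *name*
# is aws/transfer/<serverId>/<username>; Secrets Manager resolves it without
# an ARN because SecretId may be a name or an ARN.
SECRET_PREFIX = "aws/transfer/"

# Assumptions for this example: keep user-supplied parts of the secret name to
# a conservative alphabet so neither "/" nor ".." can change which secret is
# read. Transfer server ids in the thread look like s-<17 hex chars>.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{3,100}$")
SERVER_ID_RE = re.compile(r"^s-[0-9a-f]{17}$")


class ResourceNotFoundException(Exception):
    """Stand-in for the botocore ClientError seen in the thread."""


# Constructed stand-in for Secrets Manager. Values are placeholders only.
CONSTRUCTED_SECRETS = {
    "aws/transfer/s-0123456789abcdef0/alice": json.dumps({
        "Password": "correct-horse-battery-staple",
        "Role": "arn:aws:iam::111122223333:role/EXAMPLE-transfer-user-role",
        "HomeDirectory": "/EXAMPLE-bucket/alice",
        "Policy": "",
    }),
}


def build_secret_id(server_id: str, username: str) -> str:
    """Assemble the secret name exactly as the template concatenates it,
    after validating both inputs (validation is this example's addition)."""
    if not SERVER_ID_RE.fullmatch(server_id):
        raise ValueError("unexpected serverId format")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return f"{SECRET_PREFIX}{server_id}/{username}"


def get_secret_value(secret_id: str) -> dict:
    """Mimic client.get_secret_value(SecretId=...) against the constructed store."""
    try:
        raw = CONSTRUCTED_SECRETS[secret_id]
    except KeyError:
        raise ResourceNotFoundException(
            "Secrets Manager can't find the specified secret") from None
    return json.loads(raw)


def authenticate(event: dict) -> dict:
    """Return the body Transfer Family expects from a custom IdP Lambda:
    Role (plus optional HomeDirectory/Policy) on success, {} on any failure.
    An empty body is what the FTPS client sees as '530 Authentication failed.'"""
    username = event.get("username", "")
    server_id = event.get("serverId", "")
    password = event.get("password", "")

    try:
        secret = get_secret_value(build_secret_id(server_id, username))
    except (ValueError, ResourceNotFoundException) as exc:
        # Log the reason for the operator; the client only ever gets a deny.
        print(f"lookup failed for user={username!r}: {exc}")
        return {}

    expected = secret.get("Password")
    # Constant-time comparison so response timing does not leak how much of
    # the password matched.
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return {}

    role = secret.get("Role", "")
    if not role.startswith("arn:aws:iam::"):
        # A matched password is useless without a Role ARN for the session.
        return {}

    response = {"Role": role}
    if secret.get("HomeDirectory"):
        response["HomeDirectory"] = secret["HomeDirectory"]
    if secret.get("Policy"):
        response["Policy"] = secret["Policy"]
    return response
```

When wiring this pattern to a real Lambda, the body of `authenticate` is what the handler returns, `get_secret_value` is replaced by the boto3 call, and the secret must exist under the exact name `build_secret_id` produces in the region the function reads from; the log line on the failure path is the one to look for in CloudWatch when a client reports 530.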