By using AWS re:Post, you agree to the AWS re:Post Terms of Use

FTPS - Lambda - Transfer Family - S3

0

Hi fellas!! I followed the instructions from:

[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#custom-lambda-idp] (Working with custom identity providers)

[https://docs.aws.amazon.com/transfer/latest/userguide/custom-identity-provider-users.html#authentication-lambda-examples] (Default Lambda Functions)

but the lambda function fails: I used a template through Cloudformation:

  • aws-transfer-custom-idp-secrets-manager-lambda.template.yml

The error I get when a ftps client try to LOG IN is:

Error Talking to SecretsManager: ResourceNotFoundException, Message: An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret.

The lambda function has a related Rol with the Permissions Policies: IAMFullAccess AWSLambdaBasicExecutionRole SecretsManagerReadWrite and a Customer inline:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-2:#NUMBER#:secret:aws/transfer/*",
            "Effect": "Allow"
        }
    ]
}

The parameter SecretId that the errored function receives (client.get_secret_value(SecretId=id)) is by concatenating "aws/transfer/" + input_serverId + "/" + input_username

The input IAM user (input_username) has the Policies:

AmazonS3FullAccess AmazonS3ObjectLambdaExecutionRolePolicy AWSLambda_FullAccess AWSLambdaBasicExecutionRole AWSLambdaExecute AWSTransferFullAccess AWSTransferLoggingAccess and a Customer inline:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::#S3_BUCKET_ID#"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::#S3_BUCKET_ID#/*"
            ]
        }
    ]
}

Which could be the problem?

1 Answer
1

Hi,

you should - at least for debug - modify your lambda to log in CloudWatch the ARN of the secret that it tries to access in Secret Manager and see if it matches with the ARN of the secret created by your CFN stack.

ResourceNotFoundException usually means that the resource doesn't exist and not that you don't have the rights to access it.

Best, Didier

profile pictureAWS
EXPERT
answered a year ago
  • Hi Didier, first thanks for your prompt answer. Indeed, I modified the lambda code to write out the SecredId ("aws/transfer/"+input_serverId+"/"+input_username) --> aws/transfer/s-dcf3160ff0fb40c3a/camera_lambda I don't know if that concatenation (provided by the template) is the right way to build the ARN, because doesn't look like an ARN structure (but is an 'alias'?) . The CFN stack creates a LambdaExecutionRole, with the policy LambdaSecretPolicy related with a Resource:

    Fn::Sub: - arn:${AWS::Partition}:secretsmanager:${SecretsRegion}:${AWS::AccountId}:secret:aws/transfer/*

    I guess, following your advisement, that would be the structure that the function should build. I will try it, and let you know the result.

    Thank you!

  • The CFN template Stack didn't have any Secret Name creation, so I did it in the Secret Manager by my own. Now the function works, returning the proper ['HomeDirectory'] and resp_data['Role'], Role that has permissions:

    • AmazonS3FullAccess, AWSTransferConsoleFullAccess, AWSTransferFullAccess, AmazonS3ObjectLambdaExecutionRolePolicy, SimpleWorkflowFullAccess and a couple costumer inline: 1- { "Version": "2012-10-17", "Id": "default", "Statement": [ { "Sid": "AllowTransferInvocation", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-2:#NUMBER#:function:FTP-CAMERA-GetUserConfigLambda-XxgZvF5o7nst", "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:transfer:eu-west-2:#NUMBER#:server/s-dcf3160ff0fb40c3a" } } } ] }
  • 2 - Other costumer inline: { "Version": "2012-10-17", "Statement": [ { "Sid": "ReadWriteS3", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::arantec-ftp" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectTagging", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", "s3:GetObjectVersionTagging", "s3:GetObjectACL", "s3:PutObjectACL" ], "Resource": [ "arn:aws:s3:::arantec-ftp/*" ] } ] }

  • The Managed workflows execution role is the proper one and the workflow access to the "arn:aws:s3:::arantec-ftp/*". But the FTPS client can't access to the S3 resource, returning "530 Authentication failed." I don't know where it could be the error... keep trying.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions