AWS Transfer for SFTP miam configuration
# Logging role: assumed by the AWS Transfer service to write server logs
# to CloudWatch Logs.
role 'sftp-logging', path: '/' do
  # Trust policy helper (defined elsewhere, not visible here); presumably
  # emits an sts:AssumeRole statement for transfer.amazonaws.com. Worth
  # confirming that it also pins aws:SourceAccount/aws:SourceArn so another
  # account's Transfer server cannot assume this role.
  IamSupport.assume_role_policy_for_service(self, %w[transfer.amazonaws.com])

  # NOTE(review): CloudWatchLogsFullAccess is broader than the log-group /
  # log-stream writes Transfer needs; a scoped customer-managed policy would
  # be the least-privilege alternative.
  logging_policies = %w[arn:aws:iam::aws:policy/CloudWatchLogsFullAccess]
  attached_managed_policies(*logging_policies)
end
# User role: the role every SFTP user's session runs under for S3 access.
# It is intentionally bucket-wide; per-user narrowing is done by the
# scope-down policy (see 'sftp-alice'), and the effective permission is the
# intersection of this role and that scope-down policy.
role 'sftp-s3', path: '/' do
  # Trust policy helper (defined elsewhere, not visible here); presumably
  # emits an sts:AssumeRole statement for transfer.amazonaws.com — verify it
  # constrains the caller with aws:SourceAccount/aws:SourceArn.
  IamSupport.assume_role_policy_for_service(self, %w[transfer.amazonaws.com])

  # MY_ACCOUNT_ID is expected to be defined by the surrounding miam setup.
  user_policy_arn = "arn:aws:iam::#{MY_ACCOUNT_ID}:policy/sftp-bw"
  attached_managed_policies(user_policy_arn)
end
# Base user policy, independent of the individual user: bucket-wide
# privileges on 'mybucket'. Every SFTP user's role carries this, so anything
# granted here is reachable by any user whose scope-down policy also allows
# it — keep the action list minimal.
# NOTE(review): the scope-down policy below lists s3:GetObjectVersion and
# s3:DeleteObjectVersion, but they are not granted here; since the effective
# permission is the intersection, those actions are inert unless added here
# deliberately.
managed_policy 'sftp-bw', path: '/' do
  # Bucket-level actions needed to list the bucket and resolve its region.
  bucket_statement = {
    'Effect' => 'Allow',
    'Action' => %w[s3:ListBucket s3:GetBucketLocation],
    'Resource' => ['arn:aws:s3:::mybucket'],
  }

  # Object-level read/write/delete on every key in the bucket.
  object_statement = {
    'Effect' => 'Allow',
    'Action' => %w[s3:PutObject s3:GetObject s3:DeleteObject],
    'Resource' => ['arn:aws:s3:::mybucket/*'],
  }

  {
    'Version' => '2012-10-17',
    'Statement' => [bucket_statement, object_statement],
  }
end
# Per-user scope-down policy for user 'alice'. The ${transfer:...} variables
# are AWS Transfer policy variables resolved at session time from the user's
# configured home directory, so the same document confines each user to
# their own folder. It only narrows what the 'sftp-s3' role already grants.
# NOTE(review): Transfer takes a scope-down policy as an inline document on
# the user, not as an attached managed policy; confirm how this definition
# is consumed.
managed_policy 'sftp-alice', path: '/' do
  # Listing is allowed only when the requested prefix is the user's home
  # folder or something beneath it.
  listing_statement = {
    'Sid' => 'AllowListingOfUserFolder',
    'Effect' => 'Allow',
    'Action' => %w[s3:ListBucket],
    'Resource' => %w[arn:aws:s3:::${transfer:HomeBucket}],
    'Condition' => {
      'StringLike' => {
        's3:prefix' => %w[${transfer:HomeFolder}/* ${transfer:HomeFolder}],
      },
    },
  }

  # Object access restricted to keys under the user's home directory.
  home_objects_statement = {
    'Sid' => 'HomeDirObjectAccess',
    'Effect' => 'Allow',
    'Action' => %w[
      s3:GetObject
      s3:GetObjectVersion
      s3:PutObject
      s3:DeleteObject
      s3:DeleteObjectVersion
    ],
    'Resource' => 'arn:aws:s3:::${transfer:HomeDirectory}/*',
  }

  {
    'Version' => '2012-10-17',
    'Statement' => [listing_statement, home_objects_statement],
  }
end