admin管理员组文章数量:1131210
I have deployed WebApp successfully and was able to see S3 objects on the WebApp Console with SSO login. But that does not fulfill our final requirement so updating all steps for help if you anyone has used similar scenario before.
I have created webApp with Identity Center integration and here is IAM Role attached to WebApp IAM Role: AWSTransferWebAppIdentityBearer-us-west-2 Trust Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws"
},
"Action": [
"sts:AssumeRole",
"sts:SetContext"
]
}
]
}
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetDataAccess",
"s3:ListCallerAccessGrants",
"s3:ListAccessGrantsInstances"
],
"Resource": "*"
}
]
}
Created S3 bucket with CORS and bucket Policy:
# S3 Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:role/service-role/AWSTransferWebAppIdentityBearer-us-west-2"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::webappbucket",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:username}/*"
}
}
}
]
}
Cross-origin resource sharing (CORS)
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT",
"POST",
"DELETE",
"HEAD"
],
"AllowedOrigins": [
";
],
"ExposeHeaders": [
"last-modified",
"content-length",
"etag",
"x-amz-version-id",
"content-type",
"x-amz-request-id",
"x-amz-id-2",
"date",
"x-amz-cf-id",
"x-amz-storage-class",
"access-control-expose-headers"
],
"MaxAgeSeconds": 3000
}
]
Created S3 grant instance with IAM Identity Center: Registered S3 Grant Location:
Grant Location IAM Role: AWSTransferWebAppIdentityAccessGrantLocation Trust Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "access-grants.s3.amazonaws"
},
"Action": [
"sts:AssumeRole",
"sts:SetContext"
]
}
]
}
IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ObjectLevelReadPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "1111111111"
},
"ArnEquals": {
"s3:AccessGrantsInstanceArn": [
"arn:aws:s3:us-west-2:1111111111:access-grants/default"
]
}
}
},
{
"Sid": "ObjectLevelWritePermissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "1111111111"
},
"ArnEquals": {
"s3:AccessGrantsInstanceArn": [
"arn:aws:s3:us-west-2:1111111111:access-grants/default"
]
}
}
},
{
"Sid": "BucketLevelReadPermissions",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "1111111111"
},
"ArnEquals": {
"s3:AccessGrantsInstanceArn": [
"arn:aws:s3:us-west-2:1111111111:access-grants/default"
]
}
}
},
{
"Sid": "KMSPermissions",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"*"
]
}
]
}
I have two folder in S3 bucket for two users and both are accessible to both users. Trying to restrict folder list access to current logged in user only. Can somebody help if it is achievable in webapp configuration. WebApp feature is very basic, like college project.
本文标签: amazon web servicesTransfer Family Server S3 grant access based on federated SSO userStack Overflow
版权声明:本文标题:amazon web services - Transfer Family Server S3 grant access based on federated SSO user - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1736765683a1951803.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论