Setting up SFTP access to Amazon S3 via AWS Transfer
To set up SFTP access to Amazon S3 via AWS Transfer using Pulumi in TypeScript, you'll need to create a few AWS resources:
- An S3 Bucket: This is where the files will be stored.
- An IAM Role: This role will be used by AWS Transfer to access your S3 bucket.
- An AWS Transfer Server: This server will allow SFTP access to the S3 bucket.
- A User for AWS Transfer Server: This user will have permissions to access the S3 Bucket over SFTP.
Here's a breakdown of how you can create these resources using Pulumi:
- The `aws.s3.Bucket` resource is used to create an S3 bucket.
- The `aws.iam.Role` and `aws.iam.RolePolicyAttachment` resources create an IAM role with the permissions that allow AWS Transfer to interact with the S3 bucket and to write its logs to CloudWatch.
- The `aws.transfer.Server` resource creates an SFTP server using the AWS Transfer service.
- The `aws.transfer.User` resource creates a user on that server, and an `aws.transfer.SshKey` resource registers the SSH public key that you must provide for SFTP access to the S3 bucket through the AWS Transfer server.
Below is the code that puts all of these pieces together. Make sure to replace the placeholder `YOUR_SSH_PUBLIC_KEY` with the actual public key of the user who needs SFTP access.

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';

// Create an S3 bucket.
const s3Bucket = new aws.s3.Bucket('my-s3-bucket', {
    acl: 'private', // Sets the access to the bucket to private
});

// Create an IAM role which AWS Transfer will assume to manage files in S3.
const s3TransferRole = new aws.iam.Role('s3-transfer-role', {
    assumeRolePolicy: JSON.stringify({
        Version: '2012-10-17',
        Statement: [
            {
                Effect: 'Allow',
                Principal: {
                    Service: 'transfer.amazonaws.com', // Allows the AWS Transfer service to assume this role
                },
                Action: 'sts:AssumeRole',
            },
        ],
    }),
});

// Attach the AWS managed policy which provides full S3 access to the role.
// AmazonS3FullAccess covers every bucket in the account, not only the one above;
// replace it with a policy scoped to this bucket before using this in production.
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment('s3-transfer-role-policy-attachment', {
    role: s3TransferRole.name,
    policyArn: 'arn:aws:iam::aws:policy/AmazonS3FullAccess',
});

// The same role is used as the server's logging role, so it also needs permission
// to write to CloudWatch Logs, which AmazonS3FullAccess does not include.
const loggingPolicyAttachment = new aws.iam.RolePolicyAttachment('s3-transfer-role-logging-attachment', {
    role: s3TransferRole.name,
    policyArn: 'arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess',
});

// Create an AWS Transfer Server (SFTP).
const sftpServer = new aws.transfer.Server('sftp-server', {
    protocols: ['SFTP'], // Specifies the protocols allowed (in this case, only SFTP)
    identityProviderType: 'SERVICE_MANAGED', // Indicates that AWS will manage the identity provider
    loggingRole: s3TransferRole.arn, // Role the server assumes to write CloudWatch Logs
});

// SSH public key for the AWS Transfer user.
const sshPublicKey = 'YOUR_SSH_PUBLIC_KEY';

// Create a user for the AWS Transfer Server with permissions to access the S3 bucket.
const sftpUser = new aws.transfer.User('sftp-user', {
    serverId: sftpServer.id,
    userName: 'sftp-user', // Login name presented by the SFTP client
    role: s3TransferRole.arn, // ARN of the role which has S3 access (the argument is `role`, not `roleName`)
    homeDirectory: pulumi.interpolate`/${s3Bucket.id}`, // S3 path for the user's home directory (the bucket root)
});

// Register the SSH public key for the user. Keys are a separate resource,
// not an argument of aws.transfer.User.
const sftpUserKey = new aws.transfer.SshKey('sftp-user-key', {
    serverId: sftpServer.id,
    userName: sftpUser.userName,
    body: sshPublicKey,
});

// Export the bucket name and server endpoint details.
export const bucketName = s3Bucket.id;
export const sftpServerEndpoint = sftpServer.endpoint;
```
This program configures the S3 bucket as private so its files are not publicly accessible. It sets up the IAM role that AWS Transfer assumes when it reads and writes the bucket and when it writes logs to CloudWatch. It creates an SFTP server backed by the AWS Transfer service, and a Transfer user whose registered SSH public key authenticates it to that server, with the bucket root as its home directory. Two things to tighten before using this outside a test account: the AmazonS3FullAccess policy grants the role access to every bucket in the account, so replace it with a policy scoped to this bucket; and because the user's home directory is the bucket root and every user inherits the role's permissions, any additional users should get their own home directory prefix and a session policy (the `policy` argument of `aws.transfer.User`) that confines them to it.
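The policy documents that those two tightenings call for, as an added example that is not part of the original page and not Pulumi's or AWS's own code. It builds the trust policy, a bucket-scoped replacement for AmazonS3FullAccess, the CloudWatch Logs permissions the logging role needs, and a per-user session policy as plain JSON, plus a small review check that flags a wildcard S3 grant. The bucket name, account ID and region are constructed placeholders, the function names are this example's own, and the session policy assumes each user's home directory is a prefix inside the bucket (for example `/my-s3-bucket/alice`) rather than the bucket root.

```typescript
// Added example (not from the original page): least-privilege policy documents
// for the AWS Transfer SFTP setup, built as plain JSON so they can be reviewed
// and tested before anything is deployed. Account ID, region and bucket name
// below are constructed placeholders; the function names are this example's own.

type Statement = {
    Sid?: string;
    Effect: 'Allow' | 'Deny';
    Action: string | string[];
    Resource?: string | string[];
    Principal?: { Service: string };
    Condition?: Record<string, Record<string, string | string[]>>;
};

type PolicyDocument = { Version: '2012-10-17'; Statement: Statement[] };

// Trust policy for the Transfer role. The SourceAccount/SourceArn conditions stop a
// Transfer server in another account from assuming this role (confused deputy).
function transferTrustPolicy(region: string, accountId: string): PolicyDocument {
    return {
        Version: '2012-10-17',
        Statement: [{
            Effect: 'Allow',
            Principal: { Service: 'transfer.amazonaws.com' },
            Action: 'sts:AssumeRole',
            Condition: {
                StringEquals: { 'aws:SourceAccount': accountId },
                ArnLike: { 'aws:SourceArn': `arn:aws:transfer:${region}:${accountId}:server/*` },
            },
        }],
    };
}

// Access policy scoped to one bucket, to attach instead of AmazonS3FullAccess.
// s3:ListBucket applies to the bucket ARN; object actions apply to objects under it.
function bucketScopedS3Policy(bucketName: string): PolicyDocument {
    const bucketArn = `arn:aws:s3:::${bucketName}`;
    return {
        Version: '2012-10-17',
        Statement: [
            { Sid: 'ListBucket', Effect: 'Allow', Action: ['s3:ListBucket', 's3:GetBucketLocation'], Resource: bucketArn },
            { Sid: 'ObjectAccess', Effect: 'Allow',
              Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:GetObjectVersion'],
              Resource: `${bucketArn}/*` },
        ],
    };
}

// Permissions the logging role needs. AmazonS3FullAccess contains none of them, so a
// server whose loggingRole only has S3 access writes nothing to CloudWatch Logs.
// Assumption: Transfer writes to log groups named /aws/transfer/<server-id>.
function transferLoggingPolicy(region: string, accountId: string): PolicyDocument {
    const logGroupArn = `arn:aws:logs:${region}:${accountId}:log-group:/aws/transfer/*`;
    return {
        Version: '2012-10-17',
        Statement: [{
            Effect: 'Allow',
            Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:DescribeLogStreams', 'logs:PutLogEvents'],
            Resource: [logGroupArn, `${logGroupArn}:log-stream:*`],
        }],
    };
}

// Session policy for the `policy` argument of aws.transfer.User. The ${transfer:...}
// variables are filled in by the service at login, so one document confines every
// user to its own home directory even though all users share one IAM role.
// Single-quoted strings keep TypeScript from treating ${...} as a template expression.
function homeDirectorySessionPolicy(): PolicyDocument {
    return {
        Version: '2012-10-17',
        Statement: [
            { Sid: 'ListHomeFolder', Effect: 'Allow', Action: 's3:ListBucket',
              Resource: 'arn:aws:s3:::${transfer:HomeBucket}',
              Condition: { StringLike: { 's3:prefix': ['${transfer:HomeFolder}/*', '${transfer:HomeFolder}'] } } },
            { Sid: 'HomeFolderObjects', Effect: 'Allow',
              Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:GetObjectVersion'],
              Resource: 'arn:aws:s3:::${transfer:HomeDirectory}/*' },
        ],
    };
}

// Review check: does any Allow statement grant a wildcard S3 action on every resource?
function grantsBroadS3Access(doc: PolicyDocument): boolean {
    return doc.Statement.some(s => {
        if (s.Effect !== 'Allow') return false;
        const actions = ([] as string[]).concat(s.Action);
        const resources = ([] as string[]).concat(s.Resource ?? []);
        const wildAction = actions.some(a => a === '*' || a === 's3:*');
        const wildResource = resources.some(r => r === '*' || r === 'arn:aws:s3:::*');
        return wildAction && wildResource;
    });
}

// Serialize for Pulumi, e.g.
// new aws.iam.RolePolicy('s3-scoped', { role: s3TransferRole.id, policy: policyJson(bucketScopedS3Policy('my-s3-bucket')) })
function policyJson(doc: PolicyDocument): string {
    return JSON.stringify(doc, null, 2);
}

// What the AWS managed AmazonS3FullAccess policy grants, reproduced here as a constructed sample.
const amazonS3FullAccessShape: PolicyDocument = {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['s3:*', 's3-object-lambda:*'], Resource: '*' }],
};

console.log(grantsBroadS3Access(amazonS3FullAccessShape));             // true
console.log(grantsBroadS3Access(bucketScopedS3Policy('my-s3-bucket'))); // false
console.log(policyJson(homeDirectorySessionPolicy()));
```

Attach `bucketScopedS3Policy` and `transferLoggingPolicy` to the role with `aws.iam.RolePolicy` in place of the managed-policy attachments, and pass `policyJson(homeDirectorySessionPolicy())` as the `policy` of each `aws.transfer.User`. The session policy only narrows what the role already allows, so it is not a substitute for scoping the role itself.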
To run this Pulumi program, replace `YOUR_SSH_PUBLIC_KEY` with the actual public key of the user who needs SFTP access. Also make sure the AWS CLI is installed and configured with the necessary credentials, and that the Pulumi CLI is installed. Running this program will provision the resources in your AWS account and output the S3 bucket name and the endpoint of the SFTP server, so you can connect with any standard SFTP client (the OpenSSH `sftp` command, FileZilla or WinSCP) as the Transfer user you created, using the private key that pairs with the public key you provided.
with the actual public key of the user who needs SFTP access. Also, make sure the AWS CLI is installed and configured with the necessary access credentials, and Pulumi CLI is installed.Running this program will provision the resources in your AWS account and output the S3 bucket name and the endpoint of the SFTP server, so you can connect using any standard SFTP client like FileZilla or WinSCP using the user's private key paired with the public key you provided.