How do I assign an IAM role for SFTP access in AWS?
In this guide, we will create an IAM role in AWS that an AWS Transfer Family SFTP server can assume to read and write an S3 bucket on behalf of client and developer users. We will define the IAM policy, create the role with a trust policy for transfer.amazonaws.com, attach the policy to the role, and additionally create IAM users for a client and a developer that receive the same policy directly. Note that SFTP clients never present IAM access keys: the Transfer Family server authenticates the user (SSH key or an identity provider) and then assumes this role for the S3 access.
import * as aws from "@pulumi/aws";

// Define the IAM policy for SFTP access.
// The first statement is the S3 data access the server needs on one bucket.
// The second statement grants Transfer Family user-management (control-plane)
// actions on every server in the account; scope or remove it in production.
const sftpPolicy = new aws.iam.Policy("sftpPolicy", {
    description: "Policy for SFTP access",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                Resource: [
                    "arn:aws:s3:::your-sftp-bucket",
                    "arn:aws:s3:::your-sftp-bucket/*"
                ]
            },
            {
                Effect: "Allow",
                Action: [
                    "transfer:ListServers",
                    "transfer:DescribeServer",
                    "transfer:ListUsers",
                    "transfer:DescribeUser",
                    "transfer:CreateUser",
                    "transfer:UpdateUser",
                    "transfer:DeleteUser"
                ],
                Resource: "*"
            }
        ]
    })
});

// Create the IAM role for SFTP access. The trust policy lets the Transfer
// Family service (transfer.amazonaws.com) assume the role when an SFTP user
// logs in; it is this role, not the IAM users below, that the server uses.
const sftpRole = new aws.iam.Role("sftpRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: "transfer.amazonaws.com",
    }),
    description: "IAM role for SFTP access"
});

// Attach the SFTP policy to the IAM role
const sftpRolePolicyAttachment = new aws.iam.RolePolicyAttachment("sftpRolePolicyAttachment", {
    role: sftpRole.name,
    policyArn: sftpPolicy.arn,
});

// Create IAM users for clients and developers
const clientUser = new aws.iam.User("clientUser", { name: "clientUser" });
const developerUser = new aws.iam.User("developerUser", { name: "developerUser" });

// Create long-lived access keys for the IAM users (for AWS API/CLI use only;
// SFTP clients do not authenticate with access keys)
const clientAccessKey = new aws.iam.AccessKey("clientAccessKey", { user: clientUser.name });
const developerAccessKey = new aws.iam.AccessKey("developerAccessKey", { user: developerUser.name });

// Attach the same SFTP policy directly to the users. An IAM role cannot be
// attached to a user; this gives the users the policy's permissions outright.
const clientRolePolicyAttachment = new aws.iam.UserPolicyAttachment("clientRolePolicyAttachment", {
    user: clientUser.name,
    policyArn: sftpPolicy.arn,
});
const developerRolePolicyAttachment = new aws.iam.UserPolicyAttachment("developerRolePolicyAttachment", {
    user: developerUser.name,
    policyArn: sftpPolicy.arn,
});

// Export the access key IDs and secret access keys for the users.
// The secrets are sensitive stack outputs; anyone who can read the stack's
// outputs can use them, so rotate or remove them if they are not needed.
export const clientAccessKeyId = clientAccessKey.id;
export const clientSecretAccessKey = clientAccessKey.secret;
export const developerAccessKeyId = developerAccessKey.id;
export const developerSecretAccessKey = developerAccessKey.secret;
Key Points
- An IAM policy grants s3:ListBucket, s3:GetObject and s3:PutObject on a single S3 bucket, plus Transfer Family user-management actions on Resource "*". The Transfer actions are control-plane administration that the SFTP data path does not need; in production keep them off the role the server assumes.
- An IAM role trusts transfer.amazonaws.com and has the policy attached. This is the role a Transfer Family server assumes when an SFTP user logs in. Add aws:SourceAccount and aws:SourceArn conditions to the trust policy so that only your own server can assume it; without them any Transfer Family server in any account is trusted (the confused-deputy problem).
- IAM users for a client and a developer are created and the same policy is attached to them directly. A role cannot be attached to a user; what the code does is grant the users the policy's permissions outright.
- Access keys for the users are created and exported. SFTP clients do not use IAM access keys; Transfer Family users authenticate with an SSH key or through an identity provider, and the server then assumes the role on their behalf. Treat the exported secret keys as sensitive.
Summary
We have created an IAM role, trusted by transfer.amazonaws.com, with a policy granting access to an S3 bucket and to AWS Transfer Family user management. A Transfer Family server assumes this role to read and write the bucket for authenticated SFTP users. We also created IAM users for a client and a developer, attached the same policy to them directly, and generated access keys for them for AWS API use; the SFTP login itself is handled by the Transfer Family server, not by these keys.
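The checks and the tighter documents described above, as an added example that is not part of the original page or of the Pulumi project: plain TypeScript with no @pulumi/aws dependency, so it runs stand-alone. It builds a trust policy scoped to one server, an S3-only permissions policy, and a per-user session policy using the Transfer Family `${transfer:...}` variables, and includes two checks to run before `pulumi up`. The account ID, server ARN and bucket name are placeholder assumptions; the resulting objects can be passed through JSON.stringify() to aws.iam.Role, aws.iam.Policy and aws.transfer.User exactly as the page does.

```typescript
// Added example (not from the original page): IAM documents for a Transfer
// Family SFTP role plus two pre-deploy checks. Names and ARNs are assumptions.

type Json = string | string[];
interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { Service?: Json; AWS?: Json };
  Action: Json;
  Resource?: Json;
  Condition?: Record<string, Record<string, Json>>;
}
export interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

const asList = (v: Json | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Trust policy for the role the server assumes. The Condition ties the trust
// to one server in one account; without it any Transfer Family server
// anywhere could assume the role (confused-deputy problem).
export function transferTrustPolicy(accountId: string, serverArn: string): PolicyDocument {
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow",
    Principal: { Service: "transfer.amazonaws.com" },
    Action: "sts:AssumeRole",
    Condition: {
      StringEquals: { "aws:SourceAccount": accountId },
      ArnLike: { "aws:SourceArn": serverArn },
    },
  }] };
}

// Permissions policy for that role: S3 on one bucket only. transfer:CreateUser
// and friends are control-plane actions and do not belong on this role.
export function sftpAccessPolicy(bucket: string): PolicyDocument {
  return { Version: "2012-10-17", Statement: [
    { Sid: "ListBucket", Effect: "Allow", Action: "s3:ListBucket",
      Resource: `arn:aws:s3:::${bucket}` },
    { Sid: "ObjectAccess", Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject"],
      Resource: `arn:aws:s3:::${bucket}/*` },
  ] };
}

// Session policy set on each Transfer Family user: narrows the role above to
// the user's own home folder. ${transfer:...} are substituted by the service
// at login; they are written in plain (non-template) strings on purpose so
// TypeScript does not interpolate them.
export function homeFolderSessionPolicy(): PolicyDocument {
  return { Version: "2012-10-17", Statement: [
    { Sid: "ListHomeFolder", Effect: "Allow", Action: "s3:ListBucket",
      Resource: "arn:aws:s3:::${transfer:HomeBucket}",
      Condition: { StringLike: { "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"] } } },
    { Sid: "HomeFolderObjects", Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
      Resource: "arn:aws:s3:::${transfer:HomeDirectory}/*" },
  ] };
}

// Check 1: every Allow for a service principal must carry both source conditions.
export function trustPolicyIsScoped(doc: PolicyDocument): boolean {
  return doc.Statement.every(s => {
    if (s.Effect !== "Allow" || !s.Principal?.Service) return true;
    const eq = s.Condition?.StringEquals ?? {};
    const like = s.Condition?.ArnLike ?? {};
    return "aws:SourceAccount" in eq && "aws:SourceArn" in like;
  });
}

// Check 2: list the actions any Allow statement grants on Resource "*".
export function wildcardResourceActions(doc: PolicyDocument): string[] {
  const actions: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect === "Allow" && asList(s.Resource).indexOf("*") >= 0) {
      actions.push(...asList(s.Action));
    }
  }
  return actions;
}
```

Run wildcardResourceActions() over the page's policy and it returns the seven transfer:* actions; over sftpAccessPolicy() it returns nothing. The session policy is what keeps one client from listing or reading another client's folder even though both sessions run under the same role.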