
How Do I Set Up an AWS IAM Role for SFTP With Client and Dev Accounts?

Introduction

This guide provides a step-by-step approach to setting up an AWS IAM role for SFTP access, specifically designed for client and development accounts. By following these instructions, you will create an IAM role with the necessary permissions and trust relationships, allowing specific users to perform SFTP operations on designated S3 buckets.

Key Steps

  1. Define the IAM Role: Create an IAM role that SFTP users can assume.
  2. Attach Policies: Add policies to the role to enable SFTP operations.
  3. Configure Trust Relationships: Specify which entities are allowed to assume this role.
  4. Create Users: Define users for client and development access.
  5. Attach the Role to Users: Link the IAM role to the users for access.

Pulumi Program

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Define a user for client access
const clientUser = new aws.iam.User("clientUser");

// Define a user for dev access
const devUser = new aws.iam.User("devUser");

// Define the IAM role. The trust policy lists the entities allowed to assume it:
// the AWS Transfer Family service plus the client and dev IAM users. The user
// ARNs are Pulumi outputs, so the document is built with pulumi.all().apply().
const sftpRole = new aws.iam.Role("sftpRole", {
    assumeRolePolicy: pulumi.all([clientUser.arn, devUser.arn]).apply(([clientArn, devArn]) =>
        JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Effect: "Allow",
                    Principal: { Service: "transfer.amazonaws.com" },
                    Action: "sts:AssumeRole"
                },
                {
                    Effect: "Allow",
                    Principal: { AWS: [clientArn, devArn] },
                    Action: "sts:AssumeRole"
                }
            ]
        })
    )
});

// Attach an inline policy to the IAM role granting the S3 actions SFTP needs,
// scoped to one bucket (replace the placeholder bucket name with your own)
const sftpPolicy = new aws.iam.RolePolicy("sftpPolicy", {
    role: sftpRole.id,
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                Resource: [
                    "arn:aws:s3:::your-sftp-bucket",
                    "arn:aws:s3:::your-sftp-bucket/*"
                ]
            }
        ]
    }
});

// Link the role to each user. A role ARN is not a managed-policy ARN, so it
// cannot be attached with UserPolicyAttachment; the correct link is an inline
// user policy that allows sts:AssumeRole on the role (the user must also be
// named in the role's trust policy, as done above).
const assumeSftpRolePolicy = sftpRole.arn.apply(arn => JSON.stringify({
    Version: "2012-10-17",
    Statement: [
        { Effect: "Allow", Action: "sts:AssumeRole", Resource: arn }
    ]
}));

// Allow the client user to assume the role
const clientUserRolePolicy = new aws.iam.UserPolicy("clientUserRolePolicy", {
    user: clientUser.name,
    policy: assumeSftpRolePolicy
});

// Allow the dev user to assume the role
const devUserRolePolicy = new aws.iam.UserPolicy("devUserRolePolicy", {
    user: devUser.name,
    policy: assumeSftpRolePolicy
});

// Export the role ARN
export const sftpRoleArn = sftpRole.arn;
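As an added example, not part of the Pulumi program above, the following plain TypeScript helper shows how the RolePolicy statement can be narrowed from whole-bucket access to one home prefix per user, which is what keeps a client account and a dev account from reading each other's files. The function name and the bucket and prefix values are assumptions for illustration; the returned object has the same shape as the policy document passed to aws.iam.RolePolicy.

```typescript
// Least-privilege S3 policy for one SFTP principal, confined to a home prefix.
// Plain TypeScript with no Pulumi dependency (example helper, not an AWS or
// Pulumi API); pass the result as `policy` or serialise it with JSON.stringify.

type Statement = {
  Sid: string;
  Effect: "Allow";
  Action: string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string[]>>;
};

export interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

export function buildScopedSftpPolicy(bucket: string, homePrefix: string, readOnly = false): PolicyDocument {
  // Refuse inputs that would silently widen the grant (bad bucket, wildcard prefix).
  if (!/^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/.test(bucket)) {
    throw new Error(`invalid bucket name: ${bucket}`);
  }
  const prefix = homePrefix.replace(/^\/+|\/+$/g, "");
  if (prefix === "" || prefix.includes("*") || prefix.includes("..")) {
    throw new Error(`home prefix must be a concrete path without wildcards: ${homePrefix}`);
  }
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const objectActions = readOnly ? ["s3:GetObject"] : ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"];
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "ListHomeOnly",
        Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: bucketArn,
        // ListBucket is bucket-level, so the prefix condition is what confines listing.
        Condition: { StringLike: { "s3:prefix": [`${prefix}/*`, prefix] } },
      },
      {
        Sid: "ObjectsInHomeOnly",
        Effect: "Allow",
        Action: objectActions,
        Resource: `${bucketArn}/${prefix}/*`,
      },
    ],
  };
}
```

Generate one document per account (for example `clients/acme` for the client user and `dev` with `readOnly` as appropriate) and attach each to its own role rather than sharing a single whole-bucket role.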

Summary

In this guide, we set up an IAM role with the policies needed for SFTP operations, configured its trust relationships, and linked the role to both the client and development users. The result is that these users hold only the permissions required to perform SFTP operations on the specified S3 bucket, which limits the damage a compromised or misused credential can do.
