How do I set up an AWS IAM role for SFTP with client and dev accounts?
In this guide, we will set up an AWS IAM role that grants SFTP access for client and dev accounts. The role carries the S3 permissions required for SFTP file operations, and its trust policy controls who may assume it. We will define the IAM role, attach the necessary policies, and configure the trust relationships.
Key Points:
- IAM Role: We define an IAM role that can be assumed by SFTP users.
- Policies: Attach necessary policies to the role for SFTP operations.
- Trust Relationships: Define which entities can assume this role.
Pulumi Program
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// IAM users for the two kinds of account. They are declared first because the
// role's trust policy below refers to their ARNs.
const clientUser = new aws.iam.User("clientUser");
const devUser = new aws.iam.User("devUser");

// Define the IAM role. The trust policy lets the Transfer Family service assume
// it for SFTP sessions, and also lets the client and dev IAM users assume it.
const sftpRole = new aws.iam.Role("sftpRole", {
    assumeRolePolicy: {
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: { Service: "transfer.amazonaws.com" },
                Action: "sts:AssumeRole",
            },
            {
                Effect: "Allow",
                Principal: { AWS: [clientUser.arn, devUser.arn] },
                Action: "sts:AssumeRole",
            },
        ],
    },
});

// Inline policy with the S3 permissions needed for SFTP file operations.
// Replace "your-sftp-bucket" with the real bucket name.
const sftpPolicy = new aws.iam.RolePolicy("sftpPolicy", {
    role: sftpRole.id,
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                Resource: ["arn:aws:s3:::your-sftp-bucket", "arn:aws:s3:::your-sftp-bucket/*"],
            },
        ],
    },
});

// A role ARN is not a policy ARN, so a role cannot be attached to a user directly.
// Create a managed policy that allows assuming the role and attach that instead.
const assumeSftpRolePolicy = new aws.iam.Policy("assumeSftpRolePolicy", {
    policy: {
        Version: "2012-10-17",
        Statement: [
            { Effect: "Allow", Action: "sts:AssumeRole", Resource: sftpRole.arn },
        ],
    },
});

// Allow the client user to assume the SFTP role
const clientUserRoleAttachment = new aws.iam.UserPolicyAttachment("clientUserRoleAttachment", {
    user: clientUser.name,
    policyArn: assumeSftpRolePolicy.arn,
});

// Allow the dev user to assume the SFTP role
const devUserRoleAttachment = new aws.iam.UserPolicyAttachment("devUserRoleAttachment", {
    user: devUser.name,
    policyArn: assumeSftpRolePolicy.arn,
});

// Export the role ARN
export const sftpRoleArn = sftpRole.arn;
Summary
In this guide, we created an IAM role with an inline policy that allows SFTP file operations on an S3 bucket. We defined its trust relationships, so that both the Transfer Family service and the client and dev IAM users can assume it, and gave those users a managed policy permitting sts:AssumeRole on the role. This setup ensures that the specified users have the permissions needed to perform SFTP operations on the designated S3 bucket.
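The role policy above grants both accounts read, write and delete on the whole bucket, so a client user could reach dev files and vice versa. The following added example, which is not part of the original page or Pulumi's own code, builds a tighter per-account policy document in plain TypeScript: each user is confined to its own prefix, and ListBucket is limited with an s3:prefix condition. The bucket name and the "client"/"dev" prefix layout are constructed assumptions. A second function flags any statement that still grants access to every object in a bucket, which is a useful check to run over generated documents before they are passed to aws.iam.RolePolicy.

```typescript
// Added example (not from the original page): least-privilege S3 policy
// documents for SFTP accounts that share one bucket but must not see each
// other's files. The bucket and prefix names below are constructed assumptions.

type Statement = {
    Sid: string;
    Effect: "Allow" | "Deny";
    Action: string[];
    Resource: string | string[];
    Condition?: Record<string, Record<string, string[]>>;
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Build a policy that confines one account to `<bucket>/<prefix>/`.
function scopedSftpPolicy(bucket: string, prefix: string): PolicyDocument {
    // Normalise "client", "/client/", "client/" to a bare path segment.
    const home = prefix.replace(/^\/+|\/+$/g, "");
    if (home === "" || home.includes("*") || home.includes("?")) {
        throw new Error("prefix must be a non-empty literal path segment");
    }
    const bucketArn = `arn:aws:s3:::${bucket}`;
    return {
        Version: "2012-10-17",
        Statement: [
            {
                // Listing is allowed only for keys under the account's home prefix.
                Sid: "ListHomeOnly",
                Effect: "Allow",
                Action: ["s3:ListBucket"],
                Resource: bucketArn,
                Condition: { StringLike: { "s3:prefix": [`${home}/*`, home] } },
            },
            {
                // Object operations are allowed only on keys under the home prefix.
                Sid: "ObjectsInHome",
                Effect: "Allow",
                Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                Resource: `${bucketArn}/${home}/*`,
            },
        ],
    };
}

// True if any Allow statement covers every object in a bucket ("<bucket>/*")
// or uses a bare "*" resource; both defeat per-account separation.
function grantsWholeBucket(doc: PolicyDocument): boolean {
    return doc.Statement.some((s) => {
        if (s.Effect !== "Allow") {
            return false;
        }
        const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
        return resources.some((r) => r === "*" || /^arn:aws:s3:::[^/]+\/\*$/.test(r));
    });
}

// Usage: generate one document per account and print the client one.
const clientPolicy = scopedSftpPolicy("your-sftp-bucket", "client");
const devPolicy = scopedSftpPolicy("your-sftp-bucket", "dev");
console.log(JSON.stringify(clientPolicy, null, 2));
console.log("dev policy grants whole bucket:", grantsWholeBucket(devPolicy));
```

Each generated document can be handed to a separate aws.iam.RolePolicy (one role per account) with `policy: JSON.stringify(doc)`, or to a Transfer Family session policy, where AWS also offers variables such as `${transfer:HomeFolder}` so a single policy can be reused across users.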