permission denied on AWS Transfer on SFTP server

2

0

I can log into my server with Cyberduck or FileZilla but cannot read my home directory. The S3 bucket "mybucket" exists. In Cyberduck I see

"Cannot readdir on root. Please contact your web hosting service provider for assistance." and in Filezilla "Error: Reading directory .: permission denied"

even though I can connect to the server.

Am I missing some user permission in the policies below?

These are my permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::MYBUCKET"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::MYBUCKET/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "transfer:*",
            "Resource": "*"
        }
    ]
}

These are my trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

user11020868

Posted 2019-03-25T06:02:45.513

Reputation: 29

Do you use AWS SFTP? You haven't mentioned it in the question – Jude Niroshan – 2019-03-25T14:15:13.590

Yes, I am using AWS SFTP. – user11020868 – 2019-03-26T02:51:17.373

Answers

8

User Role should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}

Trust relationship of User:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The home directory for your user should be /BUCKET_NAME.

Algeriassic

Posted 2019-03-25T06:02:45.513

Reputation: 723

This should be the accepted answer! – Jude Niroshan – 2019-03-26T17:03:22.053

Thanks, this resolves my issue. – user11020868 – 2019-03-28T01:15:11.237

This answer just saved me a lot of heartache. I was setting up SFTP and my default role/policy had a trust relationship with s3.amazonaws.com. Connecting would give me an error stating "Unable to AssumeRole". The real problem was that I needed a trust relationship with transfer.amazonaws.com instead of s3.amazonaws.com. – Warren Krewenki – 2019-04-17T15:27:10.420

Please mark it as the accepted answer. – Algeriassic – 2019-04-18T15:20:40.093

I want to allow the user only to put objects, i.e. remove "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion". But with that I cannot list objects in the home directory. Any solution to resolve this would be greatly appreciated. – user1393608 – 2019-11-06T06:12:40.407
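As an added example (not code from the thread), a small Python check of an SFTP user's role against the shape Algeriassic's answer describes: the trust policy must name transfer.amazonaws.com (the cause of the "Unable to AssumeRole" in Warren Krewenki's comment), the bucket ARN needs the listing actions, and the object ARN needs the object actions; it also flags the question's transfer:* on Resource "*", which the answer's policy drops. Function and constant names are mine, and ASKER_POLICY is reconstructed from the question.

```python
# Added example (not from the thread): audit an SFTP role against the accepted answer's shape.
TRANSFER_SERVICE = "transfer.amazonaws.com"
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_actions(policy, resource):
    """Actions explicitly allowed on one ARN (exact match, no wildcard expansion)."""
    allowed = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and resource in _as_list(st["Resource"]):
            allowed.update(_as_list(st["Action"]))
    return allowed

def trusts_transfer(trust_policy):
    """True if transfer.amazonaws.com may call sts:AssumeRole on the role."""
    for st in trust_policy["Statement"]:
        if (st.get("Effect") == "Allow" and isinstance(p := st.get("Principal"), dict)
                and TRANSFER_SERVICE in _as_list(p.get("Service", []))
                and "sts:AssumeRole" in _as_list(st["Action"])):
            return True
    return False

def audit_role(bucket, policy, trust_policy):
    """Findings for the role; an empty list means it matches the answer's shape."""
    findings = []
    if not trusts_transfer(trust_policy):  # Warren's "Unable to AssumeRole" case
        findings.append("trust: transfer.amazonaws.com cannot assume the role")
    for scope, arn, needed in (("bucket", f"arn:aws:s3:::{bucket}", BUCKET_ACTIONS),
                               ("objects", f"arn:aws:s3:::{bucket}/*", OBJECT_ACTIONS)):
        missing = needed - allowed_actions(policy, arn)
        if missing:
            findings.append(f"{scope}: missing {sorted(missing)}")
    for st in policy["Statement"]:  # grants on "*" (asker's transfer:*) exceed the role's need
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"over-broad: {st.get('Sid')} allows {st['Action']} on '*'")
    return findings

def trust_for(service):  # one-statement trust policy naming a single service principal
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": service}}]}

ASKER_POLICY = {"Statement": [  # constructed from the question's policy
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "arn:aws:s3:::MYBUCKET",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "arn:aws:s3:::MYBUCKET/*",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]},
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "transfer:*", "Resource": "*"}]}
```

Running `audit_role("MYBUCKET", ASKER_POLICY, trust_for("s3.amazonaws.com"))` reports both the trust problem and the over-broad transfer:* statement; the answer's two-statement policy with the transfer.amazonaws.com trust yields no findings.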