AWS Transfer for SFTP

2019/10/28 - AWS Transfer for SFTP - 4 updated api methods

Changes  This release adds logical directories support to your AWS SFTP server endpoint, so you can now create logical directory structures mapped to Amazon Simple Storage Service (Amazon S3) bucket paths for users created and stored within the service. Amazon S3 bucket names and paths can now be hidden from AWS SFTP users, providing an additional level of privacy to meet security requirements. You can lock down your SFTP users' access to designated folders (commonly referred to as 'chroot'), and simplify complex folder structures for data distribution through SFTP without replicating files across multiple users.

CreateUser (updated) Link ¶
Changes (request)
{'HomeDirectoryMappings': [{'Entry': 'string', 'Target': 'string'}],
 'HomeDirectoryType': 'PATH | LOGICAL'}

Creates a user and associates them with an existing Secure File Transfer Protocol (SFTP) server. You can only create and associate users with SFTP servers that have the IdentityProviderType set to SERVICE_MANAGED . Using parameters for CreateUser , you can specify the user name, set the home directory, store the user's public key, and assign the user's AWS Identity and Access Management (IAM) role. You can also optionally add a scope-down policy, and assign metadata with tags that can be used to group and search for users.

See also: AWS API Documentation

Request Syntax

client.create_user(
    HomeDirectory='string',
    HomeDirectoryType='PATH'|'LOGICAL',
    HomeDirectoryMappings=[
        {
            'Entry': 'string',
            'Target': 'string'
        },
    ],
    Policy='string',
    Role='string',
    ServerId='string',
    SshPublicKeyBody='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    UserName='string'
)
type HomeDirectory

string

param HomeDirectory

The landing directory (folder) for a user when they log in to the server using their SFTP client.

An example is <your-Amazon-S3-bucket-name>/home/username .

type HomeDirectoryType

string

param HomeDirectoryType

The type of landing directory (folder) you want your users' home directory to be when they log into the SFTP server. If you set it to PATH , the user will see the absolute Amazon S3 bucket paths as is in their SFTP clients. If you set it LOGICAL , you will need to provide mappings in the HomeDirectoryMappings for how you want to make S3 paths visible to your user.

type HomeDirectoryMappings

list

param HomeDirectoryMappings

Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry " and "Target " pair, where Entry shows how the path is made visible and Target is the actual S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your AWS IAM Role provides access to paths in Target . The following is an example.

'[ "/bucket2/documentation", { "Entry": "your-personal-report.pdf", "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf" } ]'

In most cases, you can use this value instead of the scope down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

  • (dict) --

    Represents an object that contains entries and a targets for HomeDirectoryMappings .

    • Entry (string) -- [REQUIRED]

      Represents an entry and a target for HomeDirectoryMappings .

    • Target (string) -- [REQUIRED]

      Represents the map target that is used in a HomeDirectorymapEntry .

type Policy

string

param Policy

A scope-down policy for your user so you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName} , ${Transfer:HomeDirectory} , and ${Transfer:HomeBucket} .

Note

For scope-down policies, AWS Transfer for SFTP stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a scope-down policy, see "https://docs.aws.amazon.com/transfer/latest/userguide/users.html#users-policies-scope-down">Creating a Scope-Down Policy.

For more information, see "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" in the AWS Security Token Service API Reference .

type Role

string

param Role

[REQUIRED]

The IAM role that controls your user's access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the SFTP server to access your resources when servicing your SFTP user's transfer requests.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for an SFTP server instance. This is the specific SFTP server that you added your user to.

type SshPublicKeyBody

string

param SshPublicKeyBody

The public portion of the Secure Shell (SSH) key used to authenticate the user to the SFTP server.

type Tags

list

param Tags

Key-value pairs that can be used to group and search for users. Tags are metadata attached to users for any purpose.

  • (dict) --

    Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

    • Key (string) -- [REQUIRED]

      The name assigned to the tag that you create.

    • Value (string) -- [REQUIRED]

      This property contains one or more values that you assigned to the key name you create.

type UserName

string

param UserName

[REQUIRED]

A unique string that identifies a user and is associated with a server as specified by the ServerId . This user name must be a minimum of 3 and a maximum of 32 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore, and hyphen. The user name can't start with a hyphen.

rtype

dict

returns

Response Syntax

{
    'ServerId': 'string',
    'UserName': 'string'
}

Response Structure

  • (dict) --

    • ServerId (string) --

      The ID of the SFTP server that the user is attached to.

    • UserName (string) --

      A unique string that identifies a user account associated with an SFTP server.

DescribeUser (updated) Link ¶
Changes (response)
{'User': {'HomeDirectoryMappings': [{'Entry': 'string', 'Target': 'string'}],
          'HomeDirectoryType': 'PATH | LOGICAL'}}

Describes the user assigned to a specific server, as identified by its ServerId property.

The response from this call returns the properties of the user associated with the ServerId value that was specified.

See also: AWS API Documentation

Request Syntax

client.describe_user(
    ServerId='string',
    UserName='string'
)
type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for an SFTP server that has this user assigned.

type UserName

string

param UserName

[REQUIRED]

The name of the user assigned to one or more servers. User names are part of the sign-in credentials to use the AWS Transfer for SFTP service and perform file transfer tasks.

rtype

dict

returns

Response Syntax

{
    'ServerId': 'string',
    'User': {
        'Arn': 'string',
        'HomeDirectory': 'string',
        'HomeDirectoryMappings': [
            {
                'Entry': 'string',
                'Target': 'string'
            },
        ],
        'HomeDirectoryType': 'PATH'|'LOGICAL',
        'Policy': 'string',
        'Role': 'string',
        'SshPublicKeys': [
            {
                'DateImported': datetime(2015, 1, 1),
                'SshPublicKeyBody': 'string',
                'SshPublicKeyId': 'string'
            },
        ],
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'UserName': 'string'
    }
}

Response Structure

  • (dict) --

    • ServerId (string) --

      A system-assigned unique identifier for an SFTP server that has this user assigned.

    • User (dict) --

      An array containing the properties of the user account for the ServerID value that you specified.

      • Arn (string) --

        This property contains the unique Amazon Resource Name (ARN) for the user that was requested to be described.

      • HomeDirectory (string) --

        This property specifies the landing directory (or folder), which is the location that files are written to or read from in an Amazon S3 bucket for the described user. An example is ``/your s3 bucket name /home/username `` .

      • HomeDirectoryMappings (list) --

        Logical directory mappings that you specified for what S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry " and "Target " pair, where Entry shows how the path is made visible and Target is the actual S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your AWS IAM Role provides access to paths in Target .

        In most cases, you can use this value instead of the scope down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

        In most cases, you can use this value instead of the scope down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

        • (dict) --

          Represents an object that contains entries and a targets for HomeDirectoryMappings .

          • Entry (string) --

            Represents an entry and a target for HomeDirectoryMappings .

          • Target (string) --

            Represents the map target that is used in a HomeDirectorymapEntry .

      • HomeDirectoryType (string) --

        The type of landing directory (folder) you mapped for your users' to see when they log into the SFTP server. If you set it to PATH , the user will see the absolute Amazon S3 bucket paths as is in their SFTP clients. If you set it LOGICAL , you will need to provide mappings in the HomeDirectoryMappings for how you want to make S3 paths visible to your user.

      • Policy (string) --

        Specifies the name of the policy in use for the described user.

      • Role (string) --

        This property specifies the IAM role that controls your user's access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the SFTP server to access your resources when servicing your SFTP user's transfer requests.

      • SshPublicKeys (list) --

        This property contains the public key portion of the Secure Shell (SSH) keys stored for the described user.

        • (dict) --

          Provides information about the public Secure Shell (SSH) key that is associated with a user account for a specific server (as identified by ServerId ). The information returned includes the date the key was imported, the public key contents, and the public key ID. A user can store more than one SSH public key associated with their user name on a specific SFTP server.

          • DateImported (datetime) --

            The date that the public key was added to the user account.

          • SshPublicKeyBody (string) --

            The content of the SSH public key as specified by the PublicKeyId .

          • SshPublicKeyId (string) --

            The SshPublicKeyId parameter contains the identifier of the public key.

      • Tags (list) --

        This property contains the key-value pairs for the user requested. Tag can be used to search for and group users for a variety of purposes.

        • (dict) --

          Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

          • Key (string) --

            The name assigned to the tag that you create.

          • Value (string) --

            This property contains one or more values that you assigned to the key name you create.

      • UserName (string) --

        This property is the name of the user that was requested to be described. User names are used for authentication purposes. This is the string that will be used by your user when they log in to your SFTP server.

ListUsers (updated) Link ¶
Changes (response)
{'Users': {'HomeDirectoryType': 'PATH | LOGICAL'}}

Lists the users for the server that you specify by passing the ServerId parameter.

See also: AWS API Documentation

Request Syntax

client.list_users(
    MaxResults=123,
    NextToken='string',
    ServerId='string'
)
type MaxResults

integer

param MaxResults

Specifies the number of users to return as a response to the ListUsers request.

type NextToken

string

param NextToken

When you can get additional results from the ListUsers call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional users.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for a Secure File Transfer Protocol (SFTP) server that has users assigned to it.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'ServerId': 'string',
    'Users': [
        {
            'Arn': 'string',
            'HomeDirectory': 'string',
            'HomeDirectoryType': 'PATH'|'LOGICAL',
            'Role': 'string',
            'SshPublicKeyCount': 123,
            'UserName': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextToken (string) --

      When you can get additional results from the ListUsers call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional users.

    • ServerId (string) --

      A system-assigned unique identifier for an SFTP server that the users are assigned to.

    • Users (list) --

      Returns the user accounts and their properties for the ServerId value that you specify.

      • (dict) --

        Returns properties of the user that you specify.

        • Arn (string) --

          This property is the unique Amazon Resource Name (ARN) for the user that you want to learn about.

        • HomeDirectory (string) --

          This value specifies the location that files are written to or read from an Amazon S3 bucket for the user you specify by their ARN.

        • HomeDirectoryType (string) --

          The type of landing directory (folder) you mapped for your users' home directory. If you set it to PATH , the user will see the absolute Amazon S3 bucket paths as is in their SFTP clients. If you set it LOGICAL , you will need to provide mappings in the HomeDirectoryMappings for how you want to make S3 paths visible to your user.

        • Role (string) --

          The role in use by this user. A role is an AWS Identity and Access Management (IAM) entity that, in this case, allows the SFTP server to act on a user's behalf. It allows the server to inherit the trust relationship that enables that user to perform file operations to their Amazon S3 bucket.

        • SshPublicKeyCount (integer) --

          This value is the number of SSH public keys stored for the user you specified.

        • UserName (string) --

          The name of the user whose ARN was specified. User names are used for authentication purposes.

UpdateUser (updated) Link ¶
Changes (request)
{'HomeDirectoryMappings': [{'Entry': 'string', 'Target': 'string'}],
 'HomeDirectoryType': 'PATH | LOGICAL'}

Assigns new properties to a user. Parameters you pass modify any or all of the following: the home directory, role, and policy for the UserName and ServerId you specify.

The response returns the ServerId and the UserName for the updated user.

See also: AWS API Documentation

Request Syntax

client.update_user(
    HomeDirectory='string',
    HomeDirectoryType='PATH'|'LOGICAL',
    HomeDirectoryMappings=[
        {
            'Entry': 'string',
            'Target': 'string'
        },
    ],
    Policy='string',
    Role='string',
    ServerId='string',
    UserName='string'
)
type HomeDirectory

string

param HomeDirectory

A parameter that specifies the landing directory (folder) for a user when they log in to the server using their client.

An example is <your-Amazon-S3-bucket-name>/home/username .

type HomeDirectoryType

string

param HomeDirectoryType

The type of landing directory (folder) you want your users' home directory to be when they log into the SFTP serve. If you set it to PATH , the user will see the absolute Amazon S3 bucket paths as is in their SFTP clients. If you set it LOGICAL , you will need to provide mappings in the HomeDirectoryMappings for how you want to make S3 paths visible to your user.

type HomeDirectoryMappings

list

param HomeDirectoryMappings

Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry " and "Target " pair, where Entry shows how the path is made visible and Target is the actual S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your AWS IAM Role provides access to paths in Target . The following is an example.

'[ "/bucket2/documentation", { "Entry": "your-personal-report.pdf", "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf" } ]'

In most cases, you can use this value instead of the scope down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

  • (dict) --

    Represents an object that contains entries and a targets for HomeDirectoryMappings .

    • Entry (string) -- [REQUIRED]

      Represents an entry and a target for HomeDirectoryMappings .

    • Target (string) -- [REQUIRED]

      Represents the map target that is used in a HomeDirectorymapEntry .

type Policy

string

param Policy

Allows you to supply a scope-down policy for your user so you can use the same AWS Identity and Access Management (IAM) role across multiple users. The policy scopes down user access to portions of your Amazon S3 bucket. Variables you can use inside this policy include ${Transfer:UserName} , ${Transfer:HomeDirectory} , and ${Transfer:HomeBucket} .

Note

For scope-down policies, AWS Transfer for SFTP stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a scope-down policy, see "https://docs.aws.amazon.com/transfer/latest/userguide/users.html#users-policies-scope-down">Creating a Scope-Down Policy.

For more information, see "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" in the AWS Security Token Service API Reference .

type Role

string

param Role

The IAM role that controls your user's access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the Secure File Transfer Protocol (SFTP) server to access your resources when servicing your SFTP user's transfer requests.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for an SFTP server instance that the user account is assigned to.

type UserName

string

param UserName

[REQUIRED]

A unique string that identifies a user and is associated with a server as specified by the ServerId . This is the string that will be used by your user when they log in to your SFTP server. This user name is a minimum of 3 and a maximum of 32 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore, and hyphen. The user name can't start with a hyphen.

rtype

dict

returns

Response Syntax

{
    'ServerId': 'string',
    'UserName': 'string'
}

Response Structure

  • (dict) --

    UpdateUserResponse returns the user name and server identifier for the request to update a user's properties.

    • ServerId (string) --

      A system-assigned unique identifier for an SFTP server instance that the user account is assigned to.

    • UserName (string) --

      The unique identifier for a user that is assigned to the SFTP server instance that was specified in the request.