Step 1:
On the client machine, create an SSH key first: log in to the machine and run the command: ssh-keygen
Locate the public key; it is needed later when adding the user.
Step 2:
Go to the AWS Console, IAM, and create a Role
The trust policy JSON is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Then click Next; skip Add Permission for now and click Next again
Give the role a name, then Create role
Go back to Roles, select the role you just created, Add permissions --> Create inline policy
The policy JSON is as follows (replace your-s3-bucket-name and your-folder-in-bucket with your own values):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::your-s3-bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": "your-folder-in-bucket/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::your-s3-bucket-name/your-folder-in-bucket/*",
      "Condition": {}
    }
  ]
}
Give the policy a name, then Create policy
Step 3: create the IAM policy
Give it a name, then Create policy
Step 4: go to the Transfer Family console, click the server, then find Add user
Fill in the information as required
If you get a Permission denied error, check the following 2 points
1. Restricted must be ticked
2. Check that the S3 path in the IAM policy is correct
About adding the public key: a key generated with PuTTYgen looks like this by default
When adding it, it must be changed to the following form: prefix it with ssh-rsa and a space, and put everything on one line with no line breaks; otherwise a format error is reported.
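The conversion described above is mechanical, so it can be scripted instead of hand-edited. The following is an added example, not code from the original post: it takes a public key in the RFC 4716 ("SSH2") layout that PuTTYgen exports (BEGIN/END markers, a Comment header, base64 body wrapped over several lines), joins the body onto one line, reads the key type from the first field inside the decoded blob instead of assuming ssh-rsa, and emits the single-line OpenSSH form that Transfer Family accepts. The sample key built by build_sample_rfc4716 is constructed from a made-up modulus purely so the blob is structurally valid; it is not a real key.

```python
import base64
import struct

# Key types Transfer Family accepts for SSH public keys (RSA, ECDSA, ED25519).
ACCEPTED_KEY_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def build_sample_rfc4716(comment: str = "rsa-key-20240411") -> str:
    """Constructed sample of what PuTTYgen shows by default. NOT a real key."""
    e = b"\x01\x00\x01"                 # public exponent 65537
    n = b"\x00" + b"\xab" * 64          # made-up 512-bit modulus, leading 0 keeps it positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    body = base64.b64encode(blob).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f'{BEGIN_MARKER}\nComment: "{comment}"\n{wrapped}\n{END_MARKER}\n'


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public key to the one-line '<type> <base64> [comment]' form."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0].strip() != BEGIN_MARKER:
        raise ValueError("missing BEGIN SSH2 PUBLIC KEY marker")
    if lines[-1].strip() != END_MARKER:
        raise ValueError("missing END SSH2 PUBLIC KEY marker")

    comment = ""
    body_parts = []
    i = 1
    last = len(lines) - 1
    while i < last:
        line = lines[i]
        if ":" in line:
            # Header line "Name: value"; a trailing backslash continues on the next line.
            name, _, value = line.partition(":")
            value = value.strip()
            while value.endswith("\\") and i + 1 < last:
                i += 1
                value = value[:-1] + lines[i].strip()
            if name.strip().lower() == "comment":
                comment = value.strip('"')
        else:
            body_parts.append(line.strip())   # base64 never contains ':'
        i += 1

    b64 = "".join(body_parts)
    blob = base64.b64decode(b64, validate=True)   # rejects stray characters
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + type_len].decode("ascii", errors="strict")
    if key_type not in ACCEPTED_KEY_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")

    one_line = f"{key_type} {b64}"
    if comment:
        one_line += f" {comment}"
    return one_line


if __name__ == "__main__":
    print(rfc4716_to_openssh(build_sample_rfc4716()))
```

Paste the printed line into the SSH public key field of Add user exactly as it is; the type prefix comes from the blob itself, so an ED25519 or ECDSA key exported by PuTTYgen gets the right prefix rather than a hard-coded ssh-rsa.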
2024-4-11: ran into a case where the S3 bucket is encrypted with a customer-managed KMS key; in that case the role policy also needs KMS access added
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DownloadandUpload",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-bucket-name/*"
    },
    {
      "Sid": "ListBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    },
    {
      "Sid": "KMSAccess",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:kms-key-arn"
    }
  ]
}