SFTP Gateway AWS Cross account S3 access
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
An organization may have separate AWS accounts. For example, you might separate Dev and Prod environments. Or, you could have different departments.
Let's say there are two AWS accounts:
- Dev: you deploy SFTP Gateway to this environment
- Prod: developers don't have access, but they need to deploy files to an S3 bucket in Prod
First step is to get the EC2 IAM role ARN.
In CloudFormation, go to the Resources tab, and click the link next to OpenSFTPGWRole (or RestrictedSFTPGWRole, depending on which one you picked). Copy the Role ARN of the EC2 IAM role, which in my case was:
arn:aws:iam::<dev-account>:role/rob-dev-OpenSFTPGWRole-PFHJN29ABTXS
Note: be careful not to copy the Instance Profile ARN
Second step is to create the Prod S3 bucket.
Create an S3 bucket -- in my case, I called it:
rob-sftpgw-prod-bucket
Third step is to configure the Prod S3 bucket.
- Open the bucket details in the S3 console
- Click on the Permissions tab
- Turn off the Block public access setting (you may need to refresh the page afterwards)
- Click on Bucket Policy
- Paste in the JSON syntax below (replacing the ARNs and S3 Bucket names with your own)
- Click Save
{
  "Version": "2012-10-17",
  "Id": "CrossAccountAccess",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Dev account>:role/rob-dev-OpenSFTPGWRole-PFHJN29ABTXS"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::rob-sftpgw-prod-bucket"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Dev account>:role/rob-dev-OpenSFTPGWRole-PFHJN29ABTXS"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::rob-sftpgw-prod-bucket/*"
    }
  ]
}
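The following Python is an added example, not code from the SFTP Gateway project or its documentation. It builds the same two-statement policy from a role ARN and a bucket name, and checks the result before you paste it: bucket-level actions (ListBucket, GetBucketLocation) must target the bucket ARN, object-level actions must target bucket/*, the "<Dev account>" placeholder must actually have been replaced, and no statement may use a "*" principal. A policy whose principals are all specific role ARNs is not a public policy in S3's sense, so that last check should never fire for the policy shown here. The ARN and bucket name are taken from the page; the account id 111122223333 used when running it is a constructed placeholder.

```python
import json

# Added example (not from the SFTP Gateway docs). The ARN keeps the page's
# "<Dev account>" placeholder on purpose so check_policy() flags it until replaced.
DEV_ROLE_ARN = "arn:aws:iam::<Dev account>:role/rob-dev-OpenSFTPGWRole-PFHJN29ABTXS"
PROD_BUCKET = "rob-sftpgw-prod-bucket"

# Bucket-level actions must target the bucket ARN; object-level actions target bucket/*.
BUCKET_ACTIONS = ("s3:ListBucket", "s3:GetBucketLocation")
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def build_cross_account_policy(role_arn, bucket):
    """Return the cross-account bucket policy (as a dict) granting one EC2 IAM role access."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Id": "CrossAccountAccess",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": list(BUCKET_ACTIONS),
                "Resource": bucket_arn,
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": list(OBJECT_ACTIONS),
                "Resource": bucket_arn + "/*",
            },
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy, bucket):
    """Return a list of problems; an empty list means the policy has the intended shape."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = _as_list(principal or [])
        if "*" in aws_principals:
            problems.append("statement grants access to everyone (public principal)")
            continue
        for arn in aws_principals:
            if "<" in arn or ">" in arn:
                problems.append(f"placeholder account id not replaced in principal {arn}")
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                in_bucket = resource == bucket_arn or resource.startswith(bucket_arn + "/")
                if not in_bucket:
                    problems.append(f"{action}: resource {resource} is outside bucket {bucket}")
                elif action in BUCKET_ACTIONS and resource != bucket_arn:
                    problems.append(f"{action} must target the bucket ARN, got {resource}")
                elif action in OBJECT_ACTIONS and resource != bucket_arn + "/*":
                    problems.append(f"{action} must target {bucket_arn}/*, got {resource}")
    return problems


def render_policy(policy):
    """Pretty-printed JSON, ready to paste into the S3 console's Bucket Policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_cross_account_policy(DEV_ROLE_ARN, PROD_BUCKET)
    print(render_policy(policy))
    for problem in check_policy(policy, PROD_BUCKET):
        print("WARNING:", problem)
```

Run as-is it prints the policy and one warning (the placeholder account id); pass your real role ARN to build_cross_account_policy() and the warning goes away.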
This policy allows ListBucket on the bucket itself. It also allows read/write access to the objects within the bucket.
The Principal is set to the EC2 IAM role within the Dev AWS account.
Fourth step is to configure the SFTP user.
Using the web admin UI, provision an SFTP user (e.g. robtest). Make sure to set the Upload Destination S3 Bucket Name to the Prod S3 bucket.
SSH into the EC2 instance, and sudo su to root. Edit the config file for the user:
vi /home/robtest/.sftpgateway/user.properties
And append the following line:
acl.option=7
Option 7 represents a canned ACL called bucket-owner-full-control. This allows the Prod AWS account to see the S3 object.
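As an added example (not part of SFTP Gateway), the script below makes the user.properties edit from this step repeatable: it sets acl.option=7 exactly once, replacing any existing acl.option line rather than appending a duplicate, and reports which canned ACL the file now selects. The only option-to-ACL mapping it knows is the one this page states (7 = bucket-owner-full-control); the properties file path is the one from the page, and the sample file contents used when testing are constructed.

```python
import sys

# Added example (not part of SFTP Gateway). Only the mapping the page documents is included:
# acl.option=7 selects the canned ACL bucket-owner-full-control.
CANNED_ACL_BY_OPTION = {7: "bucket-owner-full-control"}


def get_property(text, key):
    """Return the value of key in Java-style properties text, or None if it is absent."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        name, value = stripped.split("=", 1)
        if name.strip() == key:
            return value.strip()
    return None


def set_property(text, key, value):
    """Return text with key=value present exactly once; comments and other keys are kept."""
    out, written = [], False
    for line in text.splitlines():
        stripped = line.strip()
        is_key = (bool(stripped) and not stripped.startswith("#") and "=" in stripped
                  and stripped.split("=", 1)[0].strip() == key)
        if is_key:
            if not written:
                out.append(f"{key}={value}")
                written = True
            continue  # drop repeated definitions of the same key
        out.append(line)
    if not written:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def ensure_bucket_owner_full_control(text):
    """Set acl.option=7 so objects written cross-account are visible to the bucket owner (Prod)."""
    return set_property(text, "acl.option", "7")


def canned_acl_for(text):
    """Name of the canned ACL the file selects, or None if acl.option is unset or unknown."""
    value = get_property(text, "acl.option")
    if value is None:
        return None
    try:
        return CANNED_ACL_BY_OPTION.get(int(value))
    except ValueError:
        return None


if __name__ == "__main__":
    # Usage (as root on the EC2 instance):
    #   python3 set_acl_option.py /home/robtest/.sftpgateway/user.properties
    path = sys.argv[1]
    with open(path) as fh:
        original = fh.read()
    updated = ensure_bucket_owner_full_control(original)
    if updated != original:
        with open(path, "w") as fh:
            fh.write(updated)
    print("acl.option ->", canned_acl_for(updated))
```

Running it a second time leaves the file unchanged, so it is safe to include in whatever provisioning you already use for SFTP users.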
At this point, you should be able to SFTP to the robtest account. Drop files into the /uploads directory, and these files will show up in the Prod account S3 bucket.
From the Prod AWS account, download the file, and verify that you are able to view its contents.