I have created an AWS Transfer Family SFTP server which is using a Lambda function for authentication. When I try to log in to the SFTP server, I get the following error:
"method": "password",
"activity-type": "AUTH_FAILURE",
"source-ip": "172.105.39.41",
"resource-arn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456",
"message": "Unable to invoke Lambda function: arn:aws:lambda:us-east-2: 123456789012:function:SFTP-Lambda",
"user": "user"
The Lambda has the following invoke permissions (resource-based policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456"
        }
      }
    }
  ]
}
Can someone please tell me what needs to be added here so that I can use the Lambda for authentication?
I am trying to follow the following documentation, but it looks like the IAM permissions provided are not working as expected: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
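An added offline check, not code from the question or from either answer, that reads a Lambda resource-based policy like the one posted above and reports whether it grants transfer.amazonaws.com the lambda:InvokeFunction action on the function, scoped by aws:SourceArn to the SFTP server (the confused-deputy guard the AWS docs ask for). The function and server ARNs are the ones from the question; the second policy below is constructed for this example to show the mis-scoped case where SourceArn points at the function instead of the server, and the third drops the condition entirely.

```python
"""Lint a Lambda resource-based policy for AWS Transfer Family invocation.

Added example, not the question's or the project's code. The ARNs come from
the question; BAD_POLICY and the no-condition variant are constructed here.
"""
import fnmatch
import json

TRANSFER_PRINCIPAL = "transfer.amazonaws.com"
INVOKE_ACTION = "lambda:invokefunction"  # IAM action names are case-insensitive

FUNCTION_ARN = "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda"
SERVER_ARN = "arn:aws:transfer:us-east-2:123456789012:server/s-123456"

# The policy as posted in the question.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": TRANSFER_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": SERVER_ARN}},
    }],
})

# Constructed: SourceArn mistakenly set to the Lambda's own ARN.
BAD_POLICY = GOOD_POLICY.replace(SERVER_ARN, FUNCTION_ARN)

# Constructed: no SourceArn condition at all.
_open = json.loads(GOOD_POLICY)
del _open["Statement"][0]["Condition"]
OPEN_POLICY = json.dumps(_open)


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_like(pattern, arn):
    """ArnLike semantics: '*' and '?' wildcards, case-sensitive match."""
    return fnmatch.fnmatchcase(arn, pattern)


def _source_arn_patterns(condition):
    """Collect aws:SourceArn values under the Arn*/String* operators.
    Condition key names are case-insensitive, so AWS:SourceArn is accepted."""
    patterns = []
    for operator, keys in (condition or {}).items():
        if operator in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    patterns.extend(_as_list(value))
    return patterns


def check_transfer_invoke(policy_json, function_arn, server_arn):
    """Return (granted, findings).

    granted is True when some Allow statement lets the Transfer Family
    service principal invoke function_arn from server_arn. findings lists
    statements that name the principal but are mis-scoped or over-broad.
    """
    policy = json.loads(policy_json)
    findings = []
    granted = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{where}: wildcard principal; any caller may invoke")
            continue
        if not isinstance(principal, dict) or \
                TRANSFER_PRINCIPAL not in _as_list(principal.get("Service")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(INVOKE_ACTION, a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        if not any(_arn_like(r, function_arn) for r in resources):
            findings.append(f"{where}: Resource {resources} does not cover {function_arn}")
            continue
        patterns = _source_arn_patterns(stmt.get("Condition"))
        if not patterns:
            # Invocation works, but any Transfer Family server in any account
            # could use this function as its identity provider.
            findings.append(f"{where}: no aws:SourceArn condition (confused-deputy risk)")
            granted = True
        elif any(_arn_like(p, server_arn) for p in patterns):
            granted = True
        else:
            findings.append(f"{where}: aws:SourceArn {patterns} does not match {server_arn}")
    return granted, findings


if __name__ == "__main__":
    for name, doc in (("question policy", GOOD_POLICY),
                      ("SourceArn = function", BAD_POLICY),
                      ("no SourceArn", OPEN_POLICY)):
        ok, notes = check_transfer_invoke(doc, FUNCTION_ARN, SERVER_ARN)
        print(f"{name}: invoke granted={ok}")
        for note in notes:
            print("  -", note)
```

Run against the policy as posted, the check reports the grant as valid and correctly scoped, so the policy document itself is not the obvious cause of the AUTH_FAILURE; the next things to compare are the function ARN the server's identity provider is configured with and the policy actually attached to that function (aws lambda get-policy --function-name SFTP-Lambda). The third sample shows why the condition matters: it still grants the invoke, but the linter flags it because the guard against other servers is gone.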
2 Answers
You seem to have confused the SourceArn of the Lambda resource policy. You are referencing the Lambda itself instead of the SFTP server.
Have you assigned the permission to run the lambda to the transfer service?
aws lambda add-permission --function-name SFTP-Lambda --action lambda:InvokeFunction --statement-id transfer --principal transfer.amazonaws.com --output text