### Configure Public Key Provider Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example configuration for the public key provider. This defines the provider name and specifies the 'public_key' module. ```json { "provider": { "S": "publickeys" }, "config": { "M": { } }, "module": { "S": "public_key" } } ``` -------------------------------- ### Deploy using SAM Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Initiate the SAM deployment with guided configuration. This command requires CAPABILITY_NAMED_IAM. ```bash sam deploy --guided --capabilities "CAPABILITY_NAMED_IAM" ``` -------------------------------- ### Okta User Attributes Mapping Example Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example of how to map Okta user profile attributes to AWS Transfer user attributes for PosixProfile. Ensure 'okta_app_client_id' is set when using this. ```json { "attributes": { "M": { "Gid": { "S": "gidNumber" }, "Uid": { "S": "uidNumber" } } } } ``` -------------------------------- ### IPv4 Allow List Configuration Example Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Specifies a list of IPv4 CIDR-notation addresses allowed to authenticate via this identity provider, providing network-level access control. ```json "ipv4_allow_list": { "SS": [ "10.0.0.0/8", "192.168.1.0/24" ] } ``` -------------------------------- ### Example IPv4 Allow List Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Defines a list of IPv4 CIDR addresses from which a user is permitted to connect. This is useful for restricting access to specific network ranges. ```json "ipv4_allow_list": { "SS": [ "[CIDR]", "[CIDR]" ] } ``` -------------------------------- ### Argon2 User Record Example Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example of a user record in DynamoDB using the Argon2 identity provider. Includes password hash, home directory configuration, and IP allow list. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "local_password" }, "config": { "M": { "argon2_hash": { "S": "$argon2i$v=19$m=4096,t=3,p=$argon2i$v=19$m=4096,t=3,p=1$Q1JYWUZvSExndGwxVFBKVDdnUUlUMXpCVlpjTUJibbbbbbbb+2/GwZZmGUN3UiclEIXWX3bbbbbbbbb" }, "HomeDirectoryDetails": { "L": [{ "M": { "Entry": { "S": "/home" }, "Target": { "S": "organization-bucket/users/jsmith" } } }, { "M": { "Entry": { "S": "/finance" }, "Target": { "S": "organization-bucket/departments/finance" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "Role": { "S": "arn:aws:iam::[AWS Account Id]:role/[Role Name]" }, "Policy": { "S": "[Session Policy Statement]" } } }, "ipv4_allow_list": { "SS": [ "172.31.0.0/16", "192.168.10.0/24" ] } } ``` -------------------------------- ### User Record with Public Key Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example of a user record configured for public key authentication. It includes home directory mappings, POSIX profile, and public keys stored as a string set. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "publickeys" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "/s3files" }, "Target": { "S": "/[bucketname]/prefix/to/files" } } }, { "M": { "Entry": { "S": "/efs" }, "Target": { "S": "/fs-[efs-fs-id]" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "PosixProfile": { "M": { "Gid": { "S": "1000" }, "Uid": { "S": "1000" } } }, "PublicKeys": { "SS": [ "ssh-ed25519 [PUBLICKEY]", "ssh-rsa [PUBLICKEY]" ] }, "Role": { "S": "arn:aws:iam::[AWS Account Id]:role/[Role Name]" } } }, "ipv4_allow_list": { "SS": [ "0.0.0.0/0" ] } } ``` -------------------------------- ### Example Identity Provider Record Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md An example of an AWS Transfer Family identity provider record configuration that uses the Secrets Manager module. It specifies a secret prefix and enables public key support. ```json { "provider": { "S": "secrets" }, "config": { "M": { "secret_prefix": { "S": "transfer/" } } }, "module": { "S": "secrets_manager" }, "public_key_support": { "BOOL": true } } ``` -------------------------------- ### Example Curl Output for Successful Connectivity Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md This is an example of the expected output when successfully connecting to the DynamoDB regional endpoint using curl. A successful connection will not result in a timeout and will return an HTTP status code. ```text ➜ ~ curl https://dynamodb.[REGION].amazonaws.com -v * Trying 3.218.182.169:443... * Connected to dynamodb.[REGION].amazonaws.com (3.218.182.169) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 * ALPN: server accepted http/1.1 * Server certificate: * subject: CN=dynamodb.us-east-1.amazonaws.com * start date: Feb 5 00:00:00 2024 GMT * expire date: Feb 3 23:59:59 2025 GMT * subjectAltName: host "dynamodb.us-east-1.amazonaws.com" matched cert's "dynamodb.us-east-1.amazonaws.com" * issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01 * SSL certificate verify ok. * using HTTP/1.1 > GET / HTTP/1.1 > Host: dynamodb.us-east-1.amazonaws.com > User-Agent: curl/8.4.0 > Accept: */* > < HTTP/1.1 200 OK < Server: Server < Date: Wed, 27 Mar 2024 19:48:28 GMT < Content-***Type:*** text/plain < Content-Length: 42 < Connection: keep-alive < x-amzn-RequestId: ACKLHF5MV4GRO07E4GDI2U5FF3VV4KQNSO5AEMVJF66Q9ASUAAJG < x-amz-crc32: 3128867991 > * Connection #0 to host dynamodb.us-east-1.amazonaws.com left intact healthy: dynamodb.us-east-1.amazonaws.com % ``` -------------------------------- ### User Record with Expiring Public Keys Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example user record demonstrating public keys with expiration timestamps. Public keys are provided as a list of maps, each containing the key and its expiration date. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "publickeys" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "/s3files" }, "Target": { "S": "/[bucketname]/prefix/to/files" } } }, { "M": { "Entry": { "S": "/efs" }, "Target": { "S": "/fs-[efs-fs-id]" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "PosixProfile": { "M": { "Gid": { "S": "1000" }, "Uid": { "S": "1000" } } }, "PublicKeys": { "L": [ { "M": { "Expires": { "S": "[ISO 8601 datetime]" }, "PublicKey": { "S": "ssh-ed25519 [PUBLICKEY]" } } }, { "M": { "Expires": { "S": "[ISO 8601 datetime]" }, "PublicKey": { "S": "ssh-rsa [PUBLICKEY]" } } } ] }, "Role": { "S": "arn:aws:iam::[AWS Account Id]:role/[Role Name]" } } }, "ipv4_allow_list": { "SS": [ "0.0.0.0/0" ] } } ``` -------------------------------- ### Server Filtering for Home Directory Mapping Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example configuration for HomeDirectoryDetails showing how to map user entries to specific S3 targets based on the connecting server. The 'servers' attribute filters visibility to listed servers; its absence makes the entry visible to all. ```json "HomeDirectoryDetails": { "L": [ { "M": { "Entry": {"S": "/production-data"}, "Target": {"S": "/prod-bucket/data"}, "servers": {"SS": ["s-prod1234567890abc"]} } }, { "M": { "Entry": {"S": "/staging-data"}, "Target": {"S": "/staging-bucket/data"}, "servers": {"SS": ["s-stage234567890ab"]} } }, { "M": { "Entry": {"S": "/shared"}, "Target": {"S": "/shared-bucket/data"} } } ] } ``` -------------------------------- ### Generate Argon2 Hash Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Command-line utility to generate an Argon2 hash for testing. Requires the 'argon2' package to be installed. The generated hash should be pasted into the 'argon2_hash' field of a user record. ```bash unset -v password; set +o allexport; echo "Enter password"; IFS= read -rs password < /dev/tty; printf '%s' "$password" | argon2 $(head /dev/urandom | LC_ALL=C tr -dc A-Za-z0-9 | head -c 32; echo) -e; unset -v password; ``` -------------------------------- ### Example Server ID Allow List Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Specifies a list of AWS Transfer Family server IDs that a user is allowed to authenticate to. This parameter enhances security by limiting user access to designated servers. ```json "server_id_allow_list": { "SS": [ "s-1234567890abcdef0", "s-abcdef1234567890" ] } ``` -------------------------------- ### User Record Configuration for LDAP IdP Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example JSON record for a user associated with an LDAP identity provider. Defines logical home directory mappings and allowed IP addresses. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "example.com" }, "config": { "M": { "HomeDirectoryDetails": { "L": [{ "M": { "Entry": { "S": "/home" }, "Target": { "S": "organization-bucket/users/jsmith" } } }, { "M": { "Entry": { "S": "/finance" }, "Target": { "S": "organization-bucket/departments/finance" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" } } }, "ipv4_allow_list": { "SS": [ "0.0.0.0/0" ] } } ``` -------------------------------- ### Example Microsoft Entra ID DynamoDB Record Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md An example of a DynamoDB record for configuring Microsoft Entra ID, specifying a custom authority URL. This record is used to authenticate users via Entra ID. ```json { "provider": { "S": "entra.example.com" }, "config": { "M": { "client_id": { "S": "12345678-1234-1234-1234-123456789012" }, "app_secret_arn": { "S": "arn:aws:secretsmanager:us-west-2:123456789012:secret:entra-app-secret-ABC123" }, "authority_url": { "S": "https://login.microsoftonline.com/tenant-id" } } }, "module": { "S": "entra" } } ``` -------------------------------- ### LDAP Identity Provider Record Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example JSON record for configuring an LDAP identity provider in AWS Transfer Family. Specifies server details, port, SSL settings, search base, and attribute mappings for UID and GID. ```json { "provider": { "S": "example.com" }, "config": { "M": { "attributes": { "M": { "Gid": { "S": "gidNumber" }, "Role": { "S": "comment" }, "Uid": { "S": "uidNumber" } } }, "ignore_missing_attributes": { "BOOL": false }, "port": { "N": "636" }, "search_base": { "S": "DC=example,DC=com" }, "server": { "S": "ldap.example.com" }, "ssl": { "BOOL": true }, "ssl_verify": { "BOOL": true }, "Role": { "S": "arn:aws:iam::123456789012:role/examplecom-AWSTransferRole" } } }, "module": { "S": "ldap" } } ``` -------------------------------- ### Attribute Mapping for LDAP/AD to AWS Transfer Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md An example of a key/value map to specify how AWS Transfer user attributes should be retrieved from corresponding LDAP or AD attributes. This is useful for mapping attributes like Uid and Gid for PosixProfile. ```json "attributes": { "M": { "Gid": { "S": "gidNumber" }, "Uid": { "S": "uidNumber" } } } ``` -------------------------------- ### Custom Identity Provider User Configuration with Username Mapping Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Example configuration for a user in a custom identity provider. It maps the Transfer Family username 'usertest' to the Cognito username 'user+test@example.com' for authentication, while using 'usertest' for session logging and home directory resolution. ```json { "user": { "S": "usertest" }, "identity_provider_key": { "S": "cognito" }, "idp_username": { "S": "user+test@example.com" }, "config": { "M": { "Role": { "S": "arn:aws:iam::123456789012:role/TransferRole" }, "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "/" }, "Target": { "S": "/my-bucket/${transfer:UserName}" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" } } } } ``` -------------------------------- ### Cognito Identity Provider Configuration Example Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md This JSON object demonstrates a complete configuration for an AWS Transfer Family custom identity provider using Amazon Cognito. It includes settings for the Cognito user pool client ID, region, client secret ARN, source IP propagation, and MFA. ```json { "provider": { "S": "cognito-pool" }, "config": { "M": { "mfa_token_length": { "N": "6" }, "cognito_client_id": { "S": "353r6nqo4bi6baaaasdf123" }, "cognito_user_pool_region": { "S": "us-east-1" }, "cognito_client_secret_arn": { "S": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cognito-client-secret-AbCdEf" }, "cognito_include_source_ip": { "BOOL": true }, "mfa": { "BOOL": true } } }, "module": { "S": "cognito" } } ``` -------------------------------- ### Build the Solution Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Run the build script to download dependencies and generate archives for the Lambda layer and function. ```bash cd ~/toolkit-for-aws-transfer-family/solutions/custom-idp ./build.sh ``` -------------------------------- ### Clone the Solution Repository Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Clone the solution repository to your environment to begin the deployment process. ```bash cd ~ git clone https://github.com/aws-samples/toolkit-for-aws-transfer-family.git ``` -------------------------------- ### Clone Solution Repository Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Clone the latest version of the solution repository to your environment. This is a prerequisite for updating the solution. ```bash cd ~ rm -rf toolkit-for-aws-transfer-family git clone https://github.com/aws-samples/toolkit-for-aws-transfer-family.git ``` -------------------------------- ### Public Key Configuration (Simple) Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Specifies a list of SSH public keys for user authentication. This is the basic format without expiration. ```json "PublicKeys": { "SS": [ "ssh-ed25519 [PUBLICKEY]", "ssh-rsa [PUBLICKEY]" ] } ``` -------------------------------- ### Update CloudFormation Stack Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Deploy the updated solution by updating the existing CloudFormation stack. Replace '[STACKNAME]' with your stack's name. Ensure you have the necessary IAM capabilities. ```bash sam deploy --stack-name [STACKNAME] --capabilities "CAPABILITY_NAMED_IAM" --resolve-s3 ``` -------------------------------- ### Connect to AWS Transfer Server via SFTP Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Use this command to connect to your AWS Transfer Family server using SFTP with a private key. Replace `path/to/privatekey`, `jsmith`, and `[transfer-server-endpoint-address]` with your specific details. ```bash sftp -i path/to/privatekey jsmith@[transfer-server-endpoint-address] ``` -------------------------------- ### PosixProfile Configuration for EFS Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Defines the PosixProfile for a user when accessing an EFS filesystem. Requires Uid and Gid to be specified. ```json "PosixProfile": { "M": { "Gid": {"S": "[UID]"}, "Uid": {"S": "[GID]"} } } ``` -------------------------------- ### Dynamic User Home Directory Mapping Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Maps a user's logical root directory to a specific S3 bucket and path based on their username. Includes a session policy to restrict S3 access to the user's designated folder. ```json { "user": { "S": "$default$" }, "identity_provider_key": { "S": "domain2019.local" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "/" }, "Target": { "S": "/[BUCKETNAME]/${transfer:UserName}" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "Policy": { "S": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowListingOfUserFolder\",\n \"Action\": [\n \"s3:ListBucket\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": [\n \"arn:aws:s3:::[BUCKETNAME]\"\n ],\n \"Condition\": {\n \"StringLike\": {\n \"s3:prefix\": [\n \"${transfer:UserName}/*\",\n \"${transfer:UserName}\"\n ]\n }\n }\n },\n {\n \"Sid\": \"HomeDirObjectAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:PutObject\",\n \"s3:GetObject\",\n \"s3:DeleteObjectVersion\",\n \"s3:DeleteObject\",\n \"s3:GetObjectVersion\",\n \"s3:GetObjectACL\",\n \"s3:PutObjectACL\"\n ],\n \"Resource\": \"arn:aws:s3:::[BUCKETNAME]/${transfer:UserName}/*\"\n }\n ]\n}" }, "Role": { "S": "[IAM ROLE ARN]" } } }, "ipv4_allow_list": { "SS": [ "0.0.0.0/0" ] } } ``` -------------------------------- ### Combined Region and Server Filtering for User Directories Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Configures user home directories based on both the AWS Transfer Family server and the AWS region. Entries require a matching 'servers' and 'regions' attribute to be visible. ```json { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": {"S": "/us-prod"}, "Target": {"S": "/prod-us-east-1/data"}, "regions": {"SS": ["us-east-1"]}, "servers": {"SS": ["s-prod1234567890abc"]} } }, { "M": { "Entry": {"S": "/eu-prod"}, "Target": {"S": "/prod-eu-west-1/data"}, "regions": {"SS": ["eu-west-1"]}, "servers": {"SS": ["s-prod1234567890abc"]} } }, { "M": { "Entry": {"S": "/us-dev"}, "Target": {"S": "/dev-us-east-1/data"}, "regions": {"SS": ["us-east-1"]}, "servers": {"SS": ["s-dev9876543210xyz"]} } } ] } } ``` -------------------------------- ### Server Filtering for User Directories Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Configures user home directories based on the specific AWS Transfer Family server the user connects to. Entries with a 'servers' attribute are only visible on the listed servers. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "example.com" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": {"S": "/production-data"}, "Target": {"S": "/prod-bucket/data"}, "servers": {"SS": ["s-prod1234567890abc"]} } }, { "M": { "Entry": {"S": "/staging-data"}, "Target": {"S": "/staging-bucket/data"}, "servers": {"SS": ["s-stage234567890ab"]} } }, { "M": { "Entry": {"S": "/shared"}, "Target": {"S": "/shared-bucket/data"} } } ] }, "HomeDirectoryType": {"S": "LOGICAL"}, "Role": {"S": "arn:aws:iam::123456789012:role/TransferUserRole"} } } } ``` -------------------------------- ### User Record with SERVER_ID for IAM Policy Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md This JSON user record demonstrates how to use the {{SERVER_ID}} variable within the IAM Policy and HomeDirectoryDetails. This allows for dynamic configuration of S3 bucket access and home directory paths based on the connected Transfer Family server. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "example.com" }, "config": { "M": { "Role": { "S": "arn:aws:iam::123456789012:role/TransferUserRole" }, "Policy": { "S": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowListingOfUserFolder\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::company-{{SERVER_ID}}-files\",\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"users/jsmith/*\"]}}},{\"Sid\":\"AllowUserFileAccess\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],\"Resource\":\"arn:aws:s3:::company-{{SERVER_ID}}-files/users/jsmith/*\"}]}" }, "HomeDirectoryDetails": { "L": [{ "M": { "Entry": {"S": "/home"}, "Target": {"S": "/company-{{SERVER_ID}}-files/users/jsmith"} } }] }, "HomeDirectoryType": { "S": "LOGICAL" } } } } ``` -------------------------------- ### Public Key Configuration with Expiration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Configures SSH public keys with optional expiration timestamps in ISO 8601 format. This allows for time-limited key validity. ```json "PublicKeys": { "L": [ { "M": { "Expires": {"S": "[ISO 8601 datetime]"}, "PublicKey": {"S": "ssh-ed25519 [PUBLICKEY]"} } }, { "M": { "Expires": {"S": "[ISO 8601 datetime]"}, "PublicKey": {"S": "ssh-rsa [PUBLICKEY]"} } } ] } ``` -------------------------------- ### Okta Module Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Configures the Okta module for AWS Transfer Family, enabling MFA, specifying attribute mappings, and setting Okta domain details. Use this to integrate Okta as your identity provider. ```json { "provider": { "S": "okta.example.com" }, "config": { "M": { "attributes": { "M": { "Gid": { "S": "gidNumber" }, "Uid": { "S": "uidNumber" }, "Role": { "S": "AWSTransferRole" }, "Policy": { "S": "AWSTransferScopeDownPolicy" } } }, "ignore_missing_attributes": { "BOOL": false }, "mfa_token_length": { "N": "6" }, "okta_domain": { "S": "dev-xxxxx.okta.com" }, "okta_app_client_id": { "S": "0123abcDE456f78gH9" }, "okta_redirect_uri": { "S": "callback:/awstransfer" }, "mfa": { "BOOL": true } } }, "module": { "S": "okta" } } ``` -------------------------------- ### HomeDirectoryDetails JSON Structure Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Defines the structure for HomeDirectoryDetails, which maps logical directories to actual S3 or EFS paths. Includes optional filtering attributes for regions and servers. ```json "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "[logical directory name]" }, "Target": { "S": "[S3 or EFS Path]" }, "regions": { "SS": [ "[REGION_CODE]" ] }, "servers": { "SS": [ "[SERVER_ID]" ] } } }, { "M": { "Entry": { "S": "[logical directory name]" }, "Target": { "S": "[S3 or EFS Path]" }, "regions": { "SS": [ "[REGION_CODE]" ] }, "servers": { "SS": [ "[SERVER_ID]" ] } } } ] }, ``` -------------------------------- ### Retrieving Public Keys from LDAP Attributes Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Demonstrates how to configure attribute mapping to retrieve SSH public keys from LDAP attributes. The LDAP attribute value must be a JSON list of keys. ```json ["ssh-ed25519 AAAAC3Nz...."] ``` -------------------------------- ### Okta Provider Configuration Schema Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md DynamoDB record schema for configuring Okta as an identity provider. Includes settings for MFA, attribute mapping, and Okta-specific connection details. ```json { "provider": { "S": "[provider name]" }, "config": { "M": { "attributes": { "M": { "Gid": { "S": "[Okta profile attribute name]" }, "Uid": { "S": "[Okta attribute name]" }, "Role": { "S": "[Okta attribute name]" }, "Policy": { "S": "[Okta attribute name]" } } }, "ignore_missing_attributes": { "BOOL": [true or false] }, "mfa_token_length": { "N": "[token length]" }, "okta_domain": { "S": "[FQDN Okta domain]" }, "okta_app_client_id": { "S": "[app client id]" }, "okta_redirect_uri": { "S": "[okta redirect uri]" }, "mfa": { "BOOL": [true or false] } } }, "module": { "S": "okta" } } ``` -------------------------------- ### Okta User Configuration Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Create this JSON record in the 'users' DynamoDB table to map an Okta user to AWS Transfer Family. Ensure the username matches Okta, and configure the user's home directory and IAM role. ```json { "user": { "S": "{username}" }, "identity_provider_key": { "S": "{provider}" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "{virtual path}" }, "Target": { "S": "{[bucketname/prefix/to/files}" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "Role": { "S": "{arn:aws:iam::[AWS Account Id]:role/[Role Name]}" } } } } ``` -------------------------------- ### Define User in DynamoDB for Entra ID Authentication Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md This JSON defines a user's configuration in the DynamoDB `_users` table for authentication via Entra ID. It includes settings for home directory mapping, POSIX profiles, and allowed IP addresses. Update placeholders with your specific user and resource details. ```json { "user": { "S": "{username}" }, "identity_provider_key": { "S": "{entra_provider}" }, "config": { "M": { "HomeDirectoryDetails": { "L": [ { "M": { "Entry": { "S": "/s3files" }, "Target": { "S": "/[bucketname]/prefix/to/files" } } }, { "M": { "Entry": { "S": "/efs" }, "Target": { "S": "/fs-[efs-fs-id]" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" }, "PosixProfile": { "M": { "Gid": { "S": "1000" }, "Uid": { "S": "1000" } } }, "Role": { "S": "arn:aws:iam::[AWS Account Id]:role/[Role Name]" } } }, "ipv4_allow_list": { "SS": [ "0.0.0.0/0" ] } } ``` -------------------------------- ### Python Code for Generating ISO 8601 Timestamp Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Python code snippet to generate the current UTC time in ISO 8601 format, suitable for the 'Expires' field in PublicKeys configuration. ```python from datetime import datetime, timezone datetime.now(timezone.utc).isoformat() ``` -------------------------------- ### LDAP/Active Directory Attribute Mapping for Default User Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Illustrates an identity provider record for LDAP/Active Directory that retrieves PosixProfile and scoped Policy dynamically. It maps AD/LDAP attributes like uidNumber, gidNumber, and comments to AWS Transfer session configurations. ```json { "provider": { "S": "example.com" }, "config": { "M": { "attributes": { "M": { "Gid": { "S": "gidNumber" }, "Policy": { "S": "comment" }, "Uid": { "S": "uidNumber" } } }, "port": { "N": "636" }, "search_base": { "S": "DC=EXAMPLE,DC=COM" }, "server": { "S": "dc1.example.com" }, "ssl": { "BOOL": true }, "ssl_verify": { "BOOL": false } } }, "module": { "S": "ldap" } } ``` -------------------------------- ### Verify Network Connectivity to AWS Services Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Use curl to test connectivity to AWS service endpoints from within your VPC subnets. This helps diagnose network configuration issues that might cause timeouts. ```bash #!/bin/bash # Replace [REGION] with your AWS region REGION="us-east-1" # Test DynamoDB endpoint curl https://dynamodb.${REGION}.amazonaws.com -v # Test STS endpoint curl https://sts.${REGION}.amazonaws.com -v # Test Secrets Manager endpoint curl https://secretsmanager.${REGION}.amazonaws.com -v ``` -------------------------------- ### DynamoDB Record Schema for Argon2 Module Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md Shows the specific DynamoDB record schema for the Argon2 identity provider module, emphasizing the 'argon2' module name and an empty config. ```json { "provider": { "S": "[provider name]" }, "config": { }, "module": { "S": "argon2" } } ``` -------------------------------- ### User Record with Region Variable Source: https://github.com/aws-samples/toolkit-for-aws-transfer-family/blob/main/solutions/custom-idp/README.md This JSON user record for a custom IdP includes the {{REGION}} variable, which will be replaced with the appropriate AWS region. This allows users to connect to the S3 bucket in the same region as the Transfer Family server. ```json { "user": { "S": "jsmith" }, "identity_provider_key": { "S": "example.com" }, "config": { "M": { "HomeDirectoryDetails": { "L": [{ "M": { "Entry": { "S": "/home" }, "Target": { "S": "/company-files-{{REGION}}/users/jsmith" } } }, { "M": { "Entry": { "S": "/finance" }, "Target": { "S": "/company-files-{{REGION}}/departments/finance" } } } ] }, "HomeDirectoryType": { "S": "LOGICAL" } } } } ```