Aws-cli: aws transfer create-user does not accept policy ARN

Created on 14 Jan 2019 · 10 Comments · Source: aws/aws-cli

When supplying the --role argument with an ARN, the role policy is applied as expected. When supplying the --policy argument with an ARN, the policy for that user becomes the string you supplied, instead of applying the actual policy.

Is this a bug or does the policy need to be supplied as JSON?

documentation feature-request

All 10 comments

@amcquade - Thanks for reaching out. The request accepts the data in JSON format. Providing the output from adding --debug to the command will help us understand if there is another issue or bug in the CLI.

@justnance this does not really answer my question. I understand the request can be processed entirely in JSON, however nowhere in the documentation does it specify that for the --policy argument. For example, if I run aws transfer create-user --debug --home-directory /sftp.hostname.com/policytest --policy arn:aws:iam::xxxxxxxxxxxx:policy/SFTPScopeDown --role arn:aws:iam::xxxxxxxxxxxx:role/SFTPRole --server-id s-12345xxx --user-name policytest --ssh-public-key-body "$(< key.pub)" the command will add this user successfully, but set the policy as "arn:aws:iam::xxxxxxxxxxxx:policy/SFTPScopeDown", instead of setting the policy attached to the ARN, like the screenshot attached below.
(screenshot: policy-arn-fail)

Same issue.
Nowhere in the documentation does it say clearly how --policy will work; even in the sample example it is left out. Policy name and ARN don't work.

You are correct - the --policy instructions are not clear for this command. I contacted the writer for the Transfer service and requested that they add more information about that.

The parameter takes the actual policy text as a JSON string. It does not take the ARN of an existing policy. Because including a JSON string on a command line is awkward at best (you have to escape all the double-quotes, for example), you can instead store the policy text in a file on disk and then reference that file using the file://mypolicyfilename.json syntax. I believe that it works identically to the "policy-document" parameter on the IAM create-policy command. You can see that command here: https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html. That page has much more information about how to use that parameter successfully.

I hope this helps!
Dave

Thanks @bisdavid That worked.

Could you also shed some light on using

Variables you can use inside this policy include ${Transfer:UserName} , ${Transfer:HomeDirectory} , and ${Transfer:HomeBucket} .

I have tried it but it didn't work for me. The policy has it literally instead of the value.

Thanks @bisdavid! I think some more guidance in the documentation will go a long way, but it would be a really nice feature to be able to just pass the ARN.

@citrocity the variables won't be replaced with the actual values when you view the policy in the SFTP console, but they will work whenever you are actually connecting to the service as that user.

Glad it helped! I'll pass your feedback on to the team.

Thanks @bisdavid. A formal ticket has been passed onto our doc writer team for follow up on this issue.

@amcquade - Thanks again for reporting this issue. I am reviewing whether or not passing the ARN could be a feature request.

I tried but found that it doesn't work.
On the AWS CLI I am:

  • creating a bucket named userA
  • creating a policy named sftp-userA with list access and read/write access to bucket userA (this is where I am using: Resource: "arn:aws:s3:::${Transfer:UserName}")
  • attaching the above policy to the assume-transfer role
  • creating a transfer user called userA, adding the above policy and adding the user home directory.

The user can log in but has no access.

If I replace ${Transfer:UserName} in the policy with the name userA, the user can read/write, but with the variable it doesn't work.

@citrocity I'm using the policy exactly as written found here. Make sure the role you are giving to users has access to the S3 bucket and actions. The only other advice I have is to lowercase the 'T' in transfer.
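
The two points the thread settles (that --policy takes JSON policy text or a file:// reference, never an IAM policy ARN, and that the session variables use the lowercase ${transfer:...} prefix) are easy to get wrong silently, because the CLI accepts the ARN as a plain string and stores it verbatim. The following is an added example, not code from the issue or from aws-cli: it builds an illustrative scope-down policy (the statements are an assumption, not the reporter's SFTPScopeDown policy), writes it out for the file:// syntax, and checks a --policy value the way the CLI would treat it before you run aws transfer create-user. The 12-digit account ID and file name are constructed for the example.

```python
"""Build a Transfer Family scope-down policy, save it for file:// use, and
sanity-check what a --policy argument would actually send (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Session variables Transfer Family expands when the user connects. Note the
# lowercase "transfer" prefix: the thread quotes them with a capital T, and the
# last commenter's fix (lowercase) matches the AWS documentation.
KNOWN_VARIABLES = {
    "${transfer:UserName}",
    "${transfer:HomeDirectory}",
    "${transfer:HomeBucket}",
}

IAM_POLICY_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:policy/\S+$")
VARIABLE_TOKEN = re.compile(r"\$\{[^}]*\}")


def build_scope_down_policy() -> dict:
    """Illustrative scope-down policy (an assumption, not the thread's policy):
    list only the user's own prefix, read/write only under the home directory."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]
                    }
                },
            },
            {
                "Sid": "HomeDirectoryObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
            },
        ],
    }


def classify_policy_argument(value: str) -> str:
    """Say how the CLI would treat a --policy value: 'arn' (stored verbatim as
    the policy text, the confusion in this issue), 'file' (file:// reference
    expanded to the file contents), 'json' (inline document) or 'invalid'."""
    if IAM_POLICY_ARN.match(value):
        return "arn"
    if value.startswith("file://"):
        return "file"
    try:
        doc = json.loads(value)
    except ValueError:
        return "invalid"
    return "json" if isinstance(doc, dict) and "Statement" in doc else "invalid"


def unknown_variables(policy) -> list:
    """Return ${...} tokens Transfer Family will not expand, e.g. a capitalised
    ${Transfer:UserName}, which would stay in the policy literally."""
    text = policy if isinstance(policy, str) else json.dumps(policy)
    return sorted(set(VARIABLE_TOKEN.findall(text)) - KNOWN_VARIABLES)


def write_policy_file(policy: dict, directory=None) -> str:
    """Write the document to disk and return the file:// argument for the CLI."""
    directory = Path(directory or tempfile.mkdtemp())
    path = directory / "sftp-scope-down.json"  # constructed file name
    path.write_text(json.dumps(policy, indent=2))
    return f"file://{path}"


def load_policy_argument(value: str) -> dict:
    """Resolve a --policy value to the document the service would receive,
    mirroring the CLI: file:// is read from disk, anything else is literal."""
    kind = classify_policy_argument(value)
    if kind == "arn":
        raise ValueError(
            "--policy takes the JSON policy text, not a policy ARN; "
            "save the policy to a file and pass file://<path> instead"
        )
    if kind == "file":
        return json.loads(Path(value[len("file://"):]).read_text())
    if kind == "json":
        return json.loads(value)
    raise ValueError("not a JSON policy document")


if __name__ == "__main__":
    policy = build_scope_down_policy()
    arg = write_policy_file(policy)
    print("aws transfer create-user ... --policy", arg)
    print("unexpanded variables:", unknown_variables(policy))
```

Run the script and pass the printed file:// value to aws transfer create-user together with --role, --server-id, --user-name and the rest of the arguments from the thread; unknown_variables() is the check to run on any hand-written policy before uploading it, since the console will show the literal token either way and only the connecting session reveals whether it expanded.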
