Setting up an SFTP Access to Amazon S3
Note that WinSCP supports direct access to S3 storage.
If you need to access or manage files stored in an Amazon S3 (Simple Storage Service) bucket via SFTP, there are two options. You can use the native managed SFTP service recently added by Amazon (which is easier to set up). Or you can mount the bucket to a file system on a Linux server and access the files over SFTP like any other files on the server (which gives you greater control).
Managed SFTP Service
Creating Managed SFTP Server
- To create a Managed SFTP server for S3, in your Amazon AWS Console, go to AWS Transfer for SFTP and create a new server (you can keep the server options at their defaults for a start).
- On the SFTP server page, add a new SFTP user (or users).
- Permissions of users are governed by an associated AWS role in IAM service. To create a role which has a full access to all your S3 buckets, just create an S3 service role with AmazonS3FullAccess policy.
  The role must have a trust relationship to transfer.amazonaws.com. On the role page, select the Trust relationships tab, click the Edit trust relationship button, and in the access control policy JSON document, change the Statement[].Principal.Service value to transfer.amazonaws.com:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "transfer.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Generate a key pair for your new user and paste the public key into the SSH public keys box (use the format you would otherwise use for the OpenSSH authorized_keys file).
Connecting to Managed SFTP Server
You can connect to the managed SFTP server as you would to any other SFTP server.
The host name of the server can be found on the server page as Endpoint, in the format server_id.server.transfer.region.amazonaws.com.
Mounting Bucket to Linux Server
This guide shows how to mount the S3 bucket using the s3fs file system on an Amazon EC2 server and access it using WinSCP.
Creating Access Server
If you do not have a Linux server available for the mounting, launch a new Amazon EC2 server.
A basic Amazon Linux AMI (free tier eligible) server will generally suffice and the following instructions are tested on this distribution. Instructions for other distributions may differ.
Installing s3fs
Start by installing the s3fs file system.
Mounting S3 Bucket to File System
- Switch to root:
  sudo su
- Store the security credentials that will be used to access the S3 bucket in /etc/passwd-s3fs:
  echo <access-key-id>:<secret-access-key> > /etc/passwd-s3fs
  chmod 600 /etc/passwd-s3fs
  (Replace the <access-key-id> and <secret-access-key> with the actual values.)
- Create a mount point (example):
  mkdir /mnt/<bucket>
- Add an entry to fstab to mount the bucket:
  echo s3fs#<bucket> /mnt/<bucket> fuse _netdev,rw,nosuid,nodev,allow_other,nonempty 0 0 >> /etc/fstab
  (Replace the leading <bucket> with your bucket name and the /mnt/<bucket> with the mount point.)
- Mount the bucket:
  mount -a
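The mounting steps above, collected into a small POSIX shell helper. This is an added example, not code from the WinSCP page; every function takes the target file path as an argument (an assumption made here so the helper can be tried against temporary files before it is run as root against /etc/passwd-s3fs and /etc/fstab), it creates the credential file with a restrictive umask so the secret is never on disk world-readable, and it appends the fstab entry only once.

```shell
#!/bin/sh
# Added helper for the s3fs setup steps (not from the WinSCP page).
# All paths are parameters so the functions can be exercised without root.

# Write the s3fs credential file. The umask applies from the moment the
# file is created, instead of relying on a chmod that runs after the
# secret is already on disk with the default permissions.
write_s3fs_credentials() {
  access_key_id=$1; secret_access_key=$2; cred_file=$3
  ( umask 077; printf '%s:%s\n' "$access_key_id" "$secret_access_key" > "$cred_file" )
  chmod 600 "$cred_file"
}

# True only if the credential file is readable and writable by its owner
# and by nobody else (s3fs refuses credential files with wider permissions).
credentials_mode_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Build the fstab line from the page: a FUSE mount with nosuid and nodev,
# so nothing stored in the bucket can act as a setuid binary or device node.
s3fs_fstab_entry() {
  printf 's3fs#%s %s fuse _netdev,rw,nosuid,nodev,allow_other,nonempty 0 0\n' "$1" "$2"
}

# Append the entry only if it is not already present, so re-running the
# setup does not leave duplicate lines in fstab.
add_fstab_entry() {
  bucket=$1; mount_point=$2; fstab=$3
  if ! grep -qF "s3fs#$bucket $mount_point " "$fstab" 2>/dev/null; then
    s3fs_fstab_entry "$bucket" "$mount_point" >> "$fstab"
  fi
}
```

After running the functions against the real /etc/passwd-s3fs and /etc/fstab as root, `mount -a` mounts the bucket exactly as in the step above.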
Connecting to the Access Server to Manage the Bucket
- Learn how to connect securely to an Amazon EC2 server with SFTP.
- Once connected, navigate to the mount point (e.g. the /mnt/<bucket> folder).
Further reading
- Guide to uploading files to SFTP server;
- Guide to automating operations (including upload).
- Based on the answer by @ChristopherTull to Connecting to AWS Transfer for SFTP on Stack Overflow.