AWS Transfer for SFTP
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

CreateUser

Creates a user and associates them with an existing Secure File Transfer Protocol (SFTP) server. You can only create and associate users with SFTP servers that have the IdentityProviderType set to SERVICE_MANAGED. Using parameters for CreateUser, you can specify the user name, set the home directory, store the user's public key, and assign the user's AWS Identity and Access Management (IAM) role. You can also optionally add a scope-down policy, and assign metadata with tags that can be used to group and search for users.

Request Syntax

{ "HomeDirectory": "string", "Policy": "string", "Role": "string", "ServerId": "string", "SshPublicKeyBody": "string", "Tags": [ { "Key": "string", "Value": "string" } ], "UserName": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

HomeDirectory

The landing directory (folder) for a user when they log in to the server using their SFTP client. An example is /home/username .

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^$|/.*

Required: No

Policy

A scope-down policy for your user so you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

Note

For scope-down policies, AWS Transfer for SFTP stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a scope-down policy, see Creating a Scope-Down Policy.

For more information, see AssumeRole in the AWS Security Token Service API Reference.

Type: String

Required: No

Role

The IAM role that controls your user's access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the SFTP server to access your resources when servicing your SFTP user's transfer requests.

Type: String

Pattern: arn:.*role/.*

Required: Yes

ServerId

A system-assigned unique identifier for an SFTP server instance. This is the specific SFTP server that you added your user to.

Type: String

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

SshPublicKeyBody

The public portion of the Secure Shell (SSH) key used to authenticate the user to the SFTP server.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$

Required: No

Tags

Key-value pairs that can be used to group and search for users. Tags are metadata attached to users for any purpose.

Type: Array of Tag objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

UserName

A unique string that identifies a user and is associated with a server as specified by the ServerId. This user name must be a minimum of 3 and a maximum of 32 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore, and hyphen. The user name can't start with a hyphen.

Type: String

Pattern: ^[a-zA-Z0-9_][a-zA-Z0-9_-]{2,31}$

Required: Yes

Response Syntax

{ "ServerId": "string", "UserName": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId

The ID of the SFTP server that the user is attached to.

Type: String

Pattern: ^s-([0-9a-f]{17})$

UserName

A unique string that identifies a user account associated with an SFTP server.

Type: String

Pattern: ^[a-zA-Z0-9_][a-zA-Z0-9_-]{2,31}$

Errors

For information about the errors that are common to all actions, see Common Errors.

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer for SFTP service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceExistsException

The requested resource does not exist.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer for SFTP service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer for SFTP service is not available.

HTTP Status Code: 500

Examples

Example

The following example associates a user with an SFTP server.

Sample Request

{ "HomeDirectory": "/bucket_name/home/mydirectory", "Policy": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowFullAccessToBucket", "Action": [ "s3:*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*" ] } ] }, "SshPublicKeyBody": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCOtfCAis3aHfM6yc8KWAlMQxVDBHyccCde9MdLf4DQNXn8HjAHf+Bc1vGGCAREFUL1NO2PEEKING3ALLOWEDfIf+JBecywfO35Cm6IKIV0JF2YOPXvOuQRs80hQaBUvQL9xw6VEb4xzbit2QB6", "Role": "arn:aws:iam::176354371281:role/SFTP_role", "ServerId": "s-01234567890abcdef", "Tags": [ { "Key": "Group", "Value": "UserGroup1" } ], "UserName": "sftp_user" }

Example

Sample Response

{ "ServerId": "s-01234567890abcdef" "UserName": "sftp_user" }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: