I want to grant users the permissions to work with AWS Transfer for SFTP (SSH File Transfer Protocol). I want to create an AWS Identity and Access Management (IAM) role with those permissions. How can I create this IAM role using the AWS Command Line Interface (AWS CLI)?

Because AWS SFTP works with Amazon Simple Storage Service (Amazon S3) objects on behalf of your users, the IAM role for your AWS SFTP users must:

  • Allow AWS SFTP to assume the role of your users.
  • Allow your users to access Amazon S3.

Important: Before you begin, you must have the AWS CLI installed and configured.

Follow these steps to create an IAM role for your AWS SFTP users with the AWS CLI:

1.    From the command prompt of your terminal, create a text file named "transfer-trust-relationship.json" that contains the following text. This trust policy allows the AWS SFTP service (transfer.amazonaws.com) to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

2.    Run this AWS CLI command to create an IAM role that includes the statement that you created:

aws iam create-role --role-name myAWSTransferUserRole --assume-role-policy-document file://transfer-trust-relationship.json --description "Access to my AWS resources for my AWS Transfer users"

3.    Attach a policy to the IAM role that defines the Amazon S3 access that you want your AWS SFTP users to have. For example, if you want your AWS SFTP users to have read access to all your S3 buckets, run this command to attach an AWS managed policy:

aws iam attach-role-policy --role-name myAWSTransferUserRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Note: To grant users full access to Amazon S3, you can attach the "AmazonS3FullAccess" AWS managed policy. Or, you can write a custom policy that limits access to only the buckets and prefixes your users need.
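The following script is an added example and is not part of the AWS article. It writes the same trust policy, but with an aws:SourceAccount condition in place of the empty "Condition" so that only Transfer requests made on behalf of your own account can assume the role, writes a custom S3 policy scoped to a single bucket instead of attaching AmazonS3ReadOnlyAccess, and then runs the same create-role call followed by put-role-policy. The account ID, bucket name, role name and file names are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not from the AWS article. Account ID and bucket are placeholders.
# The aws commands run only when APPLY=1, so you can inspect the policy files first.

write_trust_policy() {   # $1 = output file, $2 = your AWS account ID
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "transfer.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "aws:SourceAccount": "$2" } }
  }]
}
EOF
}

write_s3_policy() {   # $1 = output file, $2 = bucket name (no s3:// prefix)
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$2" },
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$2/*" }
  ]
}
EOF
}

create_transfer_role() {   # $1 = role name, $2 = account ID, $3 = bucket
  write_trust_policy transfer-trust-relationship.json "$2"
  write_s3_policy transfer-s3-access.json "$3"
  # Catch a malformed document locally before IAM rejects it (if python3 exists).
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json,sys; [json.load(open(f)) for f in sys.argv[1:]]' \
      transfer-trust-relationship.json transfer-s3-access.json || return 1
  fi
  [ "${APPLY:-0}" = "1" ] || { echo "dry run: policy files written"; return 0; }
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document file://transfer-trust-relationship.json \
    --description "Access to one S3 bucket for AWS Transfer users"
  aws iam put-role-policy --role-name "$1" --policy-name TransferS3BucketAccess \
    --policy-document file://transfer-s3-access.json
}
# Usage: APPLY=1 sh this.sh, with a call such as: create_transfer_role myAWSTransferUserRole 123456789012 my-sftp-bucket
```

Run it once without APPLY to review the two generated JSON files, then rerun with APPLY=1 and credentials that are allowed to create roles.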

After you set up the IAM role for your AWS SFTP users, you can proceed to create an SFTP server.

Published: 2018-12-21