AWS Transfer Family

{'EnforceMessageSigning': 'ENABLED | DISABLED',
 'PreserveFilename': 'ENABLED | DISABLED'}

Creates an agreement. An agreement is a bilateral trading partner agreement, or partnership, between an Transfer Family server and an AS2 process. The agreement defines the file and message transfer relationship between the server and the AS2 process. To define an agreement, Transfer Family combines a server, local profile, partner profile, certificate, and other attributes.

The partner is identified with the PartnerProfileId, and the AS2 process is identified with the LocalProfileId.

See also: AWS API Documentation

Request Syntax

client.create_agreement(
    Description='string',
    ServerId='string',
    LocalProfileId='string',
    PartnerProfileId='string',
    BaseDirectory='string',
    AccessRole='string',
    Status='ACTIVE'|'INACTIVE',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    PreserveFilename='ENABLED'|'DISABLED',
    EnforceMessageSigning='ENABLED'|'DISABLED'
)

type Description:

string

param Description:

A name or short description to identify the agreement.

type ServerId:

string

param ServerId:

[REQUIRED]

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

type LocalProfileId:

string

param LocalProfileId:

[REQUIRED]

A unique identifier for the AS2 local profile.

type PartnerProfileId:

string

param PartnerProfileId:

[REQUIRED]

A unique identifier for the partner profile used in the agreement.

type BaseDirectory:

string

param BaseDirectory:

[REQUIRED]

The landing directory (folder) for files transferred by using the AS2 protocol.

A BaseDirectory example is /amzn-s3-demo-bucket/home/mydirectory.

type AccessRole:

string

param AccessRole:

[REQUIRED]

Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

For AS2 connectors

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

For SFTP connectors

Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

type Status:

string

param Status:

The status of the agreement. The agreement can be either ACTIVE or INACTIVE.

type Tags:

list

param Tags:

Key-value pairs that can be used to group and search for agreements.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

type PreserveFilename:

string

param PreserveFilename:

Determines whether or not Transfer Family appends a unique string of characters to the end of the AS2 message payload filename when saving it.

• ENABLED: the filename provided by your trading parter is preserved when the file is saved.

• DISABLED (default value): when Transfer Family saves the file, the filename is adjusted, as described in File names and locations.

type EnforceMessageSigning:

string

param EnforceMessageSigning:

Determines whether or not unsigned messages from your trading partners will be accepted.

• ENABLED: Transfer Family rejects unsigned messages from your trading partner.

• DISABLED (default value): Transfer Family accepts unsigned messages from your trading partner.

rtype:

dict

returns:

Response Syntax

{
    'AgreementId': 'string'
}

Response Structure

• (dict) --

  • AgreementId (string) --

    The unique identifier for the agreement. Use this ID for deleting, or updating an agreement, as well as in any other API calls that require that you specify the agreement ID.

{'As2Config': {'PreserveContentType': 'ENABLED | DISABLED'}}

Creates the connector, which captures the parameters for a connection for the AS2 or SFTP protocol. For AS2, the connector is required for sending files to an externally hosted AS2 server. For SFTP, the connector is required when sending files to an SFTP server or receiving files from an SFTP server. For more details about connectors, see Configure AS2 connectors and Create SFTP connectors.

See also: AWS API Documentation

Request Syntax

client.create_connector(
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE',
        'BasicAuthSecretId': 'string',
        'PreserveContentType': 'ENABLED'|'DISABLED'
    },
    AccessRole='string',
    LoggingRole='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    SftpConfig={
        'UserSecretId': 'string',
        'TrustedHostKeys': [
            'string',
        ]
    },
    SecurityPolicyName='string'
)

type Url:

string

param Url:

[REQUIRED]

The URL of the partner's AS2 or SFTP endpoint.

type As2Config:

dict

param As2Config:

A structure that contains the parameters for an AS2 connector object.

• LocalProfileId (string) --

  A unique identifier for the AS2 local profile.

• PartnerProfileId (string) --

  A unique identifier for the partner profile for the connector.

• MessageSubject (string) --

  Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

• Compression (string) --

  Specifies whether the AS2 file is compressed.

• EncryptionAlgorithm (string) --

  The algorithm that is used to encrypt the file.

  Note the following:

  • Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.

  • You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.

• SigningAlgorithm (string) --

  The algorithm that is used to sign the AS2 messages sent with the connector.

• MdnSigningAlgorithm (string) --

  The signing algorithm for the MDN response.

• MdnResponse (string) --

  Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

  • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

  • NONE: Specifies that no MDN response is required.

• BasicAuthSecretId (string) --

  Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

  The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

  If the connector should use Basic authentication, the secret needs to be in the following format:

  { "Username": "user-name", "Password": "user-password" }

  Replace user-name and user-password with the credentials for the actual user that is being authenticated.

  Note the following:

  • You are storing these credentials in Secrets Manager, not passing them directly into this API.

  • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

  If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

  update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

• PreserveContentType (string) --

  Allows you to use the Amazon S3 Content-Type that is associated with objects in S3 instead of having the content type mapped based on the file extension. This parameter is enabled by default when you create an AS2 connector from the console, but disabled by default when you create an AS2 connector by calling the API directly.

type AccessRole:

string

param AccessRole:

[REQUIRED]

Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

For AS2 connectors

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

For SFTP connectors

Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

type LoggingRole:

string

param LoggingRole:

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

type Tags:

list

param Tags:

Key-value pairs that can be used to group and search for connectors. Tags are metadata attached to connectors for any purpose.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

type SftpConfig:

dict

param SftpConfig:

A structure that contains the parameters for an SFTP connector object.

• UserSecretId (string) --

  The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.

• TrustedHostKeys (list) --

  The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

  The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element. Specify only the <key type> and <body base64>: do not enter the <comment> portion of the key.

  For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

  • For RSA keys, the <key type> string is ssh-rsa.

  • For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

  Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com.

  ssh-keyscan ftp.host.com

  This prints the public host key to standard output.

  ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key

  Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.

  • (string) --

type SecurityPolicyName:

string

param SecurityPolicyName:

Specifies the name of the security policy for the connector.

rtype:

dict

returns:

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

• (dict) --

  • ConnectorId (string) --

    The unique identifier for the connector, returned after the API call succeeds.

{'Agreement': {'EnforceMessageSigning': 'ENABLED | DISABLED',
               'PreserveFilename': 'ENABLED | DISABLED'}}

Describes the agreement that's identified by the AgreementId.

See also: AWS API Documentation

Request Syntax

client.describe_agreement(
    AgreementId='string',
    ServerId='string'
)

type AgreementId:

string

param AgreementId:

[REQUIRED]

A unique identifier for the agreement. This identifier is returned when you create an agreement.

type ServerId:

string

param ServerId:

[REQUIRED]

The server identifier that's associated with the agreement.

rtype:

dict

returns:

Response Syntax

{
    'Agreement': {
        'Arn': 'string',
        'AgreementId': 'string',
        'Description': 'string',
        'Status': 'ACTIVE'|'INACTIVE',
        'ServerId': 'string',
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'BaseDirectory': 'string',
        'AccessRole': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'PreserveFilename': 'ENABLED'|'DISABLED',
        'EnforceMessageSigning': 'ENABLED'|'DISABLED'
    }
}

Response Structure

• (dict) --

  • Agreement (dict) --

    The details for the specified agreement, returned as a DescribedAgreement object.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the agreement.

    • AgreementId (string) --

      A unique identifier for the agreement. This identifier is returned when you create an agreement.

    • Description (string) --

      The name or short description that's used to identify the agreement.

    • Status (string) --

      The current status of the agreement, either ACTIVE or INACTIVE.

    • ServerId (string) --

      A system-assigned unique identifier for a server instance. This identifier indicates the specific server that the agreement uses.

    • LocalProfileId (string) --

      A unique identifier for the AS2 local profile.

    • PartnerProfileId (string) --

      A unique identifier for the partner profile used in the agreement.

    • BaseDirectory (string) --

      The landing directory (folder) for files that are transferred by using the AS2 protocol.

    • AccessRole (string) --

      Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

      For AS2 connectors

      With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

      If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

      For SFTP connectors

      Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

    • Tags (list) --

      Key-value pairs that can be used to group and search for agreements.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

    • PreserveFilename (string) --

      Determines whether or not Transfer Family appends a unique string of characters to the end of the AS2 message payload filename when saving it.

      • ENABLED: the filename provided by your trading parter is preserved when the file is saved.

      • DISABLED (default value): when Transfer Family saves the file, the filename is adjusted, as described in File names and locations.

    • EnforceMessageSigning (string) --

      Determines whether or not unsigned messages from your trading partners will be accepted.

      • ENABLED: Transfer Family rejects unsigned messages from your trading partner.

      • DISABLED (default value): Transfer Family accepts unsigned messages from your trading partner.

{'Connector': {'As2Config': {'PreserveContentType': 'ENABLED | DISABLED'}}}

Describes the connector that's identified by the ConnectorId.

See also: AWS API Documentation

Request Syntax

client.describe_connector(
    ConnectorId='string'
)

type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

rtype:

dict

returns:

Response Syntax

{
    'Connector': {
        'Arn': 'string',
        'ConnectorId': 'string',
        'Url': 'string',
        'As2Config': {
            'LocalProfileId': 'string',
            'PartnerProfileId': 'string',
            'MessageSubject': 'string',
            'Compression': 'ZLIB'|'DISABLED',
            'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
            'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
            'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
            'MdnResponse': 'SYNC'|'NONE',
            'BasicAuthSecretId': 'string',
            'PreserveContentType': 'ENABLED'|'DISABLED'
        },
        'AccessRole': 'string',
        'LoggingRole': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'SftpConfig': {
            'UserSecretId': 'string',
            'TrustedHostKeys': [
                'string',
            ]
        },
        'ServiceManagedEgressIpAddresses': [
            'string',
        ],
        'SecurityPolicyName': 'string'
    }
}

Response Structure

• (dict) --

  • Connector (dict) --

    The structure that contains the details of the connector.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the connector.

    • ConnectorId (string) --

      The unique identifier for the connector.

    • Url (string) --

      The URL of the partner's AS2 or SFTP endpoint.

    • As2Config (dict) --

      A structure that contains the parameters for an AS2 connector object.

      • LocalProfileId (string) --

        A unique identifier for the AS2 local profile.

      • PartnerProfileId (string) --

        A unique identifier for the partner profile for the connector.

      • MessageSubject (string) --

        Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

      • Compression (string) --

        Specifies whether the AS2 file is compressed.

      • EncryptionAlgorithm (string) --

        The algorithm that is used to encrypt the file.

        Note the following:

        • Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.

        • You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.

      • SigningAlgorithm (string) --

        The algorithm that is used to sign the AS2 messages sent with the connector.

      • MdnSigningAlgorithm (string) --

        The signing algorithm for the MDN response.

      • MdnResponse (string) --

        Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

        • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

        • NONE: Specifies that no MDN response is required.

      • BasicAuthSecretId (string) --

        Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

        The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

        If the connector should use Basic authentication, the secret needs to be in the following format:

        { "Username": "user-name", "Password": "user-password" }

        Replace user-name and user-password with the credentials for the actual user that is being authenticated.

        Note the following:

        • You are storing these credentials in Secrets Manager, not passing them directly into this API.

        • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

        If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

        update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

      • PreserveContentType (string) --

        Allows you to use the Amazon S3 Content-Type that is associated with objects in S3 instead of having the content type mapped based on the file extension. This parameter is enabled by default when you create an AS2 connector from the console, but disabled by default when you create an AS2 connector by calling the API directly.

    • AccessRole (string) --

      Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

      For AS2 connectors

      With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

      If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

      For SFTP connectors

      Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

    • LoggingRole (string) --

      The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

    • Tags (list) --

      Key-value pairs that can be used to group and search for connectors.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

    • SftpConfig (dict) --

      A structure that contains the parameters for an SFTP connector object.

      • UserSecretId (string) --

        The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.

      • TrustedHostKeys (list) --

        The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

        The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element. Specify only the <key type> and <body base64>: do not enter the <comment> portion of the key.

        For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

        • For RSA keys, the <key type> string is ssh-rsa.

        • For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

        Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com.

        ssh-keyscan ftp.host.com

        This prints the public host key to standard output.

        ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key

        Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.

        • (string) --

    • ServiceManagedEgressIpAddresses (list) --

      The list of egress IP addresses of this connector. These IP addresses are assigned automatically when you create the connector.

      • (string) --

    • SecurityPolicyName (string) --

      The text name of the security policy for the specified connector.

{'EnforceMessageSigning': 'ENABLED | DISABLED',
 'PreserveFilename': 'ENABLED | DISABLED'}

Updates some of the parameters for an existing agreement. Provide the AgreementId and the ServerId for the agreement that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_agreement(
    AgreementId='string',
    ServerId='string',
    Description='string',
    Status='ACTIVE'|'INACTIVE',
    LocalProfileId='string',
    PartnerProfileId='string',
    BaseDirectory='string',
    AccessRole='string',
    PreserveFilename='ENABLED'|'DISABLED',
    EnforceMessageSigning='ENABLED'|'DISABLED'
)

type AgreementId:

string

param AgreementId:

[REQUIRED]

A unique identifier for the agreement. This identifier is returned when you create an agreement.

type ServerId:

string

param ServerId:

[REQUIRED]

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

type Description:

string

param Description:

To replace the existing description, provide a short description for the agreement.

type Status:

string

param Status:

You can update the status for the agreement, either activating an inactive agreement or the reverse.

type LocalProfileId:

string

param LocalProfileId:

A unique identifier for the AS2 local profile.

To change the local profile identifier, provide a new value here.

type PartnerProfileId:

string

param PartnerProfileId:

A unique identifier for the partner profile. To change the partner profile identifier, provide a new value here.

type BaseDirectory:

string

param BaseDirectory:

To change the landing directory (folder) for files that are transferred, provide the bucket folder that you want to use; for example, ``/amzn-s3-demo-bucket/home/mydirectory ``.

type AccessRole:

string

param AccessRole:

Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

For AS2 connectors

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

For SFTP connectors

Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

type PreserveFilename:

string

param PreserveFilename:

Determines whether or not Transfer Family appends a unique string of characters to the end of the AS2 message payload filename when saving it.

• ENABLED: the filename provided by your trading parter is preserved when the file is saved.

• DISABLED (default value): when Transfer Family saves the file, the filename is adjusted, as described in File names and locations.

type EnforceMessageSigning:

string

param EnforceMessageSigning:

Determines whether or not unsigned messages from your trading partners will be accepted.

• ENABLED: Transfer Family rejects unsigned messages from your trading partner.

• DISABLED (default value): Transfer Family accepts unsigned messages from your trading partner.

rtype:

dict

returns:

Response Syntax

{
    'AgreementId': 'string'
}

Response Structure

• (dict) --

  • AgreementId (string) --

    A unique identifier for the agreement. This identifier is returned when you create an agreement.

{'As2Config': {'PreserveContentType': 'ENABLED | DISABLED'}}

Updates some of the parameters for an existing connector. Provide the ConnectorId for the connector that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_connector(
    ConnectorId='string',
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE',
        'BasicAuthSecretId': 'string',
        'PreserveContentType': 'ENABLED'|'DISABLED'
    },
    AccessRole='string',
    LoggingRole='string',
    SftpConfig={
        'UserSecretId': 'string',
        'TrustedHostKeys': [
            'string',
        ]
    },
    SecurityPolicyName='string'
)

type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

type Url:

string

param Url:

The URL of the partner's AS2 or SFTP endpoint.

type As2Config:

dict

param As2Config:

A structure that contains the parameters for an AS2 connector object.

• LocalProfileId (string) --

  A unique identifier for the AS2 local profile.

• PartnerProfileId (string) --

  A unique identifier for the partner profile for the connector.

• MessageSubject (string) --

  Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

• Compression (string) --

  Specifies whether the AS2 file is compressed.

• EncryptionAlgorithm (string) --

  The algorithm that is used to encrypt the file.

  Note the following:

  • Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.

  • You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.

• SigningAlgorithm (string) --

  The algorithm that is used to sign the AS2 messages sent with the connector.

• MdnSigningAlgorithm (string) --

  The signing algorithm for the MDN response.

• MdnResponse (string) --

  Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

  • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

  • NONE: Specifies that no MDN response is required.

• BasicAuthSecretId (string) --

  Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

  The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

  If the connector should use Basic authentication, the secret needs to be in the following format:

  { "Username": "user-name", "Password": "user-password" }

  Replace user-name and user-password with the credentials for the actual user that is being authenticated.

  Note the following:

  • You are storing these credentials in Secrets Manager, not passing them directly into this API.

  • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

  If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

  update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

• PreserveContentType (string) --

  Allows you to use the Amazon S3 Content-Type that is associated with objects in S3 instead of having the content type mapped based on the file extension. This parameter is enabled by default when you create an AS2 connector from the console, but disabled by default when you create an AS2 connector by calling the API directly.

type AccessRole:

string

param AccessRole:

Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.

For AS2 connectors

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

For SFTP connectors

Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.

type LoggingRole:

string

param LoggingRole:

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

type SftpConfig:

dict

param SftpConfig:

A structure that contains the parameters for an SFTP connector object.

• UserSecretId (string) --

  The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.

• TrustedHostKeys (list) --

  The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

  The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element. Specify only the <key type> and <body base64>: do not enter the <comment> portion of the key.

  For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

  • For RSA keys, the <key type> string is ssh-rsa.

  • For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

  Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com.

  ssh-keyscan ftp.host.com

  This prints the public host key to standard output.

  ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key

  Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.

  • (string) --

type SecurityPolicyName:

string

param SecurityPolicyName:

Specifies the name of the security policy for the connector.

rtype:

dict

returns:

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

• (dict) --

  • ConnectorId (string) --

    Returns the identifier of the connector object that you are updating.