AWS Transfer Family

2023/07/25 - AWS Transfer Family - 1 new4 updated api methods

Changes  This release adds support for SFTP Connectors.

TestConnection (new) Link ¶

Tests whether your SFTP connector is set up successfully. We highly recommend that you call this operation to test your ability to transfer files between a Transfer Family server and a trading partner's SFTP server.

See also: AWS API Documentation

Request Syntax

client.test_connection(
    ConnectorId='string'
)
type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

rtype:

dict

returns:

Response Syntax

{
    'ConnectorId': 'string',
    'Status': 'string',
    'StatusMessage': 'string'
}

Response Structure

  • (dict) --

    • ConnectorId (string) --

      Returns the identifier of the connector object that you are testing.

    • Status (string) --

      Returns OK for successful test, or ERROR if the test fails.

    • StatusMessage (string) --

      Returns Connection succeeded if the test is successful. Or, returns a descriptive error message if the test fails. The following list provides the details for some error messages and troubleshooting steps for each.

      • Unable to access secrets manager: Verify that your secret name aligns with the one in Transfer Role permissions.

      • Unknown Host/Connection failed: Verify the server URL in the connector configuration , and verify that the login credentials work successfully outside of the connector.

      • Private key not found: Verify that the secret exists and is formatted correctly.

      • Invalid trusted host keys: Verify that the trusted host key in the connector configuration matches the ssh-keyscan output.

CreateConnector (updated) Link ¶
Changes (request)
{'SftpConfig': {'TrustedHostKeys': ['string'], 'UserSecretId': 'string'}}

Creates the connector, which captures the parameters for an outbound connection for the AS2 or SFTP protocol. The connector is required for sending files to an externally hosted AS2 or SFTP server. For more details about AS2 connectors, see Create AS2 connectors.

See also: AWS API Documentation

Request Syntax

client.create_connector(
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'NONE',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE',
        'BasicAuthSecretId': 'string'
    },
    AccessRole='string',
    LoggingRole='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    SftpConfig={
        'UserSecretId': 'string',
        'TrustedHostKeys': [
            'string',
        ]
    }
)
type Url:

string

param Url:

[REQUIRED]

The URL of the partner's AS2 or SFTP endpoint.

type As2Config:

dict

param As2Config:

A structure that contains the parameters for an AS2 connector object.

  • LocalProfileId (string) --

    A unique identifier for the AS2 local profile.

  • PartnerProfileId (string) --

    A unique identifier for the partner profile for the connector.

  • MessageSubject (string) --

    Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

  • Compression (string) --

    Specifies whether the AS2 file is compressed.

  • EncryptionAlgorithm (string) --

    The algorithm that is used to encrypt the file.

  • SigningAlgorithm (string) --

    The algorithm that is used to sign the AS2 messages sent with the connector.

  • MdnSigningAlgorithm (string) --

    The signing algorithm for the MDN response.

  • MdnResponse (string) --

    Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

    • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

    • NONE: Specifies that no MDN response is required.

  • BasicAuthSecretId (string) --

    Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

    The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

    If the connector should use Basic authentication, the secret needs to be in the following format:

    { "Username": "user-name", "Password": "user-password" }

    Replace user-name and user-password with the credentials for the actual user that is being authenticated.

    Note the following:

    • You are storing these credentials in Secrets Manager, not passing them directly into this API.

    • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

    If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

    update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

type AccessRole:

string

param AccessRole:

[REQUIRED]

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

type LoggingRole:

string

param LoggingRole:

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

type Tags:

list

param Tags:

Key-value pairs that can be used to group and search for connectors. Tags are metadata attached to connectors for any purpose.

  • (dict) --

    Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

    • Key (string) -- [REQUIRED]

      The name assigned to the tag that you create.

    • Value (string) -- [REQUIRED]

      Contains one or more values that you assigned to the key name you create.

type SftpConfig:

dict

param SftpConfig:

A structure that contains the parameters for an SFTP connector object.

  • UserSecretId (string) --

    The identifiers for the secrets (in Amazon Web Services Secrets Manager) that contain the SFTP user's private keys or passwords.

  • TrustedHostKeys (list) --

    The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

    The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element.

    For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

    • For RSA keys, the key type is ssh-rsa.

    • For ECDSA keys, the key type is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

  • (dict) --

    • ConnectorId (string) --

      The unique identifier for the connector, returned after the API call succeeds.

DescribeConnector (updated) Link ¶
Changes (response)
{'Connector': {'SftpConfig': {'TrustedHostKeys': ['string'],
                              'UserSecretId': 'string'}}}

Describes the connector that's identified by the ConnectorId.

See also: AWS API Documentation

Request Syntax

client.describe_connector(
    ConnectorId='string'
)
type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

rtype:

dict

returns:

Response Syntax

{
    'Connector': {
        'Arn': 'string',
        'ConnectorId': 'string',
        'Url': 'string',
        'As2Config': {
            'LocalProfileId': 'string',
            'PartnerProfileId': 'string',
            'MessageSubject': 'string',
            'Compression': 'ZLIB'|'DISABLED',
            'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'NONE',
            'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
            'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
            'MdnResponse': 'SYNC'|'NONE',
            'BasicAuthSecretId': 'string'
        },
        'AccessRole': 'string',
        'LoggingRole': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'SftpConfig': {
            'UserSecretId': 'string',
            'TrustedHostKeys': [
                'string',
            ]
        }
    }
}

Response Structure

  • (dict) --

    • Connector (dict) --

      The structure that contains the details of the connector.

      • Arn (string) --

        The unique Amazon Resource Name (ARN) for the connector.

      • ConnectorId (string) --

        The unique identifier for the connector.

      • Url (string) --

        The URL of the partner's AS2 or SFTP endpoint.

      • As2Config (dict) --

        A structure that contains the parameters for an AS2 connector object.

        • LocalProfileId (string) --

          A unique identifier for the AS2 local profile.

        • PartnerProfileId (string) --

          A unique identifier for the partner profile for the connector.

        • MessageSubject (string) --

          Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

        • Compression (string) --

          Specifies whether the AS2 file is compressed.

        • EncryptionAlgorithm (string) --

          The algorithm that is used to encrypt the file.

        • SigningAlgorithm (string) --

          The algorithm that is used to sign the AS2 messages sent with the connector.

        • MdnSigningAlgorithm (string) --

          The signing algorithm for the MDN response.

        • MdnResponse (string) --

          Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

          • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

          • NONE: Specifies that no MDN response is required.

        • BasicAuthSecretId (string) --

          Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

          The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

          If the connector should use Basic authentication, the secret needs to be in the following format:

          { "Username": "user-name", "Password": "user-password" }

          Replace user-name and user-password with the credentials for the actual user that is being authenticated.

          Note the following:

          • You are storing these credentials in Secrets Manager, not passing them directly into this API.

          • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

          If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

          update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

      • AccessRole (string) --

        With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

        If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

      • LoggingRole (string) --

        The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

      • Tags (list) --

        Key-value pairs that can be used to group and search for connectors.

        • (dict) --

          Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

          • Key (string) --

            The name assigned to the tag that you create.

          • Value (string) --

            Contains one or more values that you assigned to the key name you create.

      • SftpConfig (dict) --

        A structure that contains the parameters for an SFTP connector object.

        • UserSecretId (string) --

          The identifiers for the secrets (in Amazon Web Services Secrets Manager) that contain the SFTP user's private keys or passwords.

        • TrustedHostKeys (list) --

          The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

          The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element.

          For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

          • For RSA keys, the key type is ssh-rsa.

          • For ECDSA keys, the key type is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

          • (string) --

StartFileTransfer (updated) Link ¶
Changes (request)
{'LocalDirectoryPath': 'string',
 'RemoteDirectoryPath': 'string',
 'RetrieveFilePaths': ['string']}

Begins a file transfer between local Amazon Web Services storage and a remote AS2 or SFTP server.

  • For an AS2 connector, you specify the ConnectorId and one or more SendFilePaths to identify the files you want to transfer.

  • For an SFTP connector, the file transfer can be either outbound or inbound. In both cases, you specify the ConnectorId. Depending on the direction of the transfer, you also specify the following items:

    • If you are transferring file from a partner's SFTP server to a Transfer Family server, you specify one or more RetreiveFilePaths to identify the files you want to transfer, and a LocalDirectoryPath to specify the destination folder.

    • If you are transferring file to a partner's SFTP server from Amazon Web Services storage, you specify one or more SendFilePaths to identify the files you want to transfer, and a RemoteDirectoryPath to specify the destination folder.

See also: AWS API Documentation

Request Syntax

client.start_file_transfer(
    ConnectorId='string',
    SendFilePaths=[
        'string',
    ],
    RetrieveFilePaths=[
        'string',
    ],
    LocalDirectoryPath='string',
    RemoteDirectoryPath='string'
)
type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

type SendFilePaths:

list

param SendFilePaths:

One or more source paths for the Transfer Family server. Each string represents a source file path for one outbound file transfer. For example, ``DOC-EXAMPLE-BUCKET/myfile.txt ``.

  • (string) --

type RetrieveFilePaths:

list

param RetrieveFilePaths:

One or more source paths for the partner's SFTP server. Each string represents a source file path for one inbound file transfer.

  • (string) --

type LocalDirectoryPath:

string

param LocalDirectoryPath:

For an inbound transfer, the LocaDirectoryPath specifies the destination for one or more files that are transferred from the partner's SFTP server.

type RemoteDirectoryPath:

string

param RemoteDirectoryPath:

For an outbound transfer, the RemoteDirectoryPath specifies the destination for one or more files that are transferred to the partner's SFTP server. If you don't specify a RemoteDirectoryPath, the destination for transferred files is the SFTP user's home directory.

rtype:

dict

returns:

Response Syntax

{
    'TransferId': 'string'
}

Response Structure

  • (dict) --

    • TransferId (string) --

      Returns the unique identifier for the file transfer.

UpdateConnector (updated) Link ¶
Changes (request)
{'SftpConfig': {'TrustedHostKeys': ['string'], 'UserSecretId': 'string'}}

Updates some of the parameters for an existing connector. Provide the ConnectorId for the connector that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_connector(
    ConnectorId='string',
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'NONE',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE',
        'BasicAuthSecretId': 'string'
    },
    AccessRole='string',
    LoggingRole='string',
    SftpConfig={
        'UserSecretId': 'string',
        'TrustedHostKeys': [
            'string',
        ]
    }
)
type ConnectorId:

string

param ConnectorId:

[REQUIRED]

The unique identifier for the connector.

type Url:

string

param Url:

The URL of the partner's AS2 or SFTP endpoint.

type As2Config:

dict

param As2Config:

A structure that contains the parameters for an AS2 connector object.

  • LocalProfileId (string) --

    A unique identifier for the AS2 local profile.

  • PartnerProfileId (string) --

    A unique identifier for the partner profile for the connector.

  • MessageSubject (string) --

    Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.

  • Compression (string) --

    Specifies whether the AS2 file is compressed.

  • EncryptionAlgorithm (string) --

    The algorithm that is used to encrypt the file.

  • SigningAlgorithm (string) --

    The algorithm that is used to sign the AS2 messages sent with the connector.

  • MdnSigningAlgorithm (string) --

    The signing algorithm for the MDN response.

  • MdnResponse (string) --

    Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

    • SYNC: The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

    • NONE: Specifies that no MDN response is required.

  • BasicAuthSecretId (string) --

    Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.

    The default value for this parameter is null, which indicates that Basic authentication is not enabled for the connector.

    If the connector should use Basic authentication, the secret needs to be in the following format:

    { "Username": "user-name", "Password": "user-password" }

    Replace user-name and user-password with the credentials for the actual user that is being authenticated.

    Note the following:

    • You are storing these credentials in Secrets Manager, not passing them directly into this API.

    • If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.

    If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:

    update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'

type AccessRole:

string

param AccessRole:

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths. We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt, parent directory is /bucket/dir/) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.

type LoggingRole:

string

param LoggingRole:

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

type SftpConfig:

dict

param SftpConfig:

A structure that contains the parameters for an SFTP connector object.

  • UserSecretId (string) --

    The identifiers for the secrets (in Amazon Web Services Secrets Manager) that contain the SFTP user's private keys or passwords.

  • TrustedHostKeys (list) --

    The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.

    The three standard SSH public key format elements are <key type>, <body base64>, and an optional <comment>, with spaces between each element.

    For the trusted host key, Transfer Family accepts RSA and ECDSA keys.

    • For RSA keys, the key type is ssh-rsa.

    • For ECDSA keys, the key type is either ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521, depending on the size of the key you generated.

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

  • (dict) --

    • ConnectorId (string) --

      Returns the identifier of the connector object that you are updating.