I need to use IoT Core MQTT, but it needs an IoT policy attached to the identity in order to access MQTT.
From the AWS doc, it can be done by calling the AttachPolicy API. But I am struggling to use it successfully (see my other post). So I am trying an alternative solution: assign the user a specific identity and attach the IoT policy through the AWS CLI manually.
I know that the identity will be created when GetId is called. But in my app I am using Amplify.Auth to sign up or sign in. I looked through the doc and it doesn't seem to mention when GetId is called.
Is it possible to assign a specific identity to a user when he/she signs up or signs in?
I am not 100% confident what you are looking for, but I have set this up before. Can it give you a hint?
I am building a multi-tenancy SaaS with AWS (Cognito, API Gateway, Amplify). I am planning to create API keys/secrets for my tenants and trying to figure out the whole process. However, I could not find a clear document from AWS.
So I use custom-attribute-based multi-tenancy with Cognito. Two questions here:
What is the best practice to manage API keys/secrets for each tenant? It seems I have to create the key pairs and store them in the database all by myself. I am wondering if there are some services that could help.
What is the best practice to verify the keys/secrets? For now, I guess I have to implement the customized authorizer myself to verify the keys.
For the first query, you can simply store API keys/secrets in AWS SSM (Systems Manager) Parameter Store as secret text, and whenever the value is required simply call the SSM Parameter Store API to get that value at runtime.
https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html
Now for the second point, I believe you are not required to explicitly write logic to verify any API keys/secrets, as if a user uses an incorrect key they will get an invalid key/secret or unauthorized exception directly from API Gateway and Cognito service calls.
Is it possible to create a Google API key programmatically?
I did see the above question but I wanted to verify its functionality for my use case. I have a REST API deployed to Google App Engine that I want to introduce some API key mechanism for external users. I'm not making a website where I would just be trying to make sure it's only my code talking to my code from front-end to back-end; it's a public API that anyone with valid credentials is able to access.
Google Cloud Endpoints will only authenticate api keys generated through GCP, so my thinking goes that if it's possible to create a service account and associated ServiceAccountKey via http request, then it could be plausible to generate api keys (service account keys) for any prospective user by generating a service account per user and then giving them the relevant private key that will allow them to authenticate through Cloud Endpoints (jwt signing?).
It sounds like a good plan to me but in all likelihood I'm missing something that makes this a terrible idea. Thoughts? Has this been done before/proven?
TL;DR: Wrong way
First, an API key on GCP can only authenticate a GCP project, not a user or service account.
Then, a service account key file is not an API key. It's a secret identity that you can use for generating an OAuth2 JWT token (identity token) according to the OAuth2 flow. This identity token can be provided for authentication (and it's valid for only 1 hour).
In addition, you are limited to 100 service accounts per project, and the purpose of a service account is to authenticate an app, not a user. If you want to authenticate users, I recommend you have a look at Cloud Identity Platform.
Finally, API key generation has evolved very recently (about 1 month ago) and ... I would like to find the doc again, but it's a dead link. Maybe the beta is not ready yet.
Note: Maybe the answer that I gave here (just now) can help you?
I'm looking into how to implement AWS Transfer for SFTP with a Custom Identity Provider.
https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html
From what I can understand it looks like if you are going to use a custom identity provider you must authenticate using a username and password.
i.e. a custom identity provider cannot be used in conjunction with SFTP keys.
Is that right?
I hope this is not a silly question. Thanks in advance
Basically, when you use a Custom Identity Provider and once you're authenticated, you'll be allowed to assume the role and access the home directory; however, you can use Lambda integration with API Gateway and send the SSH public key in the Lambda-generated response.
I have set up a cognito user pool and have attached this to an identity pool. I wanted to allow only valid users from my user pool to execute my aws api. I have been reading about authorizing my api but there seems to be a number of ways to do this as follows:
Using an IAM role that I can attach to my authorized identity role
Using a custom authorizer in the aws api gateway
Based on what I want to do above, is there a recommended way to implement the api authorization?
Thanks in advance.
If the API you are calling uses the user data, I would go with 2. If not, 1 would work as well. However, why do you want to integrate with an identity pool unless you are supporting federation with Google, Facebook etc.?
http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Need to register an endpoint with Amazon SNS when a user agrees to accept Push Notifications. Have the registration id I need to send to SNS. When I enter it manually I can send push notifications to my device.
Just need to register the endpoint with SNS using the Amazon API using a Post or Get request automatically when the user agrees to accept push notifications. Right now I'm getting SignatureDoesNotMatch trying to call CreatePlatformEndpoint.
http://docs.aws.amazon.com/sns/latest/api/API_CreatePlatformEndpoint.html
I have my
Application ARN
Access Key Id
Secret Access Key
But I'm not sure what values need to be passed in. Nothing seems to work and I haven't found good examples of what values the API is looking for when I call CreatePlatformEndpoint
It also appears I may need to call this first, but this has even more values I'm not sure of.
http://docs.aws.amazon.com/sns/latest/api/API_CreatePlatformApplication.html
Seems like it should be fairly simple to make a request to add an Endpoint to my app. If anyone could help define what data goes where in this request that would be great.
Thanks
Permissions for the JavaScript SDK are tricky as it's obviously client side, which makes your application potentially very susceptible. There's a good overview of JS credential management here. Hardcoding is not advised and if used should only be of a user with read-only credentials. Obviously for this application you need SNS modification permissions, so I'd say go down the federation route.
The access key ID can be thought of like a username, and the secret access key is like the password. You need both for an authenticated handler to an AWS resource. The ARN is the thing you want access to and in this case I'm guessing this is the PlatformApplication?
It sounds like your error is because your request isn't being authenticated with the appropriate credentials. Are you also aware if those credentials provide access to the SNS service to make changes?
CreatePlatformApplication will return an ARN to use when creating the Endpoint. The endpoint parameters appear to be looking for that, the token to identify the app on the device, your user data and any other attributes you want to set.