I'd like to ask if any of u guys knows if my Canonical Request to calculate the AWS Signature V4 is really correct. I made a canonical request to the Secrets Manager service in AWS to retrieve the key vault credentials.
`POST
/GetSecretValue
content-type:application/x-amz-json-1.1
host:secretsmanager.sa-east-1.amazonaws.com
x-amz-content-sha256:032a33e004a673c7bd8 01e6d81c6e470fc18432ed60bd0bb484c5d39573581b4
x-amz-date:%vDt_DateTime_CMT%
x-amz-target:secretsmanager.getsecretvalue
accept-encoding;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target
032a33e004a673c7bd801e6d81c6e470fc18432ed60bd0bb484c5d39573581b4`
Related
I know close to nothing about AWS. But I want to use AWS SDK in my Springboot project to send email via SES. I am to send the emails as a delegate user, and all I have is the Identity user's ARN. I tried the code available on the AWS website and set X-SES-SOURCE-ARN header as the identity user's ARN, and I am getting Unable to load AWS credentials from any provider in the chain error. Do I need to add any sort of ACCESS-KEY-ID and SECRET-KEY?
You might be confusing IAM identity with email/domain identities.
IAM handles authorization for the API call (AWS sigv4).
SES identities are internal to the service and just represent an authorized sending email address or domain (one that has performed verification steps).
To make a successful call you need to have both of those:
An IAM principal with authorization for ses:SendEmail in the account.
A verified email or domain identity in the account that is passed as the source ARN in your API call.
If you are using sending authorization policies then things require a little more setup but is essentially the same.
You can add the accessKey and secretKey on a file named AwsCredentials.properties. Next, when you configure the AWS SES Client, you load that file, as in the following example with Cognito.
public AWSCognitoIdentityProvider getAmazonCognitoIdentityClient() {
ClasspathPropertiesFileCredentialsProvider propertiesFileCredentialsProvider = new ClasspathPropertiesFileCredentialsProvider();
return AWSCognitoIdentityProviderClientBuilder.standard().withCredentials(propertiesFileCredentialsProvider)
.withRegion(props.getRegion()).build();
}
I need to get elements from AWS dynamoDB and thrid party https service and merge those results in AWS appSyn and send back the result as graphQL response
Third party service which I am using, expects client side certificate. I am not finding proper AWS documents on how to pass agent using AWS appSync resolver.
I am also not finding documents to store certificate as secret in AWS secret manager.
Is there anyone faced similar problem? Or do you guys have any solution to it?
It depends on the size of your certificate - Secrets for AWS Secrets Manager have various limits such as length in bytes (7168 bytes) or characters (4096) see more here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
But otherwise you should be able to store your certificate using AWS Secrets Manager.
See number item 3 in the following link: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
Using HTTP Resolvers (or even Lambda Resolvers) you will be able to make http calls to AWS Secrets Manager to obtain the secret.
See links:
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-http-resolvers.html
Adding to Ashwin's answer, According to documentation, HTTP resolver supports only public endpoint at this point and does not seem to have ability to pass a certificate for app to app call
I'm looking into how to implement AWS Transfer for SFTP with a Custom Identity Provider.
https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html
From what I can understand it looks like if you are going to use a custom identity provider you must authenticate using a username and password.
i.e. Custom identity provider can not be used in conjunction with SFTP keys.
Is that right?
I hope this is not a silly question. Thanks in advance
Basically when you use Custom Identity Provider and once you're authenticated, you'll allowed to assume the role and access the home directory, however you can use Lambda integration with API gateway and send the SSH public key in the Lambda generated response.
Is there any AWS ElasticSearch Client SDK for Java, which signs the requests with AWS credentials? I saw this, but I guess its for managing AWS Elasticsearch Service.
You can create AWS client for Elasticsearch in the following way:
AwsClientBuilder.withCredentials(AWSCredentialsProvider) for example: AWSElasticsearchClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials)).build();
How I do this is by first creating AWSBasicSessionCredential instance by providing awsAccessKey, awsSecretKey, and sessionToken information and then passing this instance in the above code to build the client instance. However, I do this for test programming the clients. Its not advised to create a client this way though. For example, one secure way would be using federated identification to generate a temporary security token and then use that to assume a role through AWS' AssumeRoleRequest, receive its response in the form of AssumeRoleResult and then retrieve credential information from the assumeRoleResult response received above. Use this credential information in generating AWSCredential.
Source of generating AWS Elasticsearch client.
I have an iOS app that is authenticating using Facebook & Cognito. I am able to make calls to a local ReST service with the following AWS credentials from my iOS app extracted from Cognito:
accessToken: {a_token}
secretToken: {a_token}
sessionToken: {a_token}
I want to get the current Cognito identity from the AWS credentials so I can use that as a key in my DynamoDB table and handle authorization (I don't want to use IAM roles for this). I know I can directly invoke DynamoDB from the iOS app but I do not want my app directly calling my data storage (in case I want to change data storage, add caching, etc...). Is it possible to get the current Cognito identity from the current AWS credentials?
I do not want to pass the identity id with the request, as is defeats the purpose of passing the tokens.
I do not want to use AWS API Gateway either.
From your credentialsProvider you can call getIdentityId() and in continueWithBlock' you can accesscredentialsProvider.identityId`
I am sorry but there is no way to get an identity id from AWS credentials.
Is there a reason you do not want to call Amazon DynamoDB from the device directly using credentials vended by Cognito Identity? Using IAM roles you can restrict the usage for an identity to be able to write to only their records and this is the approach we recommend currently.
You can refer to our blog about fine grain access with DynamoDB using Cognito.