I have a service (web client) in AWS which needs to trigger a cloud function in GCP. I want to keep this secure, so I cannot allow all users to invoke the mentioned cloud function, but I want to allow my service in AWS to invoke it.
I have searched the internet and I have seen the following links: link1, link2, but I am unable to find a solution.
All the mentioned solutions talk about generating the required idToken manually, but since it is a service I don't have the option to generate the idToken manually. I tried to use service accounts with the keys.json file option, but it throws the following error:
request https://us-central1-multi-service-app-js.cloudfunctions.net/helloHttp with target audience https://us-central1-multi-service-app-js.cloudfunctions.net/helloHttp
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/helloHttp</code>.</h2>
<h2></h2>
</body></html>
As you are asking for general advice, I would suggest having a look at GCP Workload Identity Federation. Here are some links:
GCP - Workload identity federation Overview
GCP - Configuring workload identity federation
GCP - Specific configuration description
Medium - Keyless API authentication- Launching GCP workloads from AWS
YouTube - AWS to GCP sans service account keys!! - Workload Identity Federation
YouTube - GCP - Workload Identity Federation - Access GCS Bucket From AWS Lambda Function
One may find plenty of other Workload Identity Federation sources of information which are not necessarily AWS related.
I'm hosting the backend for an internal admin tool on Cloud Run. Since only admins of the GCP project should be able to access this tool, I followed the instructions here to enable IAP for Cloud Run by setting up a load balancer with a static external IP (and custom domain), restricting ingress to "Internal and Cloud Load Balancing", and allowing public unauthenticated access for the Cloud Run service since IAP is handling the authentication and authorization.
Now I'm trying to set up some cron jobs on Cloud Scheduler, for which I've provided an endpoint corresponding to my custom domain (say https://customdomain.com/endpoint), along with a service account email that allows OIDC tokens to be generated. The audience for the OIDC token is set automatically to the same custom domain URL. However, as reported on this thread, there seems to be a bug with Cloud Scheduler that only allows run.app audiences - anything else (including custom domains) results in a 401 UNAUTHENTICATED. This happens even if I set my target URL to https://customdomain.com/endpoint but my audience to https://cloud-run-service.a.run.app/endpoint. Of course, I can't change my target URL to https://cloud-run-service.a.run.app/endpoint since it doesn't allow direct traffic not coming through the load balancer.
Has anyone been in this situation or know of any workarounds? Thanks!
I understand your issue is:
In Cloud Scheduler, the OIDC token that is sent to the Cloud Run service only works if the audience is the Cloud Run-provided URL, not the custom domain URL.
Doesn't work: URL: https://service-url.customdomain.com | Audience: https://service-url.customdomain.com
Works: URL: https://service-url.customdomain.com | Audience: https://example-abcdefg.a.run.app
Works: URL: https://example-abcdefg.a.run.app | Audience: https://example-abcdefg.a.run.app
Google is aware of the issue and is working on allowing them to specify custom audiences for Cloud Run services, which will solve your problem.
Right now, as per the latest update in May 2022, we're about to ship custom audiences for Cloud Run. Please fill out this form if you are interested in being an early tester for "custom audiences for Cloud Run."
Currently, to authenticate the caller via Cloud IAM, you must pass in JWT token with the audience field set to the full URL of the service, such as https://example-abcdefg.a.run.app.
With this capability, you can specify a custom domain as the audience field in the OAuth token instead of the original service URL, or enable a service deployed in multiple regions to accept a common audience field.
Issue tracker reference: https://issuetracker.google.com/182490050
I believe you can still set the target URL (while configuring Cloud Scheduler) to the run.app/endpoint of your Cloud Run service by making use of service accounts.
First, create a service account for Cloud Scheduler.
Then give this service account permission to invoke your Cloud Run service.
See Google's documentation here
After hours of painful debugging, here's the solution for anyone with the same issue. While it's still true that custom domains mapped to the Cloud Run service don't work as the OIDC audience, neither does the Cloud Run-provided run.app URL when using IAP in front of a load balancer. It turns out the expected audience in such cases is the IAP Client ID. You can find this under Credentials -> APIs and Services -> OAuth 2.0 Client IDs -> <IAP service name>. Just manually set the OIDC audience to this exact string and things should start working!
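The three threads above (the AWS service calling a Cloud Function with a target audience, the Cloud Scheduler rows that do and don't work, and the IAP Client ID as the expected audience) all come down to one check on the receiving side: the `aud` claim of the OIDC ID token must exactly equal the audience the receiver is configured for, or the request is refused with 401 even though the token is genuine and unexpired. The following Python is an added example, not code from any of the posts or from Google's libraries. It mints a constructed HMAC-signed JWT (real Google ID tokens are RS256-signed and verified against Google's JWKS; the HMAC is a stand-in so the example runs offline) and then runs the receiver-side checks in the order a gateway applies them: signature, expiry, audience. The run.app and custom-domain URLs are the ones quoted in the answer; the IAP client ID is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed HMAC key standing in for the issuer's signing key. Real Google
# OIDC tokens are RS256-signed and checked against Google's public JWKS; the
# audience logic below is the same either way.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(audience: str, key: bytes = DEMO_KEY, lifetime: int = 3600,
               now: Optional[int] = None) -> str:
    """Mint a constructed OIDC-style ID token whose `aud` claim is `audience`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://accounts.google.com",
        "sub": "constructed-service-account-id",
        "email": "scheduler@example-project.iam.gserviceaccount.com",  # constructed
        "aud": audience,
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_audience: str, key: bytes = DEMO_KEY,
                    now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) in the order a receiver applies the checks:
    signature, then expiry, then audience. A genuine, unexpired token with the
    wrong `aud` is still rejected, which is the 401 seen in the threads above."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(key, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # `aud` may be a string or a list; accept only an exact match.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience mismatch: token aud={aud!r}, expected {expected_audience!r}"
    return True, "ok"


RUN_APP_URL = "https://example-abcdefg.a.run.app"       # quoted in the answer above
CUSTOM_DOMAIN = "https://service-url.customdomain.com"  # quoted in the answer above
IAP_CLIENT_ID = "000000000000-constructed.apps.googleusercontent.com"  # constructed placeholder


def scheduler_matrix(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Reproduce the rows from the answer plus the IAP case: which
    (audience in token, audience expected by the receiver) pairs are accepted."""
    cases = {
        "custom-domain aud -> Cloud Run expects run.app": (CUSTOM_DOMAIN, RUN_APP_URL),
        "run.app aud -> Cloud Run expects run.app": (RUN_APP_URL, RUN_APP_URL),
        "run.app aud -> IAP expects client ID": (RUN_APP_URL, IAP_CLIENT_ID),
        "IAP client ID aud -> IAP expects client ID": (IAP_CLIENT_ID, IAP_CLIENT_ID),
    }
    return {name: verify_id_token(mint_token(aud, now=now), expected, now=now)[0]
            for name, (aud, expected) in cases.items()}


if __name__ == "__main__":
    for name, ok in scheduler_matrix().items():
        print(("accept" if ok else "401   ") + "  " + name)
```

The practical consequence when debugging a 401 like the ones in these threads: decode the token you are sending (the payload segment is plain base64url JSON) and compare its `aud` to what the receiver actually expects, which is the run.app URL for a directly invoked Cloud Run service or Cloud Function, and the IAP OAuth client ID when IAP fronts the load balancer.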
I am trying to add an authentication method to AWS OpenSearch.
By default it comes with basic auth against the internal user database.
I would like to configure the Security Plugin with a second authentication mechanism, OpenID Connect.
The documentation says to use Update Security Configuration, which doesn't seem to be allowed by AWS.
I tried PUT _plugins/_security/api/securityconfig and PUT _plugins/_security/api/securityconfig/authc; both seem to fail with {"Message":"Your request: '/_plugins/_security/api/securityconfig/authc' is not allowed."}
Is there an alternative? All I want to do is use a JWT token (from OpenID Connect via Cognito) to run the OpenSearch _search API, rather than using internal database basic auth or an IAM role from a federated pool.
AWS OpenSearch has blocked the APIs for updating the security configuration, which is why you see the error. The documentation you have linked is applicable when using the OpenSearch security plugin for your self-hosted OpenSearch service and not the AWS-hosted solution.
I am not sure if this will be helpful to you but this blog does talk about using OpenId Connect along with AWS Cognito for opensearch auth: https://aws.amazon.com/blogs/apn/use-amazon-opensearch-service-with-kibana-for-identity-federation-auth0/
My question is about AWS Cognito security services: can AWS Cognito be used for any resources outside the AWS cloud, e.g. an API developed and published on Apigee API Gateway?
I searched through AWS Documents and on Google
I want to create SSO with AWS Cognito like SAML-based SSO federation where Resources/ Services can be anywhere.
Yes, you can. Kindly see the App Client option in Cognito.
However, Apigee also needs to have the capability to integrate.
We have implemented Dynatrace and we need to add our AWS account to pull CloudWatch logs.
The problem: We have a corporate proxy and firewall which is super locked down and seems to block whichever requests Dynatrace is trying to make to AWS to authenticate with the key and secret.
The infra guys have allowed a bunch of AWS domains per region to read CloudWatch logs, but we still can't authenticate (see image below).
I have set up a Dynatrace security gateway in AWS which our local gateways are able to access. We are successfully getting logs from OneAgents through the SGW. The problem is getting the CloudWatch logs/integration going.
The error in the image below leads me to believe that Dynatrace is not able to communicate to the AWS auth servers at all.
Any advice would be appreciated.
I'm just a dev
We are not allowed to open the Amazon domain.
#corporate-devlife
I am developing an Android application using AWS's RDS and the AWS Cognito service. So my question is: is there any way that I can connect RDS with Cognito? Please help.
I think there are two possible questions here so I'll answer them both.
If the question is, can I access RDS from a Cognito authed app:
RDS does not use AWS credentials for authentication, it uses database credentials. Cognito only vends credentials for AWS services, so you cannot use Cognito credentials to access an RDS database.
If the question is, can I link RDS to Cognito so I can query, manipulate or analyze your end users' datasets:
All access to users' datasets is done through Cognito. There is no export or link feature that allows you to use RDS.