We use WSO2 4.1.
We have 10 APIs in the publisher with 4 subscription tiers: free, gold, silver, unlimited.
We have multiple users, initially on the free tier, who may want to go for a paid tier like gold or unlimited.
We created access roles such as access_gold and access_unlimited in Carbon and added them to the throttle policy in the admin portal as a permission group.
There are 4 users who want to access API A with the gold throttle subscription. We added them to the gold access role since they need that role, but it allows all other APIs with gold access.
How can we resolve this?
First of all, your question is not quite clear. The way the permissions of a subscription policy work is: if the allowed roles are given for the gold tier, then only the users with the access_gold role will be able to use it in the developer portal.
So if the gold tier is attached to both API A and B in the publisher portal, then a user with the access_gold role is allowed to subscribe to both API A and B with the gold tier. If you want to allow access only to API A, then you need to create another subscription policy specific to API A, like a gold_API_A tier, and use only that for API A in the publisher portal.
Related
Is there a way to restrict users from purchasing trial and paid for apps, such as Anthos, in GCP Marketplace? I can't find any policies that can prevent this.
The short answer: don't give these users the Editor, Owner or Billing Account Administrator roles.
More precisely, don't give them these permissions:
consumerprocurement.freeTrials.create, available within the Consumer Procurement Entitlement Manager, Editor and Owner roles
consumerprocurement.orders.place, available within the Consumer Procurement Order Administrator, Billing Account Administrator, Editor and Owner roles
You can find more details about managing access controls for Cloud Marketplace with IAM here.
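One way to check an existing policy against the answer above, as an added example that is not part of the original answer: it scans an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json` and lists every member holding a role that the answer says carries one of the two permissions. The role IDs are the predefined IDs for the role titles named in the answer; custom roles and conditional bindings are not evaluated, and the sample policy and member names are constructed.

```python
import json

TRIAL = "consumerprocurement.freeTrials.create"
ORDER = "consumerprocurement.orders.place"

# Role -> purchase permissions it carries, per the answer above.
# Assumption: only predefined roles are in use (custom roles are not expanded).
RISKY_ROLES = {
    "roles/owner": {TRIAL, ORDER},
    "roles/editor": {TRIAL, ORDER},
    "roles/billing.admin": {ORDER},
    "roles/consumerprocurement.entitlementManager": {TRIAL},
    "roles/consumerprocurement.orderAdmin": {ORDER},
}

# Constructed sample policy; real input comes from the gcloud command above.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["user:dev1@example.com", "group:procurement@example.com"]},
  {"role": "roles/viewer", "members": ["user:dev2@example.com"]},
  {"role": "roles/consumerprocurement.entitlementManager",
   "members": ["user:dev3@example.com"]},
  {"role": "roles/billing.admin", "members": ["user:dev3@example.com"]}
]}
""")


def find_purchasers(policy, exempt=frozenset()):
    """Return {member: sorted permissions} for members who can start trials or place orders."""
    findings = {}
    for binding in policy.get("bindings", []):
        perms = RISKY_ROLES.get(binding.get("role"))
        if not perms:
            continue  # role grants neither purchase permission
        for member in binding.get("members", []):
            if member not in exempt:
                findings.setdefault(member, set()).update(perms)
    return {m: sorted(p) for m, p in sorted(findings.items())}


if __name__ == "__main__":
    approved = {"group:procurement@example.com"}  # hypothetical approved buyers
    for member, perms in find_purchasers(SAMPLE_POLICY, approved).items():
        print(f"{member}: {', '.join(perms)}")
```

Billing Account Administrator is normally bound on the billing account rather than the project, so run the same function over the billing account's policy as well; the binding format is the same.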
I want to transfer my account from AISPL to AWS. This is because I have been running my application in an AISPL account till now. Now I want to add my account to an AWS organisation of my employer, whose seller of record is AWS, so that my employer can take care of all the consolidated billing in USD.
Currently, adding AISPL account into AWS account organisation is not supported and shows an error response of "You can only join an organization whose Seller of Record is same as your account".
What can I do to transfer my AWS account from AISPL to AWS so that I can add my account to the AWS organisation?
I had posted a query on AWS support for this and got the below reply.
Hello,
I understand you would like to update your AISPL account and utilize services from Amazon Web Services Inc. instead.
At this time your account utilizes services from AISPL (Amazon Internet Services Private Limited) which is the Indian AWS reseller for Indian customers.
The main difference between AWS accounts and AISPL accounts is the seller of record. AISPL accounts are administered by Amazon Internet Services Private Limited, but AWS accounts are administered by Amazon Web Services, Inc.
Accounts located in AISPL can update their account information, but will continue to be billed in INR and utilize services from AISPL. If you wish to utilize services from Amazon Web Services Inc. and update your preferred currency, then you will need to create a new AWS account.
More information can be found using the link below:
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment-aispl.html#determine-seller
We cannot transfer an account from AISPL to AWS. Need to create a new account for this.
We currently have a webapp running in AWS Region Ireland (service for the UK) and are planning to expand the service into the US.
In order to be sure that the US users get a low latency experience we are considering mirroring the AWS resources used in Ireland in the US.
The data for the US users should be stored in the US region, the UK data in Ireland. (There is no need to report across both regions).
We are thinking of building a centralised login service that runs in the Ireland region. After successful login the user will be redirected to the region where their data is stored. (The login service has to know in which region the data is stored.)
Has anyone built something similar? Any recommendation how to approach this?
Would Amazon Cognito support such a setup (if we build the login service based on Cognito)?
Currently Amazon Cognito does not support this out of the box.
But if you use Cognito User Pools with Federated identities the credentials you get can be used in any AWS region. Along with that you can store a custom attribute for the user defining the region to which that user belongs and then redirect them accordingly.
Some days ago I created an Identity Pool. My region is eu-west-1.
And today I don't know how to see the information related to it:
when I go to the Amazon Cognito console, it tells me:
Region not supported
Cognito User Pools are currently only available in US East (Virginia).
And after that it only proposes that I create a new User Pool.
So why does the console tell me that Cognito is only available in US East even though I could create a pool for my region, which is EU West, and how can I access my identity pool?
When you enter Cognito Console, you should select 'Manage Federated Identities' and not 'Manage User Pools' to see your identity pools.
Cognito User Pools is a new service that allows you to easily provide sign up and sign in functionality to your users and is only available in us-east-1.
IAM user limit is 5000 per AWS account. I have more users than this.
Please tell me if there is any way to have more than 5000 IAM users.
I am not quite sure or convinced that you have a need for more than 5000 AWS IAM users; the direct implication is that there are 5000+ people or applications operating under a single AWS account.
Be sure your application's users aren't the same as your IAM users. For example, assume you are running a simple blog / CMS which has the user roles admin, content creator, content publisher and content editor; under each role you have 10 different users, so there would be 40 users [ 4 Roles x 10 Users in each Role = 40 users ]. These users would be created under the application / infra layers and not as IAM users.
The default maximum limit is 5000 users per AWS account. Beyond that you need to work out a solution with STS - http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html.
Again, if you need 5000+ IAM users per AWS account, the simplest way is to separate out AWS accounts for individual applications [ or also use sub accounts ].
In this situation, you can use identities outside of AWS such as SAML, Facebook, Twitter, and Google in your corporate directory. If those users need to work with AWS resources (or work with applications that access those resources), then those users also need AWS security credentials. You can use an IAM role to specify permissions for users whose identity is federated from your organization or a third-party identity provider.
You can learn more about that here: https://aws.amazon.com/identity/federation/