We are using snowflake database and we have created multi-tenant tables.
We have created user-name and password for each tenant.
These user-name and password are used in applications that use AWS quicksight and microsoft power bi tool.
These user-names and password are NOT directly accessible by tenant, instead only our own application teams have access to them.
We cant use key pair authentication as quicksight does not support it yet.
Question:
Looking for a pattern on how to rotate these password without downtime, we want to rotate this password on a fixed schedule, like every 6 months.
We decide to go with 2 user strategy and alternate between the 2. We manage these users ourselves.
Consider the "Snowflake Database Secrets Engine" by Hashicorp Vault:
https://www.vaultproject.io/docs/secrets/databases/snowflake
"This plugin generates database credentials dynamically based on configured roles for Snowflake-hosted databases and supports Static Roles"
For example, you can configure it to rotate passwords every 24 hours, and it gives you an endpoint to retrieve the latest password.
Related
I have request from users to be able to connect to my datasets and table in bigquery to fetch the data and manipulate it programmatically outside of GCP
The situation now that i created a service account with credentials to view data and i share the json key of this service account with users in email .
I want to avoid users to use the key inside their code
best way to secure sharing this key with them
The best way to share your application outside Google Cloud is through Workload Identity Federation. Although, creating public/private key pairs is also a secured way to use and share your user-managed service account, it can still impose a threat and security risk if not correctly managed.
Just run through this documentation and use IAM external identities to impersonate a service account to avoid any security issues on your security account keys even without mantaining it.
We are struggling to connect with Azure Data Factory to Amazon Marketplace Web Services.
It seems that we have all information required, however, we are getting the following error:
Parameter AWSAccessKeyId cannot have multiple values.
All data seems to be correct. However, we think it is strange that a Access Key Id and Secret Access Key are needed to connect to the Marketplace Web Services. Both keys come from the AWS environment which is currently not connected to anything.
Any help is appreciated.
Kind regards,
Jens
Yes, you need Access key ID and Secret key while creating the Amazon Marketplace Web Service linked service in Azure Data Factory. There should only be one Access Key assigned to per user in AWS Marketplace. Apart from this, other properties are also required. Please refer below image for the same. Some properties are mandatory and others not.
To allow people in your company to sign in to the AWS Marketplace Management Portal, create an IAM user for each person who needs access.
To create IAM users
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Create New Users.
In the numbered text boxes, enter a name for each user that you want to create.
Clear the Generate an access key for each user check box and then choose Create.
This key now you will pass in Linked Service in ADF.
Also, for better security, you can save the SecretKey in Azure Key Vault and use Azure Key Vault Linked Service to access the SecretKey. Refer Store credentials in Azure Key Vault.
Since the cloud-sql-proxy already forces individual user authentication with the database through a users iam account, and allows specifying read / write permissions, it seems potentially pointless to also have an individual database accounts for each user as well.
For security, is it necessary to have a database user per dev when using cloud-sql-proxy, or is it fine to just have one database user, since they are already authenticated by the time they can enter a database user / password anyways. I'm not a server dev or a DBA, so I thought it best to ask.
In fact, you have 2 levels of permissions
Cloud IAM allows you to access to Cloud SQL product or not
Database user management allows to log into the db engine and to get the db engine permission (access to a specific schema, one schema per developer, on the same SQL instance for instance).
The hosted database engine are based on MySQL, PostgreSQL or SQL Server. All those databases have their legacy user authentication in place. You have to deal with.
I am trying to make an API using AWS api-gateway and lambda.
Requirements
I am trying to build a dashboard, The dashboard will be for multiple organisations and each organisation will have multiple users who can login and see the respective dashboard.
Example we have a dashboard for Intel and its accessible by User1, user2, user3
A user must be able to login and access the dashboard for his specific Organization and also do CRUD on his data as well
I found out that aws cognito with its user pool can be used for the auth process. After that I intend to use api-gateway with lambda function to query a sql database and populate the frontend. The place where I am stuck at is how do I link the user from cognito to corresponding data in database.
In simple applications we would have a user-table and its a simple query but I would appreciate if someone can suggest a good way to go about implementing this
Does anybody know if it is possible to access Amazon Redshift via single sign on or service accounts. Our specific need is to map domain users to Redshift users, and then grant access to specific objects to this mapped users, so if a user wants to query Redhisft via some SQL client or some Excel connector (for example) he can use his domain credentials without having to store or type passwords on every connector. I know the existence of AWS Identity and Access Management (IAM) but from my understanding this works just for SSO to the management console, am i right?
AWS has recently announced the support for Federated authentication with single sign-on support for Redshift.
Using IAM Authentication to Generate Database User Credentials for AWS Redshift
I am currently trying to implement it and will update this answer once I am done with the setup.