AWS SSO Custom App SAML Authentication error (InvalidIdentityToken, Invalid Base64 SAMLResponse)

I have created a sample custom app on AWS SSO and tried to authorize users with SAML.
The workflow is as follows:
User clicks custom app logo on SSO console and starts authentication flow. SAML IDP endpoint in this case is the endpoint which was created during custom application creation. Works ok.
AWS redirects to the defined ACS (Nest.js backend API server on localhost) with SAML Response. This also works ok. Response seems to be valid and includes all attributes etc.
Backend API validates the response and calls STS with the AssumeRoleWithSAML command, which sends the aforementioned SAML response to STS with role and principal ARNs. The IDP endpoint is an account's identity provider which was created by AWS SSO. This does not work. It produces the following error:
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service:
AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException; Request ID:
55120f74-c9e8-4dac-b416-370b771339e5; Proxy: null)
So basically the problem is that AWS does not accept, or is not able to process, a SAML response which was created by AWS.
What do I not understand here? Different issuer IDs or certificates causing the error?
Should I modify the SAML response before sending it back to AWS?
Edit: I made some changes to attribute mappings (see comments to this message) and it helped. However, now I get another type of error message:
InvalidIdentityToken: Issuer not present in specified provider
(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException;
I resolved this problem by creating a new identity provider on the AWS IAM console and using the same custom application SSO metadata.

Related

Vault csi provider in gcp

I'm trying to run Vault CSI provider but I'm getting the following error in my app pod:
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod vault/my-service-9b78df688-8xnql, err: rpc error: code = Unknown desc = error making mount request: failed to login: Error making API request. Namespace: vault URL: POST https://vault.craft-code.com/v1/auth/gcp/login Code: 400. Errors: * unable to get public key for signed JWT: unable to get public key "xxxxx" for JWT subject "system:serviceaccount:vault:service-web-app": googleapi: Error 400: Request contains an invalid argument.
According to the doc, before logging in to Vault, Google Cloud should issue a JWT credential to be able to log in to Vault. I'm using Terraform but I don't know how to do that. Could someone explain it?
Once the service account and key have been created, the private key can be used to generate the JWT token needed to log in to Vault.
To configure a Google Cloud service account to issue a JWT token before it can be used to log in to Vault, you need to complete the following steps:
Create a service account in the Google Cloud platform.
Download the JSON key file associated with the service account.
Configure the Vault server to use the GCP auth backend and provide the JSON key file for the service account.
Configure the Google Cloud IAM roles for the service account in order to grant it access to the Vault server.
Get the JWT token from the service account and use it to authenticate with Vault.
Refer to this doc also
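The steps above stop short of showing what the login JWT has to contain. The following is an added example, not code from the answer above or from HashiCorp: it builds the claims Vault's GCP auth method (type=iam) expects, has Google sign them through the IAM Credentials API signJwt call (an alternative to signing locally with the downloaded JSON key; that route needs a JWT library or `gcloud iam service-accounts sign-jwt`), posts the result to /v1/auth/gcp/login, and includes a local pre-flight check that reports the mismatches Vault would reject (wrong aud, a subject that is not the GCP service account, an expiry outside the 15-minute default). The service account e-mail, role name and Vault address are assumed placeholders; the two network functions are not exercised by the stand-alone run.

```python
import base64
import json
import time
import urllib.request
from typing import List, Optional

SIGN_JWT_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                "serviceAccounts/{sa}:signJwt")
MAX_JWT_EXP = 15 * 60     # Vault's default max_jwt_exp for GCP auth roles


def vault_gcp_claims(sa_email: str, vault_role: str, now: Optional[int] = None,
                     ttl: int = MAX_JWT_EXP) -> dict:
    """Claims the GCP auth method (type=iam) expects in the login JWT:
    sub = service account e-mail, aud = "vault/<role>", exp in the near future."""
    now = int(time.time()) if now is None else now
    return {"sub": sa_email, "aud": f"vault/{vault_role}", "exp": now + ttl}


def sign_jwt_with_iam_api(sa_email: str, claims: dict, access_token: str) -> str:
    """Have Google sign the claims with the service account's managed key via the
    IAM Credentials API (caller needs roles/iam.serviceAccountTokenCreator on the
    SA; access_token from e.g. `gcloud auth print-access-token`). Network call."""
    body = json.dumps({"payload": json.dumps(claims)}).encode()
    req = urllib.request.Request(
        SIGN_JWT_URL.format(sa=sa_email), data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["signedJwt"]


def vault_gcp_login(vault_addr: str, vault_role: str, jwt: str) -> str:
    """POST the signed JWT to /v1/auth/gcp/login; returns the client token. Network call."""
    body = json.dumps({"role": vault_role, "jwt": jwt}).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/gcp/login", data=body,
                                 method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["auth"]["client_token"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_login_jwt(jwt: str, vault_role: str, sa_email: str,
                    now: Optional[int] = None) -> List[str]:
    """Pre-flight: list what Vault would reject in this token. Does not verify the
    signature; Vault does that against the service account's public keys."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}; Google-signed JWTs use RS256")
    if payload.get("aud") != f"vault/{vault_role}":
        problems.append(f"aud is {payload.get('aud')!r}, expected 'vault/{vault_role}'")
    if payload.get("sub") != sa_email:
        # e.g. a Kubernetes token carries sub system:serviceaccount:<ns>:<name>,
        # which is not a GCP service account and has no Google public key.
        problems.append(f"sub is {payload.get('sub')!r}, expected {sa_email!r}")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already passed")
    elif exp - now > MAX_JWT_EXP:
        problems.append("exp is more than max_jwt_exp (15m) away")
    return problems


def unsigned_jwt(claims: dict) -> str:
    """Constructed token for local checks only: RS256 header, claims, dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.c2ln"


if __name__ == "__main__":
    sa = "vault-login@example-project.iam.gserviceaccount.com"   # assumed placeholder
    claims = vault_gcp_claims(sa, "my-role")
    print(claims, check_login_jwt(unsigned_jwt(claims), "my-role", sa))
    # Real flow (needs network and credentials):
    # token = vault_gcp_login("https://vault.example.com", "my-role",
    #                         sign_jwt_with_iam_api(sa, claims, access_token))
```

The pre-flight check is what to run on whatever token a pod or pipeline is actually presenting: if the subject turns out to be a Kubernetes service account rather than the GCP service account e-mail, the GCP auth method has no Google public key to verify it with, and the login will fail before signature verification.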

How do I get AssumeRolewithSAML to work with CLI when same request works with Postman

I have been trying identity federation using SAML from a cloud-based SAML provider to an application hosted on an AWS S3 bucket. The SAML IdP is posting the SAMLResponse to the configured ACS (an API Gateway endpoint in the web app). When I use this SAMLResponse with Postman to AssumeRoleWithSAML to get STS tokens, it works fine with a proper 200 response. But the same SAMLResponse is not working using the CLI (AWS Command Line Interface); I get the error below.
I tried with AWS CLI version 1.x as well as the latest 2.x; the response is the same.
Command :
aws sts assume-role-with-saml --role-arn arn:aws:iam::123456789:role/xxxxx --principal-arn arn:aws:iam::123456789:saml-provider/xxxx-saml-provider --saml-assertion file://samlresponse.log
Error:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException;
Could not find any good help in knowing what's wrong, and the CLI is not giving any meaningful error such as "Token Expired" etc.
Following is a sample POST request using Postman that works fine
https://sts.amazonaws.com/?Version=2011-06-15&Action=AssumeRoleWithSAML&RoleArn=arn:aws:iam::123456789:role/xxxx-saml&PrincipalArn=arn:aws:iam::123456789:saml-provider/xxxx-saml-provider&SAMLAssertion=PD94bWwgdmVyc2lv===
This is resolved. The SAMLResponse used was URL-encoded, and for assume-role-with-saml the base64 value was incompatible. Once the response was decoded with the decodeURI function, it worked as expected.
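Both this question and the AWS SSO custom-app question at the top of the page hit the same STS rejections: "Invalid base64 SAMLResponse" when the value still carries form encoding, and "Issuer not present in specified provider" when the assertion's Issuer does not match the IAM SAML provider. The following is an added example, not code from either post: it normalises a SAMLResponse copied from the raw POST body (percent-decodes it and then checks it against the strict base64 alphabet STS enforces) and pulls out the fields STS checks, so the Issuer, audience, validity window and Role attribute pairs can be compared against the IAM provider and the --role-arn/--principal-arn values before calling AssumeRoleWithSAML. The sample response is constructed here and unsigned; the SSO portal URL and ARNs in it are placeholders, and signature verification is left to STS or your SAML library.

```python
import base64
import binascii
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "urn:amazon:webservices"   # audience STS requires in the assertion


def strict_base64_ok(value: str) -> bool:
    """True only if every character is in the base64 alphabet (what STS enforces)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def normalize_saml_response(form_value: str) -> str:
    """Turn a captured SAMLResponse form value into the clean base64 STS expects.
    The IdP POSTs it as application/x-www-form-urlencoded, so a value copied before
    the framework decoded it still has %2B, %2F and %3D for '+', '/' and '='."""
    value = form_value.strip()
    if "%" in value:
        # Full percent-decoding. unquote() leaves '+' untouched, which is right:
        # here '+' is a base64 character, not an encoded space.
        value = urllib.parse.unquote(value)
    value = "".join(value.split())          # some IdPs line-wrap the base64
    if not strict_base64_ok(value):
        raise ValueError("SAMLResponse is not valid base64 after decoding")
    return value


def parse_saml_time(value: str) -> dt.datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(clean_b64: str, now: Optional[dt.datetime] = None) -> dict:
    """Extract what STS checks so a 400 can be explained locally: Issuer (must match
    the IAM SAML provider's metadata), audience, validity window, and the Role
    attribute pairs that must match --role-arn / --principal-arn."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(clean_b64))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if issuer is None or conditions is None:
        raise ValueError("response carries no Issuer, Assertion or Conditions element")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    roles = []
    for attr in assertion.findall(".//saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for val in attr.findall("saml:AttributeValue", NS):
                # "role-arn,provider-arn"; STS accepts the pair in either order
                roles.append(tuple(p.strip() for p in val.text.split(",", 1)))
    return {
        "issuer": issuer,
        "audience_ok": AWS_AUDIENCE in audiences,
        "not_yet_valid": now < parse_saml_time(conditions.get("NotBefore")),
        "expired": now >= parse_saml_time(conditions.get("NotOnOrAfter")),
        "roles": roles,
    }


# Constructed, unsigned sample shaped like an AWS SSO response (placeholder values).
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="http://localhost:3000/acs">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/xxxx,arn:aws:iam::123456789012:saml-provider/xxxx-saml-provider</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_bytes: bytes) -> str:
    """The clean base64 an IdP places in the SAMLResponse field."""
    return base64.b64encode(xml_bytes).decode()


def captured_form_value(xml_bytes: bytes) -> str:
    """Simulates copying SAMLResponse out of the raw POST body before any decoding."""
    return urllib.parse.quote(encode_response(xml_bytes), safe="")


if __name__ == "__main__":
    raw = captured_form_value(SAMPLE_RESPONSE_XML)
    print("strict base64 as captured:", strict_base64_ok(raw))
    clean = normalize_saml_response(raw)
    print(inspect_saml_response(clean, now=parse_saml_time("2024-01-01T00:01:00Z")))
```

Write the value returned by normalize_saml_response to the file given to --saml-assertion; if inspect_saml_response reports an issuer that differs from the entityID in the metadata uploaded to the IAM SAML provider, STS will answer with the "Issuer not present in specified provider" error regardless of how the base64 is encoded.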

error making upstream request 403 sts vault from aws instance

I have attached an IAM role to the AWS instance. The role my-role has administrative permissions and STS permissions as well.
I ran the following commands but I get an error.
export VAULT_ADDR=https://somevaultsite.com
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidClientTokenId</Code>
<Message>The security token included in the request is invalid</Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
And when I run the vault command passing the region, I get the following error:
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Error authenticating: Error making API request.
URL: PUT https://somevaultsite.com/v1/auth/aws/login
Code: 400. Errors:
* error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-gov-west-1'. </Message>
</Error>
<RequestId>SOME-REQUEST-ID</RequestId>
</ErrorResponse>
I have bound the role in Vault as well.
vault write auth/aws/role/my-role auth_type=iam policies=my-policy max_ttl=1h bound_iam_principal_arn=arn:aws-us-gov:iam::xxxxx:role/my-role
Note:- I added -tls-skip-verify option because the certificate is not a valid one.
We should set the STS endpoint:
vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-west-1.amazonaws.com
Then run your login command:
vault login -tls-skip-verify -address=https://somevaultsite.com -method=aws role=my-role region=us-gov-west-1
Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
Here's a Google Groups link with the discussion.
Another link for STS.

Integrate Laravel with AWS cognito

I configured an AWS Cognito user pool a few months ago and connected it to a Node.js application; everything was perfect.
Now I want to connect Laravel to AWS Cognito. I followed the instructions in this article.
I get the following error
Error executing "AdminInitiateAuth" on "https://cognito-idp.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-west-1.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
UnrecognizedClientException (client): The security token included in the request is invalid. - {"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
I'm very sure the credentials are correct, but I get this error.
Is there any missing configuration in the article?
I've had the same 'problem' following the same article. I fixed it by verifying my credentials in the .env:
AWS_COGNITO_KEY=
AWS_COGNITO_SECRET=
These are the access keys of the IAM user:
https://github.com/black-bits/laravel-cognito-auth#cognito-user-pool

Sign AWS requests using Cognito Your User Pool user using Postman

I am trying to send an authenticated request to AWS API Gateway. The clients will authenticate against Cognito Your User Pools, and then obtain a token from an associated Cognito Identity Pool corresponding to the logged-in user in the user pool. I am trying to simulate such a request using Postman.
This post suggests that the command aws cognito-identity get-credentials-for-identity can be used to get the AccessKeyId and SecretKey needed for Postman to sign the request. However, when I try to run it with the sub attribute for a user from the Cognito User Pool console:
$ aws cognito-identity get-credentials-for-identity --identity-id aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ValidationException) when calling the GetCredentialsForIdentity operation: 1 validation error detected: Value 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' at 'identityId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+:[0-9a-f-]+
$ aws cognito-identity get-credentials-for-identity --identity-id us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found.
The same thing happens if I try to use an identity ID from the associated identity pool shown in the AWS Console (I selected one that has 2 "linked logins").
You need to pass along the logins map:
--logins (map)
A set of optional name-value pairs that map provider names to
provider tokens.
Shorthand Syntax:
KeyName1=string,KeyName2=string
JSON Syntax:
{"string": "string"
...}
This syntax worked for me:
aws cognito-identity get-credentials-for-identity \
--identity-id us-east-1:aaaa-bbb-ccc-bc54-rrrrrrr \
--logins graph.facebook.com=kdajbdjkabkjbkjbkdbsckslcjxb
Note: --identity-id is not the identity pool ID; it's the identity from the identity browser.
API Gateway now has native integration with 'Cognito Your User Pool', so you can pass the identity token directly (see the API Gateway docs). The post you have linked is outdated.
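Two threads on this page end at the same mechanism, AWS Signature Version 4: the Vault AWS auth question (a GetCallerIdentity request scoped to us-gov-west-1 rejected with "Credential should be scoped to a valid region" until Vault's sts_endpoint matched) and this Cognito question (signing an API Gateway request with the temporary credentials that get-credentials-for-identity returns). The following is an added example serving both, not code from either answer, from HashiCorp or from AWS: a stdlib-only SigV4 signer, the /v1/auth/aws/login payload that `vault login -method=aws` builds from it (field names as in Vault's AWS auth API), and the --logins key for a user-pool login. Every credential, token, role name and hostname below is a constructed placeholder, and nothing is sent over the network.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse
from typing import Dict, Optional

GET_CALLER_IDENTITY = b"Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def utc(*args) -> dt.datetime:
    """Fixed signing time for reproducible runs, e.g. utc(2024, 1, 1, 12, 0, 0)."""
    return dt.datetime(*args, tzinfo=dt.timezone.utc)


def sigv4_headers(method: str, url: str, region: str, service: str, access_key: str,
                  secret_key: str, body: bytes = b"", session_token: Optional[str] = None,
                  headers: Optional[Dict[str, str]] = None,
                  when: Optional[dt.datetime] = None) -> Dict[str, str]:
    """AWS Signature Version 4. The credential scope <date>/<region>/<service>/aws4_request
    is bound into the signature, and STS in a partition only accepts scopes for its own
    regions: a us-gov-west-1 scope replayed at sts.amazonaws.com is exactly the
    "Credential should be scoped to a valid region" rejection above."""
    when = when or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    parts = urllib.parse.urlsplit(url)
    pairs = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}="
                               f"{urllib.parse.quote(v, safe='-_.~')}" for k, v in pairs)
    hdrs = {"host": parts.netloc, "x-amz-date": amz_date}
    if session_token:                       # temporary credentials must carry the token
        hdrs["x-amz-security-token"] = session_token
    for name, value in (headers or {}).items():
        hdrs[name.lower()] = " ".join(value.split())
    signed = ";".join(sorted(hdrs))
    canonical_request = "\n".join([
        method, parts.path or "/", canonical_query,
        "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)), signed,
        hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in hdrs.items() if k != "host"}
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed}, Signature={signature}")
    return out


def credential_scope(signed: Dict[str, str]) -> str:
    """<date>/<region>/<service>/aws4_request from an Authorization header."""
    return signed["Authorization"].split("Credential=")[1].split(",")[0].split("/", 1)[1]


def vault_aws_login_payload(vault_role: str, region: str, access_key: str, secret_key: str,
                            session_token: Optional[str] = None,
                            sts_endpoint: Optional[str] = None,
                            when: Optional[dt.datetime] = None) -> dict:
    """What `vault login -method=aws` sends to /v1/auth/aws/login: a pre-signed
    sts:GetCallerIdentity request that Vault replays against its configured
    sts_endpoint, so region and endpoint must belong to the same partition."""
    sts_endpoint = sts_endpoint or f"https://sts.{region}.amazonaws.com"
    hdrs = sigv4_headers("POST", sts_endpoint + "/", region, "sts", access_key, secret_key,
                         body=GET_CALLER_IDENTITY, session_token=session_token,
                         headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                         when=when)
    hdrs["host"] = urllib.parse.urlsplit(sts_endpoint).netloc
    return {"role": vault_role,
            "iam_http_request_method": "POST",
            "iam_request_url": _b64((sts_endpoint + "/").encode()),
            "iam_request_body": _b64(GET_CALLER_IDENTITY),
            "iam_request_headers": _b64(json.dumps({k: [v] for k, v in hdrs.items()}).encode())}


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """--logins key for a Cognito user pool login (the answer above used graph.facebook.com);
    the map value is the user's ID token from that user pool."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


if __name__ == "__main__":
    gov = vault_aws_login_payload("my-role", "us-gov-west-1", "AKIDEXAMPLE", "secretEXAMPLE")
    print(json.dumps(gov, indent=2))
    api = sigv4_headers("GET", "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items?limit=10",
                        "us-east-1", "execute-api", "ASIAEXAMPLE", "secretEXAMPLE",
                        session_token="sessionTokenEXAMPLE")   # from get-credentials-for-identity
    print(credential_scope(api), api["Authorization"])
```

For Postman the three values from get-credentials-for-identity map onto AccessKey, SecretKey and Session Token of its AWS Signature auth type, with service name execute-api; the signer above produces the same Authorization and X-Amz-* headers, which is useful when a 403 from API Gateway needs to be compared against what the client actually signed.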