I am creating a nuxtjs application using Amplify. I have a separate identity server (OpenID Connect) already built for authentication purposes. (So I don't want to use Cognito auth.)
I am using the AppSync API. I want to use the already existing identity server to pass a token to the API.
I want to use S3 to store user files; for this too I want to use my identity server.
I searched but could not find proper documentation for these options. Is this achievable? If so, where can I find the proper config?
I'm looking into how to implement AWS Transfer for SFTP with a Custom Identity Provider.
https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html
From what I can understand, it looks like if you are going to use a custom identity provider you must authenticate using a username and password,
i.e. a custom identity provider cannot be used in conjunction with SFTP keys.
Is that right?
I hope this is not a silly question. Thanks in advance
Basically, when you use a Custom Identity Provider, once you're authenticated you'll be allowed to assume the role and access the home directory; however, you can use Lambda integration with API Gateway and send the SSH public key in the Lambda-generated response.
I have an app and an OpenID identity server. My app retrieves tokens from the identity server.
I have also configured the identity server as an external provider for an AWS Cognito identity pool.
I can successfully retrieve AWS credentials for the User logged into my app.
However, I find the AWS credentials limited, as the token does not contain any of the claims from the original login token. Is there any way to get them in there?
One of the claims I use is clientID, and I was hoping to be able to use that in an IAM policy to restrict S3 access by client.
I haven't found a direct solution for that, and it seems like a missing feature.
The workaround I did was:
Mapping id_token/access_token/refresh_token to custom Cognito attributes. As all mapped attributes are later available in your frontend, you need to restrict read permissions for sensitive attributes.
Use the TokenGeneration_HostedAuth Lambda trigger to work on this data.
I have a browser app that interacts with S3. Since it was mostly an in-house tool, after handling authentication to an API it directly received the ID and secret for a very restricted IAM user, which was then used to set up the AWS SDK in the browser.
I am now trying to change that app to use Cognito for authentication, so it can be accessed by external users without compromising our security.
I wound up using AWS Amplify just to handle the authentication part, and now I'm trying to figure out if there's a way of using the credentials I get from Cognito to set up the AWS JavaScript SDK and replicate the same functionality from that point on. (The way Amplify currently handles interaction with S3 does not cover all of the app's needs.)
Is there a way of doing this? I find the SDK documentation extremely confusing, and have been unable to determine if what I'm trying to do can be done at all.
Additionally, if there's a way to use the JS SDK only (without Amplify) to log in a user via Cognito, that would also be preferable to me, but that's a secondary concern.
Yes, you can easily do this with Amplify, and I recommend this approach.
Here's an example from the docs using the Route53 module from the AWS JS SDK, but you can use any of the AWS modules, of course.
Via https://aws-amplify.github.io/docs/js/authentication#working-with-aws-service-objects
import { Auth } from 'aws-amplify';            // Amplify Auth category (import was missing)
import Route53 from 'aws-sdk/clients/route53';

// Fetch the temporary AWS credentials Cognito issued for the signed-in user
Auth.currentCredentials()
  .then(credentials => {
    const route53 = new Route53({
      apiVersion: '2013-04-01',
      // Reduce the Amplify credentials object to the fields the SDK client expects
      credentials: Auth.essentialCredentials(credentials)
    });
    // more code working with route53 object
    // route53.changeResourceRecordSets();
  });
I am a new user of GCP. I am starting to implement an application that is going to use the GCP API. In order to authenticate to the API I've created a service account and stored it in a file.
In the official documentation it is written that the auth file can be assigned to an environment variable: GOOGLE_APPLICATION_CREDENTIALS
I would like to make a request to the Google API from my HTTP client (let's say Postman) and use this file for authentication.
Is it possible at all, or am I supposed to use a GCP client in order to make HTTP requests?
Yes, you can create an API key for authentication, and use that API key to call the GCP API. Here is the doc for Creating and Using API Keys.
Also, you need to be careful not to expose your API keys to the public, like on GitHub, because we have seen many people just write their API key directly in the code and expose it to the public.
As you said you would like to use the API key in HTTP requests, maybe you should add restrictions to your keys.
Here are some best practices that Google provides; hope this helps!
I created an API with AWS API Gateway that triggers a Lambda function. Now I want to restrict access to this API. I own an OpenID Connect identity provider.
I want to require people to authenticate with my OpenID identity provider before accessing the API. What is the best way to do that? Apparently, I need an authorizer for my API. I read a lot of documentation, and from what is mentioned here, it seems that this would be possible with Amazon Cognito. However, here I can only find a way to use Cognito user pools, while I want to use a Cognito identity pool.
I want the typical authentication scenario, e.g. the user calls the API, is redirected to my OpenID ID provider, logs in, and can then access my API (which delivers HTML, so all of this will be taking place in a web browser).
Is this actually possible with Cognito, or do I need to write a custom Lambda authorizer? If so, is there any documentation on writing an authorizer Lambda that uses OpenID, preferably in .NET?
You are mixing authentication and authorization.
Federated Identity Provider to Cognito:
You can use an OpenID federated identity provider for authentication.
The documentation below describes how to configure it:
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
Once authenticated, you can create a signed URL to protect your assets for the URL you want to allow access to.
Creating Signed URLs:
The documentation below describes how to create signed URLs using C#:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateSignatureInCSharp.html
Custom Authorizer:
The following commit on GitHub shows an example implementation of a C# custom authorizer:
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/pull/13/commits/79d75fb7c5ee4f29fa06fd2ec28c704224cf8a7a
Hope it helps.