AWS Amplify: AmplifyException 'You are not authorized to make this call.' - amazon-web-services

I have integrated AWS Amplify into an Android app by following https://docs.amplify.aws/lib/q/platform/android on my MacBook Pro.
Now I checked out the same project on another machine, a Mac mini, and am trying to run it.
I am getting this error and am not sure how to fix it:
AmplifyException {message=Failure performing sync query to AppSync: [GraphQLResponse.Error{message='You are not authorized to make this call.'
I tried amplify pull, amplify configure and amplify init, but none of them resolve this issue.
Thanks in advance.

Initially, you will see your GraphQL request in the Network tab fail because of authorization.
"My case is the AppSync API key has expired. – Freddie Jun 26"
This is the answer: go to AppSync / Settings / API keys.
You will see the key in red. That means it has expired.
You just need to create a new key. Then replace the AppSync API key inside your aws-exports.js, under the name aws_appsync_apiKey, with this new key.
If you have already resolved this, I'll just leave it here so someone else can see it.

Ah! Great news: you can simply edit the expiry date (no need to make a new one).
It's just that the default is one week.
Go to your ordinary, full, normal AWS console. Go to "AWS AppSync".
Then ..

If your token expired (here I'm talking about a token that lived out its maximum 365 days and has expired) and you happen to be publishing your application to AWS using Amplify, you will need to add a new token to the application (simply changing it in aws-exports would not be enough). To do it you must:
Find the file amplify/backend/<your_app_name>/parameters.json and add two lines there (this might be just CreateAPIKey, but I've tested only the one method found in this GitHub issue, and it worked).
"APIKeyExpirationEpoch": -1,
"CreateAPIKey": -1
Run amplify push. This should delete the old token, but you will be better off checking it yourself in AppSync / Settings / API keys. If you have no tokens there, then you are good to go.
Go back to the parameters.json file and remove our parameters (APIKeyExpirationEpoch and CreateAPIKey).
Run amplify update api. Choose your API (mine was GraphQL). Choose update auth settings. Choose your default authorization method (mine was API key). Enter a description for your API key and add the TTL for your API key (the default is 7, so I suggest changing this one). Don't configure additional auth types.
You should get a success message at the end. Now run amplify push. After a while the command should return a success message and you are good to go. To double-check, you can verify the token in your AppSync console. There should be only one token. Also, you can check the API calls for the x-api-key value in the header, which should hold your new token.

Related

Integrate AWS Cognito with Google Workspace using SAML integration

I have some applications served to my company users on EKS (e.g., Jenkins). In the company we use Google Workspace (G Suite) for email and other things. So I want to allow users to log in with Google credentials to those applications I serve. I figured out I could use Cognito to achieve this, but I cannot connect them, and the flow ends with Google showing 403. Error: app_not_configured_for_user. In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
But how do I debug it? I do not see any logs from either the AWS or the Google side :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page, but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do.
What I did:
In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
I downloaded metadata file
In AWS Cognito console I created User Pool
I created IdP provider and uploaded metadata file there
I created application client
Using those values I filled fields ACS URL and Entity ID in Google Admin using values:
ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
I also selected Name ID format to be Persisted
In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In AWS Cognito I enabled the Hosted UI and also created a mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the email field.
And now when I click View Hosted UI in the AWS console it redirects me to Google authentication and after that directly to the before-mentioned 403 app_not_configured_for_user page.
I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error.
Anyone tried to integrate it?
How to troubleshoot the 403 app_not_configured_for_user error related to SAML apps from the Google Workspace Admin console
The first thing you need to do is grab a HAR file recording the whole login process and find the SAML request. Steps can be found here.
Once you get the file you can open it using that tool and search for SAMLreq at the top right (see image).
After that you will get a list of values containing information. You will have to check them one by one until you find the one that has the SAML request in the request tab (see example below).
Once you get the value from the SAML request, copy it, and you can use this tool to decode the SAML and find the entity ID. You can use Ctrl + F and search for saml:Issuer to find the value faster. If the value does not match, then you know you have an error and you will need to contact the app's support team to see which value is the correct one.
In case the value matches, I would recommend opening a ticket to check with Google.
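The comparison this answer describes, as an added example that is not part of the question or the answer: it decodes a SAMLRequest value copied out of the HAR file (HTTP-Redirect binding, deflated, or HTTP-POST binding, plain base64), reads saml:Issuer and compares it case-sensitively with the Entity ID configured in Google Admin. The AuthnRequest XML is constructed from the ACS URL and Entity ID in the question; the two encoder functions exist only to build test input.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest of the shape Cognito sends to the IdP (not a real capture)
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2023-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://my-domain-i-just-created.auth.us-east-1'
    '.amazoncognito.com/saml2/idpresponse">'
    '<saml:Issuer>urn:amazon:cognito:sp:us-east-1_myPoolId</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect_binding(xml_text):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode())

def encode_post_binding(xml_text):
    """Encode as the HTTP-POST binding does: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()

def decode_saml_request(value):
    """Decode a SAMLRequest parameter from either binding.

    Inflate when the payload is deflated; if inflating fails or does not
    yield XML, the base64 payload was already the XML (POST binding).
    """
    raw = base64.b64decode(urllib.parse.unquote(value))
    try:
        inflated = zlib.decompress(raw, -15)
    except zlib.error:
        inflated = b""
    return (inflated if inflated.lstrip().startswith(b"<") else raw).decode()

def issuer_of(xml_text):
    """Return the saml:Issuer text, i.e. the SP entity ID Cognito announces."""
    el = ET.fromstring(xml_text).find("saml:Issuer", NS)
    return el.text.strip() if el is not None and el.text else None

def issuer_matches(saml_request_param, entity_id):
    """Case-sensitive comparison, as the Google documentation quoted above requires."""
    return issuer_of(decode_saml_request(saml_request_param)) == entity_id
```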

Amplify API GraphQL - Unable to change local API Key with the one generated online

To update my API key, I used to go on AWS AppSync → Settings and generate a new one.
After that, inside my local app, I find and replace my old API key with the new one... Until yesterday this worked fine, but now, no matter what I do, when I run amplify status it outputs my old API key.
I also tried amplify update api with no luck. Later I tried amplify pull to see if it updates my local API key with the new one from the web app (AppSync), still no luck.
I already have a valid API key generated online, so why am I not able to update my local API key with the same key?
Try this solution:
Open this file inside your project: amplify/backend/<api>/parameters.json
Add these lines:
"APIKeyExpirationEpoch": -1,
"CreateAPIKey": -1
From the terminal run amplify push.
This should delete the API key from the stack. Now, remove APIKeyExpirationEpoch and CreateAPIKey from parameters.json, and create a new key using the CLI:
amplify update api
Here, in most cases, you have to select:
? Select from one of the below mentioned services: -> GraphQL (or rest API, it depends on your needs)
? Select a setting to edit -> Authorization modes
? Choose the default authorization type for the API -> API key
✔ After how many days from now the API key should expire (1-365): ->365
? Configure additional auth types? ->No
And finally run:
amplify push
With this solution you can renew your API key for 1 year.
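The rotation procedure in this answer and in the earlier one (parameters.json, amplify push, amplify update api) leaves two ways for a client to end up with "You are not authorized to make this call.": the key in aws-exports.js has expired, or it was deleted by the push. The check below is an added example, not code from the posts or from Amplify: it reads aws_appsync_apiKey out of aws-exports.js and classifies it against the key list AppSync reports. The file content and key list here are constructed; for a real API the list comes from `aws appsync list-api-keys --api-id <id>`.

```python
import re
import time

# Constructed sample of the Amplify-generated aws-exports.js (not a real key)
SAMPLE_AWS_EXPORTS = """
const awsmobile = {
    "aws_appsync_graphqlEndpoint": "https://example.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_authenticationType": "API_KEY",
    "aws_appsync_apiKey": "da2-EXAMPLEOLDKEY"
};
export default awsmobile;
"""

# Constructed sample shaped like the "apiKeys" list from `aws appsync list-api-keys`
# ("expires" is a Unix epoch in seconds; the key id is the key value itself)
NOW = 1_700_000_000
DAY = 86_400
SAMPLE_API_KEYS = [
    {"id": "da2-EXAMPLEOLDKEY", "description": "default", "expires": NOW - 30 * DAY},
    {"id": "da2-EXAMPLESOONKEY", "description": "rotated, default 7-day ttl", "expires": NOW + 3 * DAY},
    {"id": "da2-EXAMPLENEWKEY", "description": "rotated, 365-day ttl", "expires": NOW + 300 * DAY},
]

def configured_api_key(aws_exports_source):
    """Pull the aws_appsync_apiKey value out of the aws-exports.js text."""
    match = re.search(r'"aws_appsync_apiKey"\s*:\s*"([^"]+)"', aws_exports_source)
    return match.group(1) if match else None

def key_status(key_id, api_keys, now=None, warn_days=7):
    """Classify the key the app ships with against what AppSync actually has.

    'missing'  -> not in the API's key list (deleted by the push, or the app
                  points at another API); 'expired' -> AppSync answers
                  'You are not authorized to make this call.';
    'expiring' -> still valid but within warn_days of expiry; 'valid' otherwise.
    """
    now = time.time() if now is None else now
    for key in api_keys:
        if key["id"] != key_id:
            continue
        if key["expires"] <= now:
            return "expired"
        return "expiring" if key["expires"] - now < warn_days * DAY else "valid"
    return "missing"

def check_aws_exports(aws_exports_source, api_keys, now=None):
    """Return (configured key id, status) for the key in aws-exports.js."""
    key_id = configured_api_key(aws_exports_source)
    return key_id, key_status(key_id, api_keys, now)

if __name__ == "__main__":
    print(check_aws_exports(SAMPLE_AWS_EXPORTS, SAMPLE_API_KEYS, now=NOW))
```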

Google Admin SDK - watch users with Let's Encrypt secured endpoint

I'm doing a PoC of a G Suite custom solution which needs to listen to changes on the users resource. I've created a G Suite account and linked it (and verified it) with mytestdomain.com. It's also verified in the API console. Basically I followed the instructions from https://developers.google.com/admin-sdk/directory/v1/guides/push
and fulfilled all the requirements from there.
Unfortunately, when I try to register my webhook I'm getting the following error:
Watch request denied by backend [403]
Errors [
Message[Watch request denied by backend] Location[ - ] Reason[watchDenied] Domain[push]
]
I'm stuck with it and don't know where to look for more details about that error.
I'm using a certificate generated by Let's Encrypt, but I tested it with https://www.ssllabs.com/ssltest/ and got rank A. How do I check whether the Google API treats Let's Encrypt as a trusted CA?
The problem wasn't related to Let's Encrypt certificates in any way. They work just fine with Google's push notifications. I contacted Google support and with their help established that sending a request with the showDeleted parameter set to true was the root cause of the above problem.
The support guy claimed that the documentation was copied from the list method, that the parameter cannot be used with the watch method, and that they're going to update the docs of the watch method in the API reference. (However, it's still there.)

Amazon SNS: "Platform credentials are invalid" when re-entering a GCM API key that previously worked

We have been using Amazon SNS to send Android push notifications since April this year.
Pushes have been sent with no problem; however, there has never been any record of calls to the Cloud Messaging API in the Cloud Console (seems odd?).
Today I created a new API key for the Static Map service (unrelated) and renamed our Cloud Messaging API key (only the name, the key is the same). From this point no pushes have been sent, and trying to create a new platform application (or update the existing one) in AWS results in:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
I have also tried manually making calls to the https://gcm-http.googleapis.com/gcm/send endpoint using the key which results in Unauthorized (401).
Interestingly, I can make calls to the above endpoint using the key I created today, however they fail on MismatchSenderId.
I can't see a lot of the previous options that the Cloud Console had (server / browser keys, etc.) within the API Manager?
For those who are facing this in 2017, here goes a tip:
1 - Go to your firebase console (https://console.firebase.google.com/) click on your project (which you want to use for push notifications)
2 - Click on the "three dots" on the right side of your project name and click on "Settings"
3 - Click on "CLOUD MESSAGING" on the header tabs
4 - Copy the "Server Key" (this one is bigger than your API key)
5 - Paste on the "API Key" input of the AWS Form for "Create platform application"
PS: Note that this is valid only for GCM Push Notifications.
API Key management for GCM has been moved to Firebase Console.
You can create a new Firebase Project (or import an existing cloud project) and you should obtain a new Server Key for Cloud Messaging.
See the updated documentation:
https://developers.google.com/cloud-messaging/android/client#create-an-api-project
and the stack overflow question: Where can I find the API KEY for Firebase Cloud Messaging?
If you still have problems please contact:
https://firebase.google.com/support/contact/troubleshooting
I have been getting the same error when creating Amazon SNS platform application:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
After reaching out to the Firebase support as suggested by Diego, this is the response I got from Google:
Hope you're doing well and thanks for reaching out to us.
I'm not really familiar with Amazon SNS and looks like their integration is still with GCM, not FCM. If your app implementation is still GCM, then you need to migrate with FCM in order to use the server key in the console. See the instructions here.
Also, Firebase has upgraded the server keys to a new version. We'd recommend to use the server key instead of the legacy server key.
I hope this helps. Let me know if you have any other concerns. Thank you.
This indicates that we'll have to change our app code. We were able to make this work for another app in our organization by creating a new Firebase project and using the Legacy server key with Amazon SNS.
At some point we'll definitely upgrade to using FCM but at the moment we have a tight deadline.
Update:
So finally what worked for us is using the 'Server Key' under Project Settings --> Cloud Messaging. The app still uses the GCM implementation. Amazon SNS is happy with this key and generated a GCM platform push application. The pushes work!
Still confused about why the 'Legacy Server Key' does not work for one app but is OK for the other. But I am not digging into it any further.
For those starting a new project and wondering why it is still invalid, make sure the application Key restriction is set to Android apps. In my case, it was only set to None, and when I switched to Android apps it worked 5 to 10 minutes after updating it. You'll need to add your package name and SHA-1 certificate fingerprint.

API Key enabled, but requests without key still running

In my API Gateway console, I did the following:
Created an API key
Associated the key with a deployed API stage
Checked the key's "Enabled" checkbox
For each method of each resource of my API, required the API key for authentication
I expected curl https://my-api-gateway-url/my-resource to 403, since I didn't include the x-api-key header, but it was a 200 instead. My Lambda function behind API Gateway ended up running when it shouldn't have run without the API key.
How can I ensure the key is required to authenticate all requests?
EDIT: I was following the documentation here: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html
Just answered my own question. Posting my answer here as I know I'm not the only one wondering about this, like this person.
The answer is to redeploy your API. Although redeploying sounds obvious, the docs completely skip the vital last step, so it's easy to overlook.