Can't add message to AWS SQS using Postman - AccessDenied? - amazon-web-services

I am trying to add a message to my SQS using Postman.
When I try the following on Postman:
GET https://sqs.us-east-1.amazonaws.com/205115639995/myQueue.fifo?Action=SendMessage&MessageBody={"message":"test1}
I get:
<?xml version="1.0"?>
<ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>Access to the resource https://sqs.us-east-1.amazonaws.com/205115639995/myQueue.fifo is denied.</Message>
<Detail/>
</Error>
<RequestId>80ddb4e8-5eff-5143-adf6-e39d5cb46aa2</RequestId>
</ErrorResponse>
I have my AWS ACCESS and SECRET keys saved in my environment variables and they are correct.
What could be the issue here? Do I need to add my KEYS to the request?

The AWS credentials are picked up by AWS-provided tools like the AWS CLI, Boto3 (Python) etc. They look in various places, like environment variables, the credentials files that are generated by aws configure, etc.
Postman is not an AWS property, so this lookup logic is not built in. This is the reason why you are facing the issue.
There's a little bit of configuration that is needed to let Postman know that you want to use AWS credentials for a particular API call.
Head over to the "Auth" tab when editing the Request.
From the "Type" dropdown, select "AWS Signature"
Here you will find a place to add your accesskey and secretkey as well as other optional parameters like region.
All set. If the service you are trying to connect to is publicly accessible, and the credentials you are using have a policy in place to access the service, you should now be authenticated to access it.
Image for your reference:

Related

AccessDenied application using S3 in AWS EC2 Instance

I have hosted a meteor-angular application using S3 in AWS EC2.
Now when I run the Application I am receiving this error message below.
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>8WK30J2DDCZRTWXK</RequestId>
<HostId>6+bSjn5yWA5olpHZb7pcYCBAIlCzPjN8MxxBs3kTuGfuNuNk+CgHDjDeBpXCIjpd5WDVoFnc5Zw=</HostId>
</Error>
I have searched a lot for a suitable answer and also to understand what might be the issue.
When I run aws s3 ls in the terminal I am able to see all the S3 buckets and also in the IAM Role I have added the AmazonS3FullAccess Permissions policies. But still, the issue remains.
When I go to my bucket permissions it says that "objects can be public" and the public access is not blocked.
Here is an example of an Object permission screenshot.
Can anyone help me to fix this error?
On your S3 bucket, check the security rules and check if they are available to the public. It looks like you're trying to access it in the web browser; if so, you'll need to make it public.
I believe you can do this either to the entire bucket or to each object; the concept should be the same for each.
Go to your bucket and select the object using the checkbox.
Click on actions and select make public.

AWS STS Assume Role: Get session token

I am trying to get a session token for the given IAM in postman but not able to receive a token.
If I use boto3.client('sts'), I am able to get the token.
Use Case: I am trying to Invoke VPC Rest Endpoint from EC2 instance where ServiceNow mid-server instance is running. Since we have ServiceNow mid-server agent running on EC2 instance, I want to use IAM Role attached to EC2 to authenticate other VPC endpoints that are deployed in the same AWS account.
I have a permission policy attached to the IAM Role to allow the Assume Role policy. If there is any other approach, please suggest it.
Here is the HTML response in Postman. Postman is redirecting to IAM Docs.
import boto3

client = boto3.client('sts')
response = client.assume_role(
    RoleArn='arn:aws:iam::**************:role/ServiceNow-midserver-Role',
    RoleSessionName='Session1',
    DurationSeconds=3600
)
print(response)
Is anything wrong with the Postman request body or endpoint?
Authentication on postman is none.
To call AssumeRole from Postman (or curl etc.) as opposed to using a supported AWS SDK, you should follow the AssumeRole API documentation. You will also need to authenticate using AWS credentials.
Specifically, the request is an HTTP GET and parameters are passed as query strings, for example:
GET https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=stackoverflow-64706420
&RoleArn=arn:aws:iam::123456781234:role/myrole
&DurationSeconds=3600
Here's what this looks like in Postman:
And you will need to add AWS credentials so that your API request is signed correctly, for example:
Click 'Send' and the response will look something like this:
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<AssumedRoleUser>
<Arn>arn:aws:sts::123456781234:assumed-role/123456781234/stackoverflow-64706420</Arn>
<AssumedRoleId>ARO123EXAMPLE123:stackoverflow-64706420</AssumedRoleId>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<SessionToken>
AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
</SessionToken>
<Expiration>2020-12-09T13:34:41Z</Expiration>
</Credentials>
<PackedPolicySize>6</PackedPolicySize>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
You need to use credentials for an IAM user or an IAM role to call AssumeRole. boto3 must be getting credentials from the standard locations it looks for (like ~/.aws/config) [ref:https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html]. Maybe you could try providing the AWS creds in the Authorization tab in Postman, selecting the type as AWS Signature, and then call assumeRole.

How to get the list of repository from AWS CodeCommit using AWS REST API call in Postman tool?

I have to use the AWS REST API to work with various cloud services. Initially, I'm trying in the Postman tool to fetch the list of repositories from AWS CodeCommit. I'm following this link https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListRepositories.html to accomplish my task. I have a problem setting the authorization for this API call. I have provided both access and secret keys and the region. I could not get the repository list; instead I am facing a 503 network issue.
UPDATE
I'm facing the following error message
{
"Output": {
"__type": "com.amazon.coral.service#UnknownOperationException"
},
"Version": "1.0"
}
In Postman, select the POST method and put URL as 'https://codecommit.us-east-1.amazonaws.com/'
Go to Headers and add
'Content-Type' key and 'application/x-amz-json-1.1' as the value
'X-Amz-Target' key and 'CodeCommit_20150413.ListRepositories' as the value
'Host' key and 'codecommit.us-east-1.amazonaws.com' as the value
Go to the 'Authorization' tab and configure the AWS Signature type as follows:
AccessKey: xxxxxxxxxxxxx
SecretKey: xxxxxxxxxxxxx
AWS Region: us-east-1
Go to 'Body' tab and type {}
Click 'Send' to test
Note: Make sure to use the correct region in all the places above (us-east-1 as an example).
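What Postman's "AWS Signature" auth type adds to the SQS, STS and CodeCommit requests above is a Signature Version 4 `Authorization` header; the sketch below is an added example (not code from any of the posts) that builds that header with the Python standard library. The keys are documentation-style placeholders, the timestamp is fixed, and `sigv4_headers`, `sign_sqs_send` and `sign_list_repos` are names chosen for this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

def sigv4_headers(method, host, path, query, body, region, service,
                  access_key, secret_key, now, extra_headers=None):
    """Headers for a SigV4-signed request (assumes a path and query keys
    that need no special percent-encoding or ordering rules)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": host, "x-amz-date": amz_date}
    headers.update({k.lower(): v.strip() for k, v in (extra_headers or {}).items()})
    signed = ";".join(sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method, path, canonical_query,
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # The secret key only seeds this HMAC chain and is never sent; the last
    # link, taken over string_to_sign, is the request signature.
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, service, "aws4_request", string_to_sign):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={key.hex()}")
    return headers

# Constructed inputs: placeholder keys (not real credentials), fixed timestamp.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
WHEN = datetime(2020, 12, 9, 12, 34, 41, tzinfo=timezone.utc)

def sign_sqs_send():  # GET with query parameters, as in the SQS question
    return sigv4_headers("GET", "sqs.us-east-1.amazonaws.com",
        "/205115639995/myQueue.fifo",
        {"Action": "SendMessage", "MessageBody": '{"message":"test1"}'},
        "", "us-east-1", "sqs", ACCESS_KEY, SECRET_KEY, WHEN)

def sign_list_repos():  # POST with X-Amz-Target and JSON body (CodeCommit answer)
    return sigv4_headers("POST", "codecommit.us-east-1.amazonaws.com", "/", {},
        "{}", "us-east-1", "codecommit", ACCESS_KEY, SECRET_KEY, WHEN,
        {"Content-Type": "application/x-amz-json-1.1",
         "X-Amz-Target": "CodeCommit_20150413.ListRepositories"})
```

The STS AssumeRole GET from the earlier answer is signed the same way, with host sts.amazonaws.com, service sts and region us-east-1. A request sent without this header is the unauthenticated call that the SQS question shows being rejected with AccessDenied.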

AWS / Quicksight / AWS4Signer / Signature Mismatch

I am trying to access datasets on QuickSight using AWS4Signer, and I get the below response.
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."
I ensured all the input parameters (region, servicename, etc.) I am providing are correct.
Same SecretAccessKey is working correctly, when used with S3.
My DefaultRequest field that I supply to aws4Signer.sign() looks as below.
GET https://quicksight.us-east-1.amazonaws.com/accounts/19XXXXXXXX20/data-sets?max-results=10 / Parameters: ({"max-results":["10"]}Headers: (x-amz-content-sha256: required, )
The same thing works when I issue a CLI command as below.
aws quicksight list-data-sets --aws-account-id 19XXXXXXXX20
Please let me know what could be missing here.
Are there any QuickSight-specific headers that should be provided?

How to access pre-signed urls for AWS Cloudwatch Logs generated with boto3.client?

I am wondering if it is possible to use pre-signed urls with other aws services other than s3. Specifically, the boto3 documentation http://boto3.readthedocs.io/en/latest/reference/services/logs.html#CloudWatchLogs.Client.generate_presigned_url shows that the method generate_presigned_url is available for cloudwatch logs. I've tried using it in the following fashion.
import boto3

client = boto3.client(
    'logs',
    aws_access_key_id="<aws_access_key_id>",
    aws_secret_access_key="<aws_secret_access_key>",
    region_name='us-east-1'
)
url = client.generate_presigned_url(
    ClientMethod='get_log_events',
    Params={
        'logGroupName': '<logGroupName>',
        'logStreamName': '<logStreamName>'
    },
    ExpiresIn=180
)
The url generates, but when trying to access the url I get the error in the browser:
<InvalidSignatureException>
<Message>The request signature we calculated does not match the
signature you provided. Check your AWS Secret Access Key and signing
method. Consult the service documentation for details.</Message>
</InvalidSignatureException>
For reference, the url is in this format (AWS Signature Version 4):
https://logs.us-east-1.amazonaws.com/
?logGroupName=<logGroupName>&logStreamName=<logStreamName>
?X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=<aws_access_key_id>%2F20130721%2Fus-east-1%2Fs3%2Faws4_request
&X-Amz-Date=20180531T150510Z
&X-Amz-Expires=180
&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target
&X-Amz-Signature=<signature-value>
How can I access this url? I noticed this url has a different format than the ones generated for s3, which works with the same method (i.e. generate_presigned_url with get_objects). Is there a way to make this work with Cloudwatch Logs?