WSO2is decision entitlement for tenants - wso2

What alternative do I have for accessing https://xxxx/api/identity/entitlement/decision/pdp to check access to resources using the access token generated for a user authenticated in a tenant?
If I use Authorization: Bearer <token> in the headers, my response is an HTTP 401. I need to use an access token, because I don't have access to admin credentials.

The permission level for this resource is defined in the repository/conf/identity/identity.xml file as below.
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
When you generate the access token, the user of that token should have a role assigned to him with this permission. So create a role and assign this permission to that role. Then assign the role to that user. Now generate a new token (be cautious, as IS might return the existing token if it is still valid) and try the flow.

Related

What is the access key Id and Secret returned in get credentials for identity call in aws cognito?

I have set up AWS Cognito and would like to use their federated identities to authenticate users against my own database. On getting a token after calling get_open_id_token_for_developer_identity() and then calling get_credentials_for_identity(), the response is identityID, AccessKey, clientSecret and session token, but this accesskey and client secret do not match the security credentials for my root user or even the IAM users, and when used in Postman with the AWS Signature authorization it throws an unauthorized error. I am getting the credentials after calling get_credentials_for_identity() using the identity ID and, in login, {"cognito-identity.amazonaws.com": <token_from_get_open_id>}, but the response, which includes accesskey and client secret, does not let me hit the API now secured using Cognito.
"this accesskey and client secret do not match the security credentials for my root user or even the IAM users"
These are new and temporary credentials not linked to your root or other IAM users in your account. From docs:
"You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application, so that your users can access AWS resources."
This is explained more here:
"When a user logs in to your app, Amazon Cognito generates temporary AWS credentials for the user. These temporary credentials are associated with a specific IAM role. The IAM role lets you define a set of permissions to access your AWS resources."

How to check if an AWS STS access token is valid

I have a lambda function that uses AWS STS to generate temporary credentials and then sends the access token via HTTP to a Web API in an EC2 instance.
Is there a way to validate the received access token from the API?
Calling STS GetCallerIdentity will tell you if the credentials are usable to make API calls, and it will identify the underlying AWS account and assumed role.
For example:
    aws sts get-caller-identity
    {
        "UserId": "AROAABCDEFGHIJKLMNOPQ:xyz",
        "Account": "123456781234",
        "Arn": "arn:aws:sts::123456781234:assumed-role/somerole"
    }
Notes about the response object:
Account is the AWS account number of the account that owns/contains the calling entity
UserId is the unique identifier of the calling entity. The exact value depends on the type of entity that is making the call.
AWS security architecture assures you that any token generated by IAM represents a valid token, and that the given service that generated the token had permissions to do so. If you are concerned that some entity with elevated privileges generated a token, and that that token is not to be trusted, then you have a security configuration problem. You would need to check CloudWatch to see what entity generated the token, and revoke its permissions.
As @jarmod suggests, if a given token works, then it is valid. That is all you can know about its validity.
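One way the receiving API could apply the GetCallerIdentity check described in the answers above, as an added example that is not code from the original posts: it calls STS with the received credentials only and compares the account and assumed-role name against an allow-list. The function names, the allow-list values and the FakeSts stand-in are assumptions for illustration.

```python
import re

# Real assumed-role ARNs: arn:aws:sts::<account>:assumed-role/<role>/<session>
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws[a-z-]*:sts::(\d{12}):assumed-role/([\w+=,.@-]+)/([\w+=,.@-]+)$"
)

def make_sts_client(access_key, secret_key, session_token, region="us-east-1"):
    """Build an STS client that uses ONLY the credentials received over HTTP."""
    import boto3  # imported lazily so the checks below run without the SDK
    return boto3.client(
        "sts", region_name=region,
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        aws_session_token=session_token,
    )

def check_caller(sts_client, expected_account, allowed_roles):
    """Return (ok, detail); ok is True only for an allowed assumed role."""
    try:
        ident = sts_client.get_caller_identity()
    except Exception as exc:  # expired, malformed or otherwise rejected
        return False, f"credentials rejected by STS: {type(exc).__name__}"
    m = ASSUMED_ROLE_ARN.match(ident.get("Arn", ""))
    if not m:
        return False, "caller is not an assumed-role session"
    account, role, session = m.groups()
    if account != expected_account or ident.get("Account") != expected_account:
        return False, f"unexpected account {account}"
    if role not in allowed_roles:
        return False, f"role {role} is not allowed"
    return True, f"{role}/{session}"

class FakeSts:
    """Constructed stand-in for the STS client so the example runs offline."""
    def __init__(self, response=None, error=None):
        self.response, self.error = response, error
    def get_caller_identity(self):
        if self.error:
            raise self.error
        return self.response

if __name__ == "__main__":
    # Constructed response, modelled on the sample output above.
    good = FakeSts({"UserId": "AROAEXAMPLEID:xyz", "Account": "123456781234",
                    "Arn": "arn:aws:sts::123456781234:assumed-role/somerole/xyz"})
    print(check_caller(good, "123456781234", {"somerole"}))
```

In production, pass `make_sts_client(...)` built from the three received values instead of `FakeSts`; a successful call proves the credentials are usable, and the ARN comparison ties them to the role the API expects.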

AWS STS Assume Role: Get session token

I am trying to get a session token for the given IAM in Postman but am not able to receive a token.
If I use boto3.client('sts'), I am able to get the token.
Use Case: I am trying to invoke a VPC REST endpoint from an EC2 instance where a ServiceNow mid-server instance is running. Since we have the ServiceNow mid-server agent running on the EC2 instance, I want to use the IAM Role attached to EC2 to authenticate to other VPC endpoints that are deployed in the same AWS account.
I have a permission policy attached to the IAM Role to allow the Assume Role policy. If there is any other approach, please suggest it.
Here is the HTML response in Postman. Postman is redirecting to the IAM docs.
    import boto3

    # Credentials are taken from boto3's standard locations (env, ~/.aws, instance role)
    client = boto3.client('sts')
    response = client.assume_role(
        RoleArn='arn:aws:iam::**************:role/ServiceNow-midserver-Role',
        RoleSessionName='Session1',
        DurationSeconds=3600
    )
    print(response)
Is anything wrong with the Postman request body or endpoint?
Authentication in Postman is set to none.
To call AssumeRole from Postman (or curl etc.) as opposed to using a supported AWS SDK, you should follow the AssumeRole API documentation. You will also need to authenticate using AWS credentials.
Specifically, the request is an HTTP GET and parameters are passed as query strings, for example:
    GET https://sts.amazonaws.com/
        ?Version=2011-06-15
        &Action=AssumeRole
        &RoleSessionName=stackoverflow-64706420
        &RoleArn=arn:aws:iam::123456781234:role/myrole
        &DurationSeconds=3600
Here's what this looks like in Postman:
And you will need to add AWS credentials so that your API request is signed correctly, for example:
Click 'Send' and the response will look something like this:
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<AssumedRoleUser>
<Arn>arn:aws:sts::123456781234:assumed-role/123456781234/stackoverflow-64706420</Arn>
<AssumedRoleId>ARO123EXAMPLE123:stackoverflow-64706420</AssumedRoleId>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<SessionToken>
AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
</SessionToken>
<Expiration>2020-12-09T13:34:41Z</Expiration>
</Credentials>
<PackedPolicySize>6</PackedPolicySize>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
You need to use credentials for an IAM user or an IAM role to call AssumeRole. boto3 must be getting credentials from the standard locations it looks for (like ~/.aws/config) [ref: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html]. Maybe you could try providing the AWS creds in the Authorization tab in Postman, selecting the type AWS Signature, and then call AssumeRole.
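What "signed correctly" means for the GET request in the answers above, as an added example that is not code from the original posts: a standard-library Signature Version 4 signer for the AssumeRole query, producing the same Authorization header that Postman's AWS Signature option or boto3 would compute. The function name and the key values in the demo are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_assume_role(access_key, secret_key, role_arn, session_name, now,
                     session_token=None, duration=3600,
                     host="sts.amazonaws.com", region="us-east-1"):
    """Return (url, headers) for a SigV4-signed AssumeRole GET request."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    params = {"Action": "AssumeRole", "Version": "2011-06-15",
              "RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": str(duration)}
    # Canonical query string: sorted by name, RFC 3986 percent-encoding.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # required when the caller holds temporary credentials
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "GET", "/", query,
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(b"").hexdigest(),  # hash of the empty GET body
    ])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # The signing key is derived from the secret; the secret is never sent.
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return f"https://{host}/?{query}", headers

if __name__ == "__main__":
    # Constructed placeholder credentials; substitute real ones at runtime.
    url, hdrs = sign_assume_role(
        "AKIAEXAMPLEKEYID", "constructed-secret-not-real",
        "arn:aws:iam::123456781234:role/myrole", "stackoverflow-64706420",
        datetime.datetime.now(datetime.timezone.utc))
    print(url, hdrs["Authorization"], sep="\n")
```

With authentication set to none, the request carries no Authorization header at all, which is why STS does not return credentials.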

Using aws STS to get temporary credentials: Where is the web identity token?

My users log in to my application through a microservice that connects to Cognito (the request is proxied via API Gateway).
They get a session token.
Once logged in, they need to put some files to S3.
I want to give them temporary credentials using STS but to call sts.AssumeRoleWithWebIdentity I need a web identity token.
How can I get a web identity token with a session token as input?
I wrote a temporary lambda (node) that returns STS credentials upon logging with a username and password:
    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    const cognitoidentity = new AWS.CognitoIdentity();
    cognitoidentityserviceprovider.initiateAuth(...) //AuthFlow: 'USER_PASSWORD_AUTH'
    cognitoidentity.getId(...)
    cognitoidentity.getCredentialsForIdentity(...)
There can be some time between the login and the file upload and I don't want the user to submit user/password each time. There's no AuthFlow accepting a session token either.
I'm guessing the API Gateway could return something useful but I didn't find anything in the docs:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
A few checks first:
Let the Cognito-authenticated user "masquerade" under an IAM role. To do that we use trust relationships; to be quick, you can reuse the IAM role that gets assigned to your Cognito identity pool.
Grant that IAM role a policy to access the S3 bucket.
Once done:
Run cognitoidentity.getCredentialsForIdentity(...) again. It will go through STS first, thus you don't have to call the STS AssumeRole API. If successful, the response should have AccessKeyId, SecretKey and SessionToken. These are expiring AWS creds that have access to S3 and will be gone after an hour (unless set). Use them as normal session authentication.
    creds = new SessionAWSCredentials(AccessKeyId, SecretKey, SessionToken);
    s3Request = CreateAmazonS3Client(creds);

How to validate authorization in AWS Web Identity Federation roles?

We are planning to use AWS WebIdentityFederation for a single page application.
I have created an OIDC provider, which is an external ADFS, and created a WebIdentityFederation assumed role. I am able to generate an id_token through ADFS. In this id_token, I have added a Role claim, which is AD Groups (I can change to AWS Role ARNs if needed), and then generate temporary STS tokens from the AWS STS API.
However, it looks like the AWS WebIdentityFederation role doesn't validate any role claim inside the id_token, like AWS does for SAML federation. This creates an authorization question: if a user has a valid id_token, they can assume any WebIdentityFederation role.
For example: if I have two WebIdentityFederation roles, READONLY and ADMIN, then a user with a valid id_token can assume both READONLY and ADMIN, even if in the id_token the user has the READONLY role.
Is there any way to validate role or any other custom claims present in id_token? Can it be done through Trust Policy conditions?