The issue briefly explained:
I am getting this AWSSecretsManagerException AccessDenied when my web application makes API calls to AWS Secrets Manager to get secret keys/data.
The issue in a little more detail:
I have a Web Application war file deployed to AWS ElasticBeanstalk. I have a front end React application on AWS Amplify that makes a HTTPS Request to the WAR file.
As part of handling this request the Web Application interfaces to PayPal's API. To make a successful request to use PayPal's API I need a token. To get that token my web app needs to make a request to PayPal to get that token by sending my Pay Pal Client ID and Secret key.
To not hardcode that into the app or to have a local config file with that client id and key in plain text, I decided to store those in AWS using AWS Secrets Manager. To access the keys stored there in my application I need to use the AWS Secrets Manager SDK. I did that by including this dependency on my Web Applications pom file.
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-secretsmanager</artifactId>
<version>1.11.700</version>
</dependency>
I then added code to retrieve the client id and secret using the AWS Secrets Manager SDK API.
When I run my Web Application locally on my machine on a Payara Server it works. Meaning I have a local React app on my machine that has the HTTP Request go to my local Web app on Payara (instead of on AWS), and the Web app successfully extracts the Client ID and Secrets from AWS Secrets Manager.
However when I deploy my Web Application to Elastic Beanstalk EC2 instance, I get the Exception above from my front end React app on AWS Amplify.
After a couple of hours I got the issue resolved.
First you have to notice the Role listed in the Exception (look at the bolded text):
com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException:
User:
arn:aws:sts::<......>:assumed-role/aws-elasticbeanstalk-ec2-role/<.....>
is not authorized to perform: secretsmanager:GetSecretValue on
resource:
arn:aws:secretsmanager:us-east-1:<......>:secret:<.....>
(Service: AWSSecretsManager; Status Code: 400; Error Code:
AccessDeniedException; Request ID:
<.......>)
When you're in the AWS Console go to AWS->IAM. From there click on the roles link on the left side. Notice the role from the bolded text above is listed there (text circled in red).
Double click on that.
In this screenshot I already did it, but initially the SecretsManagerReadWrite policy (circled in red) wasn't there.
To get that policy, click on "Attach Policies". Then on the next page search for SecretsManagerReadWrite, and click on the checkbox. Click on "Attach Policy" button and now that role has it!
Now my HTTPS request from my React app on AWS Amplify makes the request to my Web App on ElasticBeanstalk and I no longer get that AWSSecretsManagerException AccessDenied message!
Related
Good day. I need help with integration of RazerID into my app as custom OIDC provider in Cognito. I have done all the configurations in the user pool and when I try to log in through Hosted UI it redirects me to Razer page, then I log in, it redirects me back to localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
I check the network section I am getting the code and state
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?
I have been struggling all day, trying to to programmatically create/delete/get apikeys created in the amazon api gateway UI. The weird thing is I am getting a forbidden error even when I got all permissions an account in aws can get.
I am passing everything correctly, the accessKey, secretKey, region and service name from postman to the following url: https://apigateway.eu-west-1.amazonaws.com/apikeys [GET REQUEST] and nothing worked so far.
I've been given admin permissions for the entire aws account and no change. In the aws UI I get do all the actions I'm trying to do from postman/programmatically.
I have a service to service set up that I completed using the google cloud tutorial (https://cloud.google.com/run/docs/authenticating/service-to-service#nodejs)
Changed the cloudrun Service account to have roles/run.invoker (they both share the same role)
Make a request to get the access token: http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://XXXX-XXXX-XXXX-xx.a.run.app'
(failing) Use that access token to make a request at https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint with the access token: axios.post('https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint', {myData}, {headers: {Authorization: 'Bearer eyJhbGciOiJSUz.....'}})
However, on step 3, making the call to my service, I receive a 403 error, any thoughts on what I missed?
Note: I have tried deploying my invoked service with --allow-unauthenticated and without it. I am not using a custom domain, I am using the CloudRun created url.
PS: If I change the ingress from internal and load balancer to all it works, however I'm not sure if this is correct to do.
The HTTP 403 Forbidden error message when accessing your Cloud Run service means that your client is not authorized to invoke this service.
You have not granted the service account permission to call the receiving service. Your question states that you added roles/run.invoker but the error message indicates you did not complete this step correctly.
Go to the Google Cloud Console.
Select the receiving service (this is the Cloud Run service you are calling).
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter the identity of the calling service.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Note: When requesting the Identity Token, do not specify the custom domain. Your question's wording is confusing on that point.
[UPDATE]
The OP has enabled internal and load balancer. This requires setting up Serverless VPC Access.
Connecting to a VPC network
Solution was to add a VPC Connector and route all traffic through it. I added this to the deploy script --vpc-egress all-traffic. Originally I had --vpc-egress private-ranges-only to connect to redis MemoryStore, however this was insufficient to connect to my other service (internal only ingress).
Credit to excellent insight from #JohnHanley and #GuillaumeBlaquiere
Interesting Note About NodeJS: My container wouldn't start when I switched the --vpc-egress to all-traffic, and I had no idea why because there were no logs. It turns out running node v16.2 caused some weird issues with --vpc-egress all-traffic that I couldn't debug, so downgrading to 14.7 allowed the container to start.
Hi I have build an app in spring boot that uses amazon textract for getting table data from a pdf file. This app works correctly when it is installed on my localhost.
Now i have created a new Elastic Beanstalk app on the AWS environment and uploaded my spring jar on there. When i call the url for the app i can verify that the app is there but when i call any of the endpoints that in turn call the textract service i get a permissions error.
User: arn:aws:sts::1234:assumed-role/aws-elasticbeanstalk-ec2-role/i-1234 is not authorized to perform textract:AnalyzeDocument (Service: Textract, Status Code: 400, Request ID: 123xyz, Extended Request ID: null)
Can anyone give me advice as to how / where i can set this up?
Thanks
When you run a Spring Boot application on Elastic Beanstalk, you need to make sure you are setting your service client properly. If you do not, you encounter issues. For example, here is a way to create a service client for Amazon DynamoDB for the Java V2 client:
DynamoDbClient ddb = DynamoDbClient.builder()
.region(region)
.credentialsProvider(EnvironmentVariableCredentialsProvider.create())
.build();
You can set up environment variables on Elastic Beanstalk so that the service client is successfully created. More information here:
Creating your first AWS Java web application
While creating a platform application when I tried to create application and push notification platform select GCM then add API key I got the following.
Invalid parameter: Attributes Reason: Platform credentials are invalid
(Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter;
Request ID: 44a04d15-c58b-5bf8-859e-0311947aac6c)
What does this mean and how can I fix this?
I got exactly same error message as yours. It seems google is migrating Firebase Cloud Messaging (FCM) to Google Cloud Messaging, and the API Key created via Credentials in API Manager of Google Cloud Platform is not working.
And here is how I get it to work.
Go to Firebase Console and import Google Cloud Project.
Go to Project settings on Firebase Console and you should see the Web API
Key of your project.
Go back to your Google Cloud Platform, and go to Credentials of API Manager, you should see there are two API keys have been generated. Browser key (auto created by Google Service) and Server key (auto created by Google Service)
The Server key (auto created by Google Service) is what you need to
use on the Amazon SNS.
Hope it can resolve your problem, and hope it is only a temporary solution that after Google done the migration, we can directly use the API key created in API Manager.