I need to create a lot of new AWS users.
I would like to generate their usernames from their email addresses:
Example@gmail.com -> username: example
and give them a default password that they will be able to change when first logging in. Once the user is created, all users should be put into the same group to have the same permissions.
Is there a bash script or python with which this process could be automated?
You can use the AWS CLI from bash, or the AWS SDK (boto3) from Python, to automate this task.
Here's what you'll need to do:
Read the emails either from a file or from a database.
Use the SDK's create_user function to create the new IAM user (see the linked docs).
Use the SDK's get-login-profile function to create a password for the user with the password-reset-on-login flag (follow the link). Note: this gives the user console access.
Add the user to the specific group using the SDK (follow the link).
Ref:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_cliwpsapi
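The steps above as a working script. This is an added example, not code from the original answer: it uses boto3's create_user, create_login_profile (the call that actually creates the console password, with PasswordResetRequired=True so the user must change it at first sign-in) and add_user_to_group. The user name is the lower-cased local part of the address (Example@gmail.com -> example), sanitised to the characters IAM allows, and collisions between addresses with the same local part are rejected up front. Each user gets an individual random one-time password rather than one shared default, because a shared default lets any recipient log in as any colleague who has not changed theirs yet. The e-mail list, group name and the _FakeIAM stand-in are constructed for the demo; main() uses a real boto3 client.

```python
"""Added example, not code from the original answer: bulk-create IAM users from
an e-mail list with boto3. The user name is the lower-cased local part of the
address (Example@gmail.com -> example), each user gets a random one-time console
password created with create_login_profile(PasswordResetRequired=True), and every
user is added to one group. The e-mail list, group name and the _FakeIAM stand-in
are constructed for the demo; main() uses a real boto3 client."""
import re
import secrets
import string

# IAM user names: 1-64 characters from A-Z a-z 0-9 and + = , . @ _ -
_IAM_NAME = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")
_SYMBOLS = "!@#$%^&*()-_=+"


def username_from_email(email: str) -> str:
    """Example@gmail.com -> 'example'. Characters IAM does not allow are dropped."""
    local = email.strip().split("@", 1)[0].lower()
    local = re.sub(r"[^A-Za-z0-9+=,.@_-]", "", local)[:64]
    if not _IAM_NAME.match(local):
        raise ValueError(f"cannot derive an IAM user name from {email!r}")
    return local


def temporary_password(length: int = 20) -> str:
    """Random per-user password with upper, lower, digit and symbol, so it passes
    a typical account password policy. One shared 'default' password would let
    any recipient log in as any colleague before they change it."""
    alphabet = string.ascii_letters + string.digits + _SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in _SYMBOLS for c in pw)):
            return pw


def plan_users(emails) -> dict:
    """Map e-mails to user names, failing early on collisions
    (alice@a.com and alice@b.com would both become 'alice')."""
    plan, seen = {}, {}
    for email in emails:
        name = username_from_email(email)
        if name in seen:
            raise ValueError(f"{email} and {seen[name]} both map to user name {name!r}")
        seen[name] = email
        plan[email] = name
    return plan


def create_users(iam, emails, group_name: str) -> dict:
    """Create each user, its console login profile and group membership.
    `iam` is a boto3 IAM client (or anything with the same method names).
    Returns {email: (user_name, one_time_password)}; deliver the passwords
    out of band and never log them."""
    created = {}
    for email, name in plan_users(emails).items():
        pw = temporary_password()
        iam.create_user(UserName=name, Tags=[{"Key": "email", "Value": email}])
        iam.create_login_profile(UserName=name, Password=pw, PasswordResetRequired=True)
        iam.add_user_to_group(GroupName=group_name, UserName=name)
        created[email] = (name, pw)
    return created


class _FakeIAM:
    """Records calls so the flow can be exercised without AWS credentials."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


def demo():
    """Run the flow against the stand-in client with constructed input."""
    emails = ["Example@gmail.com", "Second.Person@example.org"]
    iam = _FakeIAM()
    return create_users(iam, emails, "developers"), iam


if __name__ == "__main__":
    import sys
    import boto3  # credentials come from the usual boto3 chain (profile, env, role)
    emails = [line.strip() for line in open(sys.argv[1]) if line.strip()]
    for email, (name, pw) in create_users(boto3.client("iam"), emails, sys.argv[2]).items():
        print(f"{email}\t{name}\t{pw}")
```

Run it as `python create_users.py emails.txt developers` with an identity that may call iam:CreateUser, iam:CreateLoginProfile and iam:AddUserToGroup; the group must already exist. The printed one-time passwords are the only copy, so pipe the output straight into whatever secure delivery you use rather than leaving it in a shell history or log.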
I am working on a React project and I want to use AWS Cognito for role-based authentication. My project will have multiple roles like Super User, User, Admin, Super Admin, etc., and to achieve this I have created multiple user pools, i.e. one user pool for each role. Everything is working correctly, but it turned out that I can achieve the same functionality within a single user pool by making groups in it.
So, the problem is that for now I am using the 'aws-cognito-identity-js' library to authenticate users, but in that library I couldn't find any code related to user pool groups, and I also tried to find another library for user pool groups but couldn't find any. So, how can I integrate that groups logic into my React app?
When you log in to the user pool you get an ID token. The payload of this ID token also contains the groups the user belongs to.
let
    [header, payload, signature] = idtoken.split("."),
    // the payload segment is base64url, so map it to standard base64 before atob()
    jsonPayload = JSON.parse(atob(payload.replace(/-/g, "+").replace(/_/g, "/"))),
    groups = jsonPayload["cognito:groups"];
Of course you can also use your favourite JWT library (maybe even amazon-cognito-identity-js has something included) to verify and parse the ID token and extract the desired claims from it.
EDIT
amazon-cognito-identity-js cannot be used to manage groups during self-signup of a user. IMHO it would be counter-intuitive and a security flaw if a user could add himself to a group (which probably has certain security implications in your app) without administrative intervention.
If you really want to allow the newly created user to select which groups he belongs to, you can do that via a Post Confirmation trigger on the user pool.
Add the desired group name, for instance, as a custom attribute while signing up the user.
Once the user is confirmed, the post confirmation trigger (a Lambda function) is executed. This Lambda function has to have the necessary permissions to execute the AdminAddUserToGroup command.
Within the trigger (which receives the user's attributes as a parameter), execute the mentioned AdminAddUserToGroup command.
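The server-side half of this, as an added example that is not part of the original answer: a Python Post Confirmation trigger that reads the group requested through a custom:group attribute and calls AdminAddUserToGroup only when that group is on an allowlist, so a self-signup cannot be used to claim Admin. It also carries a parser for the cognito:groups claim that handles base64url padding correctly; note that this parser does not verify the token, and the groups must not be used for authorization until the signature has been checked against the pool's JWKS and iss, aud, exp and token_use have been validated. The demo token (which is unsigned), the group names and the _FakeCognito stand-in are constructed.

```python
"""Added example, not code from the original answer: the server-side half of the
group logic in Python. id_token_groups() reads cognito:groups from an ID token
with correct base64url handling, and lambda_handler() is a Post Confirmation
trigger that adds the user to a self-selected group only when that group is on
an allowlist, so sign-up cannot be used to claim Admin. The demo token (which is
unsigned), the group names and the _FakeCognito stand-in are constructed."""
import base64
import json
import os

# Groups a user may pick for themselves at sign-up. Privileged groups are
# deliberately absent: membership there is granted by an administrator.
SELF_SERVICE_GROUPS = frozenset(os.environ.get("SELF_SERVICE_GROUPS", "User").split(","))


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; plain base64 decoding fails on '-', '_' and missing '='."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_groups(id_token: str) -> list:
    """Return the cognito:groups claim. This only parses. Before the result is used
    for authorization the token must be verified: signature against the pool's JWKS
    (https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json)
    plus the iss, aud, exp and token_use == "id" checks."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return list(claims.get("cognito:groups", []))


def chosen_group(event: dict):
    """The group requested through the custom:group attribute at sign-up, if allowed."""
    group = event.get("request", {}).get("userAttributes", {}).get("custom:group")
    return group if group in SELF_SERVICE_GROUPS else None


def lambda_handler(event, context, cognito=None):
    """Post Confirmation trigger. The function's role needs cognito-idp:AdminAddUserToGroup
    on the pool. `cognito` is injectable so the handler can be exercised offline."""
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return event  # PostConfirmation_ConfirmForgotPassword etc.: nothing to do
    group = chosen_group(event)
    if group is not None:
        if cognito is None:
            import boto3
            cognito = boto3.client("cognito-idp")
        cognito.admin_add_user_to_group(
            UserPoolId=event["userPoolId"], Username=event["userName"], GroupName=group)
    return event  # Cognito requires the trigger to return the event


def make_demo_token(groups) -> str:
    """Constructed, unsigned token for the parser demo; never accept alg=none in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'cognito:groups': groups, 'token_use': 'id'})}."


class _FakeCognito:
    def __init__(self):
        self.calls = []

    def admin_add_user_to_group(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def demo():
    fake = _FakeCognito()
    base = {"triggerSource": "PostConfirmation_ConfirmSignUp",
            "userPoolId": "us-east-1_demo", "userName": "alice"}
    for wanted in ("User", "SuperAdmin"):  # the second must be ignored
        lambda_handler({**base, "request": {"userAttributes": {"custom:group": wanted}}}, None, fake)
    return id_token_groups(make_demo_token(["User", "Admin"])), fake.calls
```

The allowlist is the whole point of the trigger: the custom attribute is user-supplied input, so whatever the front end offers, the Lambda decides which group names it will honour. The Lambda's execution role should be scoped to cognito-idp:AdminAddUserToGroup on that one pool ARN.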
I am creating an EUC Dashboard in AWS by following this tutorial. To log in to the dashboard, you're supposed to link SSO and Cognito. Unfortunately, my environment differs from the one in the tutorial:
My user management runs on Microsoft Azure and AWS SSO checks Azure for authentication. The users only have a username (in the form of an email), not an email. In the tutorial (Module 2, Step 4, §18), attribute mapping for the SSO application is done by mapping ${user.email} to this schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
I instead want to map my usernames.
I have read through the AWS documentation for attribute mappings but that isn't enough for me to work this out.
How do I make this work for my setup?
As your usernames are in an email format, you can still use the emailaddress claim schema for your user attribute mapping; there'll be no issues.
The only note is to ensure that the correct field is used for the mapping, e.g. ${user.username} in this case instead of ${user.email}.
I am trying to use Apache Libcloud to access GCP and hopefully be able to launch compute instances. So, following the documentation, I have created a service account on GCP associated with my email and given it Owner access for the moment. After that, I am using libcloud as follows:
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

ComputeEngine = get_driver(Provider.GCE)
driver = ComputeEngine('luca@googlemail.com', 'gcp-key.json', project='first-gcp')
This actually displays a URL and asks me to enter a code from it. When I click on the URL, I get the error message:
The OAuth client was not found.
This was not the workflow I was envisioning. I thought providing the secret key would just let me in and I would be able to then use methods for launching instances etc. So, I am not sure if I am doing the right thing by using a service account on GCP for this.
So I get the following, asking for a code:
Please Go to the following URL and sign in:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxx&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fndev.clouddns.readwrite&state=Libcloud+Request
Enter Code:
How should I approach this? We will be a few remote people working on this eventually, so ideally each person will have their own key to use, and this should happen in a somewhat autonomous way, in the sense that if codes do not need to be entered manually, that would be great.
From the Console (https://cloud.google.com/console), select your project. When your project is open, select "APIs & auth" and then "Credentials" as shown below:
In Development: Preferably make one for each, could use one for all for testing purposes.
In production: For each user to use this service, create a service account.
When you download the service account key, you should have it as a .pem or .json file. Use the email address from the service account (if you open the json/pem you should be able to see the email) and give it the correct values for region/project/email and the path to the pem file.
The code you're using is correct; avoid using the name "ComputeEngine" since it may be a keyword (even though it probably isn't, it's best practice).
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

Driver = get_driver(Provider.GCE)
gce = Driver('your_service_account_email', 'path_to_pem_file',
             datacenter='us-central1-a',
             project='your_project_id')
Have a look here if you're confused on any steps. But this should definitely work.
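Why the question's code produced a browser prompt, and a guard against it, as an added example that is not part of the original answer. libcloud guesses the auth flow from user_id: an address that is not a *.gserviceaccount.com account is treated as an installed-application OAuth client ID, which is the "Please go to the following URL" prompt and the "OAuth client was not found" error above. The helper below reads the key file, confirms it really is a service-account key, refuses one that other users on the box can read, and returns the user_id (the key's client_email) plus auth_type='SA' to pass to the driver. The key file contents are constructed; make_driver() is the real libcloud call and is not exercised offline.

```python
"""Added example, not code from the original answer: derive libcloud GCE driver
arguments from a service-account key file and fail loudly when the file is not
a service-account key. Key file contents below are constructed."""
import json
import os
import stat
import tempfile


def gce_driver_args(key_path: str, project=None, datacenter="us-central1-a") -> dict:
    """Return the arguments for get_driver(Provider.GCE)(...), or raise."""
    with open(key_path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        raise ValueError(f"{key_path} is not a service-account key (type={key.get('type')!r})")
    email = key.get("client_email", "")
    if not email.endswith(".gserviceaccount.com"):
        raise ValueError(f"client_email {email!r} is not a service account; libcloud would "
                         "fall back to the installed-application OAuth flow")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{key_path} is readable by other users (mode {mode:o}); chmod 600 it")
    return {
        "user_id": email,                     # the service account, not your Gmail address
        "key": key_path,
        "project": project or key.get("project_id"),
        "datacenter": datacenter,
        "auth_type": "SA",                    # service-account flow: no browser, no code to paste
    }


def make_driver(key_path: str, project=None, datacenter="us-central1-a"):
    """Real run: build the libcloud driver (one key file per person, never shared)."""
    from libcloud.compute.providers import get_driver
    from libcloud.compute.types import Provider
    args = gce_driver_args(key_path, project, datacenter)
    return get_driver(Provider.GCE)(args.pop("user_id"), args.pop("key"), **args)


def demo():
    """Write a constructed service-account key and a constructed OAuth client file
    and show that only the former yields driver arguments."""
    tmpdir = tempfile.mkdtemp()
    sa_path = os.path.join(tmpdir, "gcp-key.json")
    with open(sa_path, "w") as fh:
        json.dump({"type": "service_account", "project_id": "first-gcp",
                   "client_email": "deploy@first-gcp.iam.gserviceaccount.com",
                   "private_key": "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"}, fh)
    os.chmod(sa_path, 0o600)
    good = gce_driver_args(sa_path)

    client_path = os.path.join(tmpdir, "client_secret.json")  # an installed-app OAuth client
    with open(client_path, "w") as fh:
        json.dump({"installed": {"client_id": "xxx.apps.googleusercontent.com"}}, fh)
    os.chmod(client_path, 0o600)
    try:
        gce_driver_args(client_path)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return good, rejected
```

For the multi-person setup in the question, each person gets their own service account and key file with only the roles they need (Owner is far more than "launch instances" requires), and the key file stays at mode 600 on their machine.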
So I know it is really BAD PRACTICE to store a user's password in cleartext (even encrypted)... But here is my problem.
I am developing an in-house automation web app using Django as my backend, and users log in using their LDAP credentials. My app interacts with several 3rd-party applications (Jira, Jenkins, GitLab) that also use LDAP credentials for user authentication. I would also like the ability to write to the users' (Linux) file system from the server (saving generated scripts).
What are my options?
The only one I have thought of is to encrypt the password when the user logs in and store that in the Django session. Encryption and decryption keys will be generated per session and saved using Django's sessions. The password will be decrypted whenever a password is needed, but it will never be saved as clear text.
*Obviously the user will need to consent to this method.
Any other ideas?
If we're talking about logging into the user's account using SSH, you can use public/private keys to do that. When the user logs in, use his password to connect to his account and create an authorized_keys file there (or edit the existing one) inside the ~/.ssh directory. That way you will have SSH access later.
Additionally, you can create some scripts that will handle those filesystem changes at root level.
I know that Jira and GitLab can use OAuth, and I'm pretty sure Jenkins understands that also. So you might be able to generate an OAuth token for the user on login (when you have the password in cleartext) for those systems and then use that token without the need to store the password.
Regarding the SSH access, @GwynBleidD already gave a good answer.
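The SSH-key part of @GwynBleidD's answer in Python, as an added example that is not part of either answer. The web app keeps one key pair per user; at login the LDAP password is used exactly once to read ~/.ssh/authorized_keys on the user's account, merge in the app's public key, and write the file back, after which the password is discarded and key authentication is used. Two things the answer leaves implicit are made explicit here: the entry is restricted (from= the web server, no forwarding, no PTY) so a leaked app key is worth little, and the merge is idempotent, replacing any earlier unrestricted copy of the same key, so running it on every login is safe. The transport (e.g. paramiko) is not included; the public key, host and file contents are constructed.

```python
"""Added example, not code from the original answers: install the web app's
per-user SSH public key into ~/.ssh/authorized_keys over the one session in
which the user's password is available, with restrictions on the key and an
idempotent merge. The public key, host and file contents are constructed."""
import shlex

_KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def restricted_entry(pubkey_line: str, from_host: str, comment: str) -> str:
    """Scope the key: usable only from the web server, no forwarding, no PTY."""
    parts = pubkey_line.split()
    if len(parts) < 2 or not parts[0].startswith(_KEY_TYPES):
        raise ValueError("not an OpenSSH public key line")
    options = (f'from="{from_host}",no-port-forwarding,no-agent-forwarding,'
               'no-X11-forwarding,no-pty')
    return f"{options} {parts[0]} {parts[1]} {comment}"


def _key_blob(entry: str):
    """(type, base64 blob) of an authorized_keys line, ignoring options and comment."""
    tokens = entry.split()
    for i, token in enumerate(tokens):
        if token.startswith(_KEY_TYPES) and i + 1 < len(tokens):
            return token, tokens[i + 1]
    return None


def merge_authorized_key(existing: str, entry: str) -> str:
    """Return authorized_keys content with `entry` present exactly once. An older line
    for the same key (e.g. one installed without restrictions) is replaced in place,
    so re-running at every login is safe."""
    target = _key_blob(entry)
    out, replaced = [], False
    for line in existing.splitlines():
        if line.strip() and not line.startswith("#") and _key_blob(line) == target:
            if not replaced:
                out.append(entry)
                replaced = True
            continue  # drop further duplicates of the same key
        out.append(line)
    if not replaced:
        out.append(entry)
    return "\n".join(out) + "\n"


def install_command(merged: str) -> str:
    """Shell to run over the one password-authenticated session: writes the merged
    file with the permissions sshd insists on, through a temp file so a dropped
    connection cannot leave authorized_keys truncated."""
    return ("umask 077 && mkdir -p ~/.ssh && "
            f"printf '%s' {shlex.quote(merged)} > ~/.ssh/authorized_keys.tmp && "
            "mv ~/.ssh/authorized_keys.tmp ~/.ssh/authorized_keys")


def demo():
    """Constructed data: the user's existing file (which already holds an
    unrestricted copy of the app key) and the app's key for this user."""
    app_pubkey = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyBlob0000000000000000000"
                  " automation@web")
    existing = ("# personal laptop\nssh-rsa AAAAB3ConstructedOtherKey user@laptop\n"
                + app_pubkey + "\n")
    entry = restricted_entry(app_pubkey, "10.0.0.5", "automation-web")
    merged = merge_authorized_key(existing, entry)
    return entry, merged, install_command(merged)
```

The sequence over the password session is: run `cat ~/.ssh/authorized_keys 2>/dev/null` to get `existing`, compute `merge_authorized_key(existing, entry)` locally, run `install_command(merged)`, then close the session and forget the password. From then on the app connects with its private key for that user, which should live outside the web root with mode 600 and be rotated (re-running the same merge) when the server's `from=` address changes.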
I have Admin access to a Google domain. I want to do a bulk password reset of user accounts and also, if possible, make them change their password after first sign-in. Currently I'm doing this using GAM. Is there any way to do this using Apps Script or a Python script?
I have generated a random password and tried to reset the password, but it's not happening. I don't know how to connect with the Admin SDK.
This can be done with both Python (which is how GAM does it) or Apps Script. From my POV, unless you need to move this process into the cloud (Apps Script), you might as well use GAM to complete the task.
That being said, in both instances you're going to want to use the Directory API (within the Admin SDK), as this has access to change passwords and set "change password at next login" to true. I recommend taking a look at this Apps Script page, making note of the additional steps needed to use the Admin SDK within Apps Script.
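The Python route described above, as an added example that is not part of the original answer. It uses google-api-python-client's discovery interface (service.users().update(userKey=..., body=...).execute()) with the https://www.googleapis.com/auth/admin.directory.user scope, sets a fresh random password per user together with changePasswordAtNextLogin, and collects failures per user instead of aborting the run, so a typo in one address does not stop the rest. The user list and the _FakeDirectory stand-in are constructed; build_service() is the real-credential path (a service account with domain-wide delegation impersonating an admin) and is not exercised offline.

```python
"""Added example, not code from the original answer: bulk password reset with the
Directory API from Python. The user list and the _FakeDirectory stand-in are
constructed; build_service() needs real credentials."""
import secrets

SCOPES = ["https://www.googleapis.com/auth/admin.directory.user"]


def reset_body(password: str) -> dict:
    """Body for users.update: set the password and force a change at next sign-in."""
    return {"password": password, "changePasswordAtNextLogin": True}


def bulk_reset(service, emails):
    """Reset every address in `emails`. Returns ({email: new_password}, {email: error})."""
    results, errors = {}, {}
    for email in emails:
        password = secrets.token_urlsafe(16)  # distinct per user; never one shared value
        try:
            service.users().update(userKey=email, body=reset_body(password)).execute()
            results[email] = password
        except Exception as exc:  # googleapiclient.errors.HttpError: unknown user, quota, ...
            errors[email] = str(exc)
    return results, errors


def build_service(credentials_path: str, admin_email: str):
    """Real run: a service account with domain-wide delegation impersonating an admin.
    Kept separate so the rest of the module has no Google dependency."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        credentials_path, scopes=SCOPES).with_subject(admin_email)
    return build("admin", "directory_v1", credentials=creds)


class _FakeDirectory:
    """Mimics the users().update(...).execute() chain; unknown users fail like the API."""

    def __init__(self, known_users):
        self.known, self.calls = set(known_users), []

    def users(self):
        return self

    def update(self, userKey, body):
        self.calls.append((userKey, body))
        self._pending = userKey
        return self

    def execute(self):
        if self._pending not in self.known:
            raise RuntimeError(f"404 user not found: {self._pending}")
        return {"primaryEmail": self._pending}


def demo():
    service = _FakeDirectory(["alice@example.com", "bob@example.com"])
    targets = ["alice@example.com", "bob@example.com", "ghost@example.com"]  # constructed
    return bulk_reset(service, targets), service


if __name__ == "__main__":
    import sys
    service = build_service(sys.argv[1], sys.argv[2])
    ok, failed = bulk_reset(service, [line.strip() for line in sys.stdin if line.strip()])
    for email, pw in ok.items():
        print(f"{email}\t{pw}")  # hand these over through a secure channel
    for email, err in failed.items():
        print(f"FAILED {email}: {err}", file=sys.stderr)
```

Run as `python bulk_reset.py sa-key.json admin@yourdomain.example < users.txt`. The delegation must be granted in the Admin console for that service account's client ID with the admin.directory.user scope; if "it's not happening" with no error, that missing grant (or impersonating a non-admin) is the usual cause, and the per-user error text from the API will say so.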