I would like to setup a custom domain for Cognito.( it's on App Integration -> Domain Name). I am trying to follo this: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html#cognito-user-pools-add-custom-domain-adding, but I am little bit confused on step 3.
On step 3: To set up a custom domain name or to update its
certificate, you must have permission to update Amazon CloudFront
distributions. You can do so by attaching the following IAM policy
statement to an IAM user, group, or role in your AWS account:
I need to "attach" a permission for Cognito to create a Cloud Front Distribuition, but the documentation didn't say how to do it.
I have created a role with trust relantionship for cognito id... But it's still not able to create cloud front...And no error message...
Related
I'm trying to create an index management policy in Opensearch 1.3 on AWS using Terraform and the elasticsearch provider from phillbaker but I'm always getting a 403 forbidden exception when using an IAM master user. After several tries, I've changed to an internal database user and it worked straightaway once the domain access policy was open for any user.
These are the things I've tried so far:
Creating an IAM user with programmatic credentials, adding this user to the domain access policy and as a master user for the cluster and using the credentials in the provider (using aws_access_key and aws_secret_access_key parameters, not username and password).
Creating an IAM role with administrator access, adding this role as a master user. Configuring a Cognito user pool and identity pool as identity provider for the cluster and configuring authenticated users to use the role created before. Configuring the domain access policy to allow anyone to user the cluster.
Creating an internal user from the dashboard and adding this user to the all_access role. Configuring the domain access policy to allow anyone to use the cluster.
In all these cases, it didn't work. The last case, I tried after changing the configuration to use an internal database user as master and I verified both had the same rol mapping configuration. But only the credentials of the one I assigned through the AWS console worked.
I also tried changing the cluster security configuration on AWS so the domain access policy gets replaced with the fine-grained access control. But every time I save the changes, when I get back to the security tab, the domain access policy is still activated.
AWS Elasticsearch fine grained access control uses Open Distro Elasticsearch security. Using this feature authorization can be handled inside the Elasticsearch. https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles
AWS Documentation suggests to use the Open Distro Elasticsearch documentation, to use security Rest APIs, such as creating role or reading role.
You can create new roles for fine-grained access control using Kibana or the _opendistro/_security operation in the REST API. For more information, see the Open Distro for Elasticsearch documentation.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html
There are roles inside Elasticsearch using which we can control the authorization permissions of IAM user/role. This is done using Role mapping by adding IAM user into Users list or IAM role into backend role.
I added my IAM role into Elasticsearch backend role and I am able to execute below APIs,
PUT /my_index
PUT /_template/template_for_my_index
But when I execute below API, I am getting below response.
PATCH /_opendistro/_security/api/rolesmapping/my_role_inside_elasticsearch
{'statusCode': 200, 'headers': {'Access-Control-Allow-Origin': '*'}, 'isBase64Encoded': False, 'body': '{"status":"FORBIDDEN","message":"No permission to access REST API: User arn:aws:iam::123456789:role/myIamRole with Open Distro Security Roles [all_access] does not have any role privileged for admin access. No ssl info found in request."}'}
I tried adding IAM role into Elasticsearch all_access and also into my own Elasticsearch role which has * permissions(all permissions).
How to grant access to IAM Role/User to create role inside AWS Elasticsearch?
Note: IAM Roles and Elasticsearch Roles are different.
To grant permission to an IAM user/role to access opendsitro apis, you have to give the IAM entity permissions similar to master user. You have two options to do so:
Either make that IAM entity the new master user via aws opensearch cli/console.
Map the IAM user/role to all_access as well as security_manager thereby adding it as an additional master user.
Note: For IAM user, the arn needs to be added under users, whereas for IAM role, the arn needs to be added under backend_roles in the role mapping section.
More details: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters
Can you clarify if you were able to successfully map the IAM user/role to all_access? Your question is not clear on that.
Following this article to set up Cognito auth for AWS Elasticsearch.
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
Getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Anybody knows why I could get it?
The crucial missing part was the below:
navigate to the Elastisearch domain on your AWS Elasticsearch console page
After this, click on the “Actions” button -> “Modify master user"
Then select “Set IAM ARN as master user” and in the “IAM ARN” field, add the IAM role ARN “arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group”
click Submit
If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively you can configure the master user role same as Cognito Authenticated role ARN.
I am trying to embed a AWS Quiksight Dashboard in one of my application. I have followed all the steps mentioned in the AWS guide - https://docs.aws.amazon.com/quicksight/latest/user/embedded-dashboards-setup.html
I have created the AWS role with the required policy, at the last step when I try t fetch the embedded dashboard URL, I get the following error. Not sure what is the issue.
The function I call is
response1 = client.get_dashboard_embed_url(
AwsAccountId="999999999999",
DashboardId='29dfd0b7-844e-4867-9a3c-77acdd647d1d',
IdentityType='IAM',
SessionLifetimeInMinutes=120,
UserArn=arn
)
Value 'arn:aws:iam::9999999999999:role/EmbeddQuickSight' at 'userArn' failed to satisfy constraint: Specified resource is not reachable in this region ('us-east-1' )
According to the documentation, UserArn can't be an IAM role. It needs to be one of the following:
Active Directory (AD) users or group members
Invited nonfederated users
IAM users and IAM role-based sessions authenticated through Federated Single Sign-On using SAML, OpenID Connect, or IAM federation.
I could imagine that this is the underlying issue.
I am trying to apply the role binding below to grant the Storage Admin Role to a GCP roleset in Vault.
resource "//cloudresourcemanager.googleapis.com/projects/{project_id_number}" {
roles = [
"roles/storage.admin"
]
}
I want to grant access to the project level, not a specific bucket so that the GCP roleset can access and read/write to the Google Container Registry.
When I try to create this roleset in Vault, I get this error:
Error writing data to gcp/roleset/my-roleset: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-roleset
Code: 400. Errors:
* unable to set policy: googleapi: Error 403: The caller does not have permission
My Vault cluster is running in a GKE cluster which has OAuth Scopes for all Cloud APIs, I am the project owner, and the service account Vault is using has the following permissions:
Cloud KMS CryptoKey Encrypter/Decrypter
Service Account Actor
Service Account Admin
Service Account Key Admin
Service Account Token Creator
Logs Writer
Storage Admin
Storage Object Admin
I have tried giving the service account both Editor and Owner roles, and I still get the same error.
Firstly, am I using the correct resource to create a roleset for the Storage Admin Role at the project level?
Secondly, if so, what could be causing this permission error?
I had previously recreated the cluster and skipped this step:
vault write gcp/config credentials=#credentials.json
Adding the key file fixed this.
There is also a chance that following the steps to create a custom role here and adding that custom role played a part.