I'm looking into how to implement AWS Transfer for SFTP with a Custom Identity Provider.
https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html
From what I can understand it looks like if you are going to use a custom identity provider you must authenticate using a username and password.
i.e. Custom identity provider can not be used in conjunction with SFTP keys.
Is that right?
I hope this is not a silly question. Thanks in advance
Basically when you use Custom Identity Provider and once you're authenticated, you'll allowed to assume the role and access the home directory, however you can use Lambda integration with API gateway and send the SSH public key in the Lambda generated response.
Related
I need to use IoT core MQTT but it need to attach IoT policy to the identity in order to access MQTT.
From aws doc, it can be done by calling the AttachPolicy API. But I am struggling to use it successfully(see my other post). So I am trying alternative solution to assign user a specific identity and I attach the IoT policy through AWS CLI mannually.
I know that identity will be created when GetId is called. But in my app I am using Amplify.Auth to sign up or sign in. I look through the doc and doesn't seem it mentioned when was GetId called.
Is it possible to assign a specfic identity to user when he/she is signed up or signed in?
I am not 100% confident what you are looking for but, I have set up this before. can it give you a hint?
I know close to nothing about AWS. But I want to use AWS SDK in my Springboot project to send email via SES. I am to send the emails as a delegate user, and all I have is the Identity user's ARN. I tried the code available on the AWS website and set X-SES-SOURCE-ARN header as the identity user's ARN, and I am getting Unable to load AWS credentials from any provider in the chain error. Do I need to add any sort of ACCESS-KEY-ID and SECRET-KEY?
You might be confusing IAM identity with email/domain identities.
IAM handles authorization for the API call (AWS sigv4).
SES identities are internal to the service and just represent an authorized sending email address or domain (one that has performed verification steps).
To make a successful call you need to have both of those:
An IAM principal with authorization for ses:SendEmail in the account.
A verified email or domain identity in the account that is passed as the source ARN in your API call.
If you are using sending authorization policies then things require a little more setup but is essentially the same.
You can add the accessKey and secretKey on a file named AwsCredentials.properties. Next, when you configure the AWS SES Client, you load that file, as in the following example with Cognito.
public AWSCognitoIdentityProvider getAmazonCognitoIdentityClient() {
ClasspathPropertiesFileCredentialsProvider propertiesFileCredentialsProvider = new ClasspathPropertiesFileCredentialsProvider();
return AWSCognitoIdentityProviderClientBuilder.standard().withCredentials(propertiesFileCredentialsProvider)
.withRegion(props.getRegion()).build();
}
I am creating a nuxtjs application using amplify. I have a separate Identity server (openId connect) already built for authentication purposes. (So I don't want to use cognito auth)
I am using appsync API - I want to use the already existing identity server to pass a token to the API
I want to use S3 to store user files - for this also I want to use my identity server)
I searched but could not find proper documentation for these options. Is this achievable? If so where can I find the proper config?
I have an app and openid identity server. My app retrieves tokens from the Identity server.
I have also configured the identity server as an external provider for an AWS Cognito Identity Pool.
I can successfully retrieve AWS credentials for the User logged into my app.
However, I find the AWS credentials limited as the token does not contain any of the claims from the original login token. Is there any way to get them in there?
One the claims I use is clientID and I was hoping to be able to use that in a an IAM Policy to restrict S3 access by client.
I haven't found direct solution for that, and it seems like missing feature.
The workaround I did was:
Mapping id_token/access_token/refresh_token to custom cognito attributes. As all mapped attributes are later available in your frontend, you need to restrict read permissions for sensitive attributes.
Use TokenGeneration_HostedAuth lambda trigger to work on this data.
I have an iOS app that is authenticating using Facebook & Cognito. I am able to make calls to a local ReST service with the following AWS credentials from my iOS app extracted from Cognito:
accessToken: {a_token}
secretToken: {a_token}
sessionToken: {a_token}
I want to get the current Cognito identity from the AWS credentials so I can use that as a key in my DynamoDB table and handle authorization (I don't want to use IAM roles for this). I know I can directly invoke DynamoDB from the iOS app but I do not want my app directly calling my data storage (in case I want to change data storage, add caching, etc...). Is it possible to get the current Cognito identity from the current AWS credentials?
I do not want to pass the identity id with the request, as is defeats the purpose of passing the tokens.
I do not want to use AWS API Gateway either.
From your credentialsProvider you can call getIdentityId() and in continueWithBlock' you can accesscredentialsProvider.identityId`
I am sorry but there is no way to get an identity id from AWS credentials.
Is there a reason you do not want to call Amazon DynamoDB from the device directly using credentials vended by Cognito Identity? Using IAM roles you can restrict the usage for an identity to be able to write to only their records and this is the approach we recommend currently.
You can refer to our blog about fine grain access with DynamoDB using Cognito.