I'd like to authenticate the WSO2SP dashboard with users from the WSO2AM as IdP if possible (https://docs.wso2.com/display/SP420/User+Management+via+the+IdP+Client+Interface).
I made the following configuration (port 9446 is for the Key Manager)
auth.configs:
  type: external
  properties:
    kmDcrUrl: https://server:9446/identity/connect/register
    kmTokenUrl: https://server:9446/oauth2
    kmUsername: admin
    kmPassword: admin
    idpBaseUrl: https://server:9446/scim2
    idpUsername: admin
    idpPassword: admin
    portalAppContext: portal
    statusDashboardAppContext: monitoring
    businessRulesAppContext: business-rules
    databaseName: WSO2_OAUTH_APP_DB
    cacheTimeout: 900
    baseUrl: https://server:9643
    grantType: password
Apparently the URL https://server:9446/identity/connect/register returns a 403 status.
Questions:
Do I need to use a full Identity Server to authenticate the SP with WSO2AM users?
If I can use a KM DCR service from WSO2AM, which URL is it?
Even if we use the WSO2AM DCR service, WSO2AM 2.x does not have SCIM2 support, and we can't use the External IdP without SCIM2.
I'm trying to run the Vault CSI provider but I'm getting the following error in my app pod:
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod vault/my-service-9b78df688-8xnql, err: rpc error: code = Unknown desc = error making mount request: failed to login: Error making API request. Namespace: vault URL: POST https://vault.craft-code.com/v1/auth/gcp/login Code: 400. Errors: * unable to get public key for signed JWT: unable to get public key "xxxxx" for JWT subject "system:serviceaccount:vault:service-web-app": googleapi: Error 400: Request contains an invalid argument.
According to the docs, before logging in to Vault, Google Cloud should issue a JWT credential to be able to log in to Vault. I'm using Terraform but I don't know how to do that. Could someone explain it?
Once the service account and key have been created, the private key can be used to generate the JWT token needed to log in to Vault.
To configure a Google Cloud service account to issue a JWT token before it can be used to log in to Vault, you need to complete the following steps:
Create a service account in the Google Cloud platform.
Download the JSON key file associated with the service account.
Configure the Vault server to use the GCP auth backend and provide the JSON key file for the service account.
Configure the Google Cloud IAM roles for the service account in order to grant it access to the Vault server.
Get the JWT token from the service account and use it to authenticate with Vault.
Refer to this doc as well.
I am setting up a custom AWS Amplify auth application.
Signing up and signing in were working fine until I enabled MFA on a user.
So after sign-in, on "SOFTWARE_TOKEN_MFA", I am redirecting to a modal for the user to enter the code from the authenticator app:
const loggedUser = await Auth.confirmSignIn(awsUser, userCode, challenge);
This function throws the error:
Identity pool - does not have identity providers configured
I enabled TOTP in the AWS Console.
I'm using Next.js 12.1.6, NextAuth ^4.5.0 and Cognito to create social sign-ins. After a successful sign-in on the Cognito Hosted UI, I get redirected to my Next.js app with this error in the URL: api/auth/signin?error=OAuthCallback. I'm not sure what the problem is. Here is the log I get:
here's the nextjs app:
My cognito callbacks:
My nextauth config :
I am trying to implement user authentication via JWTs in Google Cloud API Gateway.
I have configured the security requirement object and a security definitions object in the API config as per the documentation:
securityDefinitions:
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
security:
  - google_id_token: []
And the backend service is a Cloud Run service:
x-google-backend:
  address: https://my-apis-fskhw40mta-uk.a.run.app
However, when I call the API with my user bearer token, I receive a 403 error and this error in the Stackdriver logs:
"jwt_authn_access_denied{Audiences_in_Jwt_are_not_allowed}"
The Python client code to call the API is:
import subprocess
import urllib3
from urllib.parse import urlencode
# API_URL (the gateway base URL) is defined elsewhere in the client. gcloud is run as an
# argv list without shell=True (which on POSIX would execute only 'gcloud'); strip() drops the trailing newline.
id_token = subprocess.run(
    ['gcloud', 'auth', 'print-identity-token'],
    capture_output=True, text=True, check=True,
).stdout.strip()
http = urllib3.PoolManager()
encoded_args = urlencode({'arg1': "val1"})
r = http.request(
    'GET',
    API_URL + "/run-api?" + encoded_args,
    headers={"Authorization": f"Bearer {id_token}"},
)
What is the correct way to include an audience when using a user account (not a service account)?
Update 1
I have found one way to do it, however I'm not sure it is correct. If I add 32555940559.apps.googleusercontent.com to the securityDefinitions so it looks like this:
securityDefinitions:
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "https://oauth2.googleapis.com/token, 32555940559.apps.googleusercontent.com"
it will allow unauthenticated access to Cloud Run; however, I still cannot call Cloud Run with authentication enabled. Cloud Run returns a 403 error due to the API Gateway service account not having permissions - it has Cloud Run Invoker.
Is there anything special I need to do to enable API Gateway to call Cloud Run other than granting Cloud Run Invoker?
Adding 32555940559.apps.googleusercontent.com is not recommended, since this is the default. Ideally the audience should be unique for every service, which is why we normally use the service's own URL for this purpose. This prevents the tokens from being reused, e.g. by a malicious or insecure server, to authenticate to other services which expect a different audience.
You can specify the audience you want to use when you create your identity token. For example: gcloud auth print-identity-token --audiences "https://service-acldswax.fx.gateway.dev"
You can specify the same audience in x-google-audiences to make this work. Alternatively, the service name prefixed with "https://" will be accepted by default. This can be specified as "host" in the API specification file and would normally be something like "api.example.com".
Note that anyone can generate a valid identity token, which will be accepted by the gateway. The gateway is performing /authentication/, but not /authorization/. You can either do authorization in the app, or for a private API you may wish to use a different oauth2 client.
When this is set up correctly you should be able to connect to the API gateway, but you will probably want your Cloud Run service to be locked down, to prevent the gateway from being bypassed. As you mentioned, the permission required to do this is included in the "Cloud Run Invoker" role; this needs to be granted to the gateway's service account on the Cloud Run service or one of its containing resources (e.g. project, folder, organization).
I would suggest running the following commands to confirm/check the settings again :
Verify URL and API config in the gateway: gcloud api-gateway gateways describe $GATEWAY --location $REGION
Verify gateway config service account and backend URL (in the base64-encoded document.contents): gcloud api-gateway api-configs describe --api $API $API_CONFIG --view FULL
Verify permission on Cloud Run service : gcloud run services --region $REGION get-iam-policy $SERVICE
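To make the audience rule in the answer above concrete, here is an added example (written for this page, not code from the original post, from Google, or from the API Gateway itself) that reproduces the claim checks the gateway's JWT filter applies before the error "Audiences_in_Jwt_are_not_allowed" is logged: issuer must equal x-google-issuer, the token must not be expired, and aud must contain one of the x-google-audiences values. It runs offline, so the tokens are minted with a constructed HS256 key rather than the RS256 key the gateway fetches from x-google-jwks_uri; the gateway host name, the subject and the key are assumptions, and the default gcloud client ID is the one quoted in the question.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: stands in for the RS256 key the gateway fetches from
# x-google-jwks_uri. The claim checks below are the point of the example.
DEMO_KEY = b"constructed-demo-signing-key"
GOOGLE_ISSUER = "https://accounts.google.com"
# Default client ID used by `gcloud auth print-identity-token` (from the question).
DEFAULT_GCLOUD_AUDIENCE = "32555940559.apps.googleusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact JWS (HS256) over the claims. Demo-only stand-in for a Google ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_token(token: str, allowed_audiences: set, now=None) -> str:
    """Return 'ok' or the reason a gateway configured with x-google-issuer /
    x-google-audiences = allowed_audiences would reject the token."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return "malformed"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the header's alg beyond what we accept
        return "unsupported_alg"
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad_signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != GOOGLE_ISSUER:
        return "issuer_not_allowed"
    if claims.get("exp", 0) <= now:
        return "expired"
    aud = claims.get("aud")  # a string in Google ID tokens; a list is also handled
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & allowed_audiences:
        return "Audiences_in_Jwt_are_not_allowed"
    return "ok"


def demo(gateway_host="service-acldswax.fx.gateway.dev", now=1_700_000_000):
    """Constructed scenario (assumed host): which tokens a gateway with
    x-google-audiences: https://<gateway_host> accepts."""
    allowed = {f"https://{gateway_host}"}
    base = {"iss": GOOGLE_ISSUER, "sub": "user-123", "exp": now + 3600}
    tokens = {
        # gcloud auth print-identity-token with no --audiences flag
        "default_gcloud_audience": mint_token({**base, "aud": DEFAULT_GCLOUD_AUDIENCE}),
        # gcloud auth print-identity-token --audiences https://<gateway_host>
        "gateway_audience": mint_token({**base, "aud": f"https://{gateway_host}"}),
        # token minted for a different service: must not be replayable here
        "other_service_audience": mint_token({**base, "aud": "https://other-api.example.com"}),
        "expired": mint_token({**base, "aud": f"https://{gateway_host}", "exp": now - 1}),
    }
    return {name: check_token(tok, allowed, now=now) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "other_service_audience" case is the reuse the answer warns about: a token issued for one service is rejected by another only because each verifies its own audience, so listing the shared default client ID in x-google-audiences makes every gcloud-minted token valid for your gateway. As the answer also notes, passing all of these checks is authentication only; which users may call which route is still the application's job.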
We have a User Pool set up in AWS Cognito for which we have also set up Azure AD as a SAML Identity Provider for one of the app clients.
The authentication flow works as expected via the Hosted UI of this app client, with redirection to the IdP for authentication and generation of token following successful authentication against the IdP and redirection back to Cognito.
For app clients that are not using an Identity Provider we are able to use the InitiateAuth action (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) with an AuthFlow of USER_PASSWORD_AUTH to allow users to authenticate and obtain tokens.
However, when we try to use the InitiateAuth action with the app client that is configured with the IdP, and use the username automatically created by Cognito in the user pool (which by default is <IdentityProviderName>_<UsernameOfUserOnIdP>, e.g. AzureAD_matthew#domain.com) and the same USER_PASSWORD_AUTH as AuthFlow, we get a NotAuthorizedException. So the following request:
{
  "AuthParameters": {
    "USERNAME": "AzureAD_matthew#domain.com",
    "PASSWORD": "XXXXXX"
  },
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "XXXXXXXXX"
}
is giving us this response:
{
  "__type": "NotAuthorizedException",
  "message": "Incorrect username or password."
}
Is it possible to use the InitiateAuth action for app clients that are linked to a SAML identity provider?
Thanks