I want to connect a HTTP device to IoT core.
I have tried this with the curl command all goes well.
Now I want to try to use POST with signatyure version 4
I'm using postmand to send a POST request, but I got this output:
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.",
In authorization fields I have chosen "AWS Signature" and I have completed all of them: access and secret key, aws region and service name=iotdata
I want to get the same results as when I use the curl command:
curl --tlsv1.2 --cacert YY.pem --cert XX.pem.crt --key ZZ.pem.key -X POST -d "{ \"Trama\": \"message\"}" "https://PPPPPP.iot.eu-west-1.amazonaws.com:8443/topics/topicname?qos=1"
The problem here is that both of your commands are a little different, because of the various ways you can send data to AWS IoT.
In the curl command you're actually using x.509 certificate approach (you can see here for further information: https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html) This doesn't need the payload to be signed, it's already trusted because the certificate is.
This approach is mostly unique to AWS IoT, because the aim is that the data comes from lots of devices- and you wouldn't want to give them all an IAM Role. In fact, certificate is the recommended way to send data from a device.
You can use these certificates with Postman if you want, by adding them to the request under certificates tab (you only need the .crt and .key files). See https://www.getpostman.com/docs/v6/postman/sending_api_requests/certificates for more detailed instructions.
You still can use AWS v4 signatures (https://docs.aws.amazon.com/iot/latest/developerguide/iam-users-groups-roles.html) so the suggestion is that you're not forming the request properly.
Looking at this documentation (https://docs.aws.amazon.com/iot/latest/apireference/API_iotdata_Publish.html) you should be using:
Method: POST
Uri: <AWS IoT Endpoint>/<url_encoded_topic_name>?qos=1 (e.g. https://a1pn10j0v8htvw.iot.us-east-1.amazonaws.com:8443/topics/iotbutton/virtualButton?qos=1)
Authorisation Type: AWS Signature
AccessKey / SecretKey: As per your credentials
AWS Region: Region you AWS IoT instances is in
Service Name: iotdata
Session Token: Leave blank
Related
I am using AWS sagemaker, and I have created an endpoint. I want to test endpoint on postman app. I give endpoint URL and JSON body to postman app. But I get this error that "message": "Missing Authentication Token" I need to know from where I 'll get bearer token so that I can give it to postman app.
I am answering my own question after searching and reading forums,
The easiest way to get bearer token is to install AWS CLI and configure it, using aws configure command.
For configuring, we must need to know access key, secret key, region of user. These things can be get by AWS users section.
After configuration by running this command, aws ecr get-authorization-token, we can get authorizationToken. here This token can be fed into bearer token, along with aws signature (access key and secret key) in authorization menu in Postman app.
I am trying to get a session token for the given IAM in postman but not able to receive a token.
If I use boto3.client('sts'), I am able to get the token.
Use Case: I am trying to Invoke VPC Rest Endpoint from EC2 instance where ServiceNow mid-server instance is running. Since we have ServiceNow mid-server agent running on EC2 instance, I want to use IAM Role attached to EC2 to authenticate other VPC endpoints that are deployed in the same AWS account.
I have permission policy attached to IAM Role to allow Assume Role policy. If there any other approach, please suggest.
here HTML HTML response in postman. Postman redirecting to IAM Docs
client = boto3.client('sts')
response = client.assume_role(
RoleArn='arn:aws:iam::**************:role/ServiceNow-midserver-Role',
RoleSessionName='Session1',
DurationSeconds=3600
)
print(response)
anything wrong with postman request body or endpoint.
Authentication on postman is none.
To call AssumeRole from Postman (or curl etc.) as opposed to using a supported AWS SDK, you should follow the AssumeRole API documentation. You will also need to authenticate using AWS credentials.
Specifically, the request is an HTTP GET and parameters are passed as query strings, for example:
GET https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=stackoverflow-64706420
&RoleArn=arn:aws:iam::123456781234:role/myrole
&DurationSeconds=3600
Here's what this looks like in Postman:
And you will need to add AWS credentials so that your API request is signed correctly, for example:
Click 'Send' and the response will look something like this:
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<AssumedRoleUser>
<Arn>arn:aws:sts::123456781234:assumed-role/123456781234/stackoverflow-64706420</Arn>
<AssumedRoleId>ARO123EXAMPLE123:stackoverflow-64706420</AssumedRoleId>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<SessionToken>
AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
</SessionToken>
<Expiration>2020-12-09T13:34:41Z</Expiration>
</Credentials>
<PackedPolicySize>6</PackedPolicySize>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
You need to use credentials for an IAM user or an IAM role to call AssumeRole. boto3 must be getting credentials from the standard locations it look for (like ~/.aws/config) [ref:https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html]. May be you could try providing the AWS creds in Authorization tab in Postman selecting type as AWS Signature and then call assumeRole.
Is it possible to use aws credentials on remote server without explicitly copying them?
For example I can use my local ssh key on server like ssh-add && ssh -A <server_name> is there something like this for aws cli without copying the ~/.aws/credentials and ~/.aws/config?
I want to use these aws credentials just to download some files from S3.
In order to SSH to a remote server, your public key must already be present on the remote server. Your tool uses the private key to encrypt communications. Therefore, your assumption that your credentials are not needed on the remote server is incorrect.
EC2 supports retrieving credentials from metadata. You could create an IAM role s3access and then assume that role inside EC2. You can even retrieve those credentials using the command line tool curl. Example:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
Example output:
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2017-05-17T15:09:54Z"
}
Refer to this link for more information on metadata credentials.
You can also setup the CLI to automatically use metadata credentials. Refer to this link for more information.
If your goal is to have no credentials on the EC2 instance, then you will need to use Presigned URLs. Refer to this link for more information.
If all you want to do is download some files from S3, persigned URLs may be an easier and safer option. AWS allows you to generate URLs for any AWS API action that are only usable for a certain period of time. You can generate those URLs to your specific files, send them to your server, and have the server use them to download the files.
For example:
aws s3 presign s3://awsexamplebucket/test2.txt --expires-in 604800
All of the different frameworks like boto3 and aws-sdk also support generating URLs.
Another option is generating temporary credentials. AWS allows lets you create credentials that only for a certain period of time. It also allows you to limit their scope so you can ask that they only allow downloading from a specific bucket, for example. Using STS you will get a new set of access key and session token, send those to your server, and let your server use them to do what it needs to do.
If you want the token to have exactly the same credentials as the calling role, use:
aws sts get-session-token
Otherwise you will need to create a role with the appropriate permissions and use:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
Just like with presigned URLs, these APIs are available in every SDK and not just on the command line.
I've managed to successfull login to the API gateway I've made via my iOS device and Cognito. The problem is I'd like to use postman to test the API calls then implement them on the phone. Currently, Postman cannot authenticate (despite AWS saying it can). No matter what I do I get a 401 error (visible in the screen-shots)
What I've tried
Downloaded the postman collection from AWS Api Gateway
Then imported it into postman, and switch the authentication to "AWS Signature"
And Here is a screen shot of the Postman Generated Header Info
If I understand correctly, you are trying to call an API Gateway endpoint that is behind the built-in Cognito Authoriser.
I think you've misunderstood how you call an Cognito Authorised API Gateway:
Authorise against Cognito to get an id_token
Call API Gateway with the Authorization header set to id_token
Renew id_token every hour
By enabling ADMIN_NO_SRP_AUTH you're allowing the first step (sign-in to Cognito) to be simplified so that you can more easily do it manually. (If you hadn't, then you would need to do SRP calculations).
One way to get the id_token is to use the aws cli (further ways are shown in the documentation):
aws cognito-idp admin-initiate-auth --user-pool-id='[USER_POOL_ID]' --client-id='[CLIENT_ID]' --auth-flow=ADMIN_NO_SRP_AUTH --auth-parameters="USERNAME=[USERNAME],PASSWORD=[PASSWORD]"
You can then use the result (AuthenticationResult.IdToken) as the Authorization header in Postman (no need for the AWS v4 signature- that is only for IAM authentication).
n.b. a much fuller explanation with images can be found here.
Here is what I finally did to fix postman auth issues
1) Turned off App Client Secret in the Cognito pool.
2) Ran aws --region us-east-1 cognito-idp admin-initiate-auth --cli-input-json file://gettoken.json
JSON file example
{
"UserPoolId": "us-east-1_**********",
"ClientId": "******************",
"AuthFlow": "ADMIN_NO_SRP_AUTH",
"AuthParameters": {
"USERNAME": "*********",
"PASSWORD": "***********"
}
}
3) Went to Postman > Authorization > Bearer Copied the idToken value into the token field and everything worked.
NOTE: For those wondering if not using a secret client key is safe. See this article.
I was checking out a couple methods from amazon-api-gateway-developer-guide and I stumbled with api-gateway-export-api, I managed to get the AWSCLI command (aws apigateway get-export --parameters extensions='apigateway' --rest-api-id abcdefg123 --stage-name dev --export-type swagger latestswagger2.json --profile profile --region us-east-1) working by adding the --profile and --region parameters, but for whatever reason I can't get the Request URL to return the API definition response.
I am trying to do the following couple things (Postman):
GET request with the URL: https://apigateway.us-east-1.amazonaws.com/restapis/abcdefg123/stages/dev/exports/oas30
Add authorization type AWS-Signature to the request with all the
parameters filled (AccessKey, SecretKey, AWS Region,
Service Name and Session Token)
The Authorization, x-Amz-Date and x-Amz-Security token are generated successfully, as far as I can tell
I am also sending a the headers Host (apigateway.us-east-1.amazonaws.com) and Accept (application/yaml)
This results in the following error:
{"logref":"2734hu2r2873","message":"User:
arn:aws:sts::7216832187:assumed-role/DEVELOPER/xxxx is not authorized to perform:
apigateway:GET on resource:
arn:aws:apigateway:us-east-1::/restapis/abcdefg123 /stages/dev/exports/oas30"}
I was actually getting the same error with the AWSCLI command before I added the --profile and --region parameters. I already checked out a couple posts about issues like mine, this one is an example export swagger api definition from api gateway via http request?, but I am doing basically the same thing (sending the same headers, same host and URL) and getting this error. I don't think my access key, secret key, token or any of that information might be wrong... because it's the credentials I use for the AWSCLI command.
Thank you for the taking the time to read and/or reply to my post, I really appreciate any feedback in anything.
The point of trying to get this request to work is that I wanted to add it as an HTTP proxy to an API, unfortunately I couldn't get it to work.
My problem was that I have a couple profiles in my session and each one of them has different permissions, I found no way to specify the profile I wanted to use in the request and thus it caused the error mentioned above.
In the end I opted to write a Lambda function with proxy integration and everything went fine, after giving the lambda profile the apigateway:GET permission.
If I have a misconception about anything I wrote about or I am using a term in an incorrect way please correct me, I am still fairly new to AWS and have a lot to learn!