What are the permissions required by a role in the Identity server to be able to access the SCIM apis? Can you point me to any docs?
Here is the list of permissions.
Ref: https://docs.wso2.com/display/IS560/SCIM+2.0+REST+APIs
I am trying to generate signedJWT token for google service account
import json
import time

import googleapiclient.discovery

# `credentials` is the identity calling the IAM API (see below for the two ways I build it).
now = int(time.time())
expires = now + 900  # 15 mins in seconds, can't be longer.
payload = {
    'iat': now,
    'exp': expires,
    'sub': 'somekey@someproject.iam.gserviceaccount.com',
    'aud': 'aud'
}
body = {'payload': json.dumps(payload)}
name = 'projects/someproject/serviceAccounts/somekey@someproject.iam.gserviceaccount.com'
iam = googleapiclient.discovery.build('iam', 'v1', credentials=credentials)
request = iam.projects().serviceAccounts().signJwt(name=name, body=body)
resp = request.execute()
jwt = resp['signedJwt']
The problem I am facing is regarding credentials.
If I use
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_info(gcp_json_credentials_dict)
it works fine.
But I am trying to use the default service account:
import google.auth
credentials, your_project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
I get the following error:
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://iam.googleapis.com/v1/projects/someproject/serviceAccounts/somekey@someproject.iam.gserviceaccount.com:signJwt?alt=json returned "Permission iam.serviceAccounts.signJwt is required to perform this operation on service account
First, I will try to explain why you are getting the error:
permission iam.serviceAccounts.signJwt is required to perform this operation on service account.
A) Your code is running on a compute service using the default service account. I will call this Identity-1.
B) Your code is impersonating the identity somekey@someproject.iam.gserviceaccount.com. I will call this Identity-2.
Your code needs permissions to use the credentials of Identity-1 and the rights to impersonate Identity-2.
Part 1:
When you use the default service account for a compute service or assign a service account to a compute service, two forms of permission control are in effect. The master control is the IAM roles assigned to the service account. The limiter is the OAuth scopes set for the compute service.
The OAuth scopes do not grant permissions; the OAuth scopes limit permissions already granted to the service account via IAM roles. This is an important point that I see so many people configure incorrectly. I recommend setting the Compute Engine Access scopes to Allow full access to all Cloud APIs. Then modify/manage the IAM roles assigned to the service account assigned to Compute Engine.
Part 2:
In order to impersonate another identity, in your case Identity-1 is impersonating Identity-2, your code must have the right to do so. There are two types of identities that can be impersonated: a) service accounts; b) user identities. In your case, you are impersonating another service account.
If you are impersonating a service account, that requires granting the correct IAM permission via an IAM role on Identity-2 with the member set to Identity-1. Think of it this way: Identity-2 must grant permission to Identity-1.
If you are impersonating a user identity, that requires setting up Google Workspace Domain-Wide Delegation of Authority. The account that you are impersonating must be managed by Google Workspace. Google Workspace Domain-Wide Delegation of Authority is how user account impersonation is set up, which is not required in your case.
Now you might wonder, which identity needs the right to impersonate? The identity that the JWT represents. That identity is declared by the JWT claim iss. Your JWT does not include an iss claim. For more details and an example, see this link. The identity that you are impersonating is specified by the claim sub. In OAuth speak, iss is impersonating sub.
Part 3:
You must also configure your Google Cloud Project to support your objective. This requires enabling two APIs:
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
Solution:
Enable the required APIs:
gcloud services enable iamcredentials.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
Set the Compute Engine Access Scopes to Allow full access to all Cloud APIs. This requires shutting down the VM and editing the VM configuration.
Add the iss claim to the JWT that you are creating with the value Identity-1.
Grant an IAM Role containing the permission iam.serviceAccounts.signJwt. A good role to use is Service Account Token Creator to Identity-2. See this link for more details.
Example command:
gcloud iam service-accounts add-iam-policy-binding [Identity-2] \
    --member serviceAccount:[Identity-1] \
    --role roles/iam.serviceAccountTokenCreator
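The following is an added example, not code from the question or the answer above and not Google's own client code. It builds the signJwt payload with the iss claim the answer says is missing (iss = Identity-1, sub = Identity-2), and decodes a signed JWT to list which required claims are absent, expired or over the lifetime cap before the token is trusted. The identities and key are constructed; the RSA signature that IAM's signJwt would apply is replaced by an HMAC stand-in (an assumption) so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample identities (assumption); real values come from your project.
IDENTITY_1 = "caller@someproject.iam.gserviceaccount.com"   # compute default SA, signs as iss
IDENTITY_2 = "somekey@someproject.iam.gserviceaccount.com"  # impersonated SA, named in sub
MAX_LIFETIME = 900  # seconds; the question uses 15 minutes as its cap


def build_payload(issuer, subject, audience, now=None, lifetime=MAX_LIFETIME):
    """Return the claims dict to hand to signJwt, with iss and sub both present."""
    if not issuer or not subject:
        raise ValueError("both iss (who signs) and sub (who is impersonated) are required")
    if lifetime > MAX_LIFETIME:
        raise ValueError("token lifetime exceeds %d seconds" % MAX_LIFETIME)
    now = int(time.time()) if now is None else now
    return {"iss": issuer, "sub": subject, "aud": audience,
            "iat": now, "exp": now + lifetime}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_locally(payload, key):
    """Stand-in for IAM's signJwt: Google signs RS256 with the SA key, this uses HS256 (assumption)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def inspect_claims(token, now=None):
    """Decode the payload (no signature check) and return a list of claim problems.

    An empty list means iss, sub, aud, iat and exp are all present, the token
    has not expired, and its lifetime is within MAX_LIFETIME.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token: expected header.payload.signature"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    for required in ("iss", "sub", "aud", "iat", "exp"):
        if required not in claims:
            problems.append("missing claim: " + required)
    if "iat" in claims and "exp" in claims:
        if claims["exp"] <= now:
            problems.append("token expired")
        if claims["exp"] - claims["iat"] > MAX_LIFETIME:
            problems.append("lifetime exceeds %d seconds" % MAX_LIFETIME)
    return problems


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed, not a real key
    good = build_payload(IDENTITY_1, IDENTITY_2, "aud", now=1700000000)
    print(inspect_claims(sign_jwt_locally(good, key), now=1700000010))  # []
    bad = dict(good)
    del bad["iss"]  # the shape of the payload in the original question
    print(inspect_claims(sign_jwt_locally(bad, key), now=1700000010))  # ['missing claim: iss']
```

inspect_claims deliberately does not verify the signature: that is the receiving service's job, using the signer's public key. What it catches is the configuration mistake the answer describes (a payload without iss) and the lifetime and expiry problems that show up as opaque 400/401 responses downstream.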
I want to configure AWS SSO to access EKS with Azure AD. However, I want to have two access types i.e. Read only and Admin.
You will have to map the AD groups to AWS IAM roles via AWS SSO AssumedRoles. We will then use Kubernetes configMaps and roles to map the associated IAM roles to Kubernetes RBAC roles. This will be done by leveraging the open source AWS IAM Authenticator to pass an IAM identity from kubectl.
In the below example, users in the AWS-EKS-Admins group have full access to the EKS cluster (similar to the permissions assigned to the default cluster-admin role within Kubernetes) and users in the AWS-EKS-Dev group have readOnly access to certain Kubernetes resources. The mapping is summarized in the table below:
AWS EKS Permission mapping
Please refer to the AWS documentation link below for more reference:
https://aws.amazon.com/blogs/opensource/integrating-ldap-ad-users-kubernetes-rbac-aws-iam-authenticator-project/
Thanking you,
I have created an EC2 instance, which by default creates a service account with default permissions. When I checked the default permissions, I found that the service account has all these permissions below.
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append
Now I tried to list all the objects inside the bucket by using the command:
gsutil ls gs://mybucketname
I got an error:
AccessDeniedException: 403 XXXX@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket.
Why am I getting this error even though my service account has devstorage.read_only?
I am very new to GCP here, so let me know.
Please read the official documentation regarding the difference between setting the service account level of access with IAM roles and setting the GCE instance's access scopes:
Service account permissions
When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.
Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. However, they do not extend to other authentication protocols like gRPC.
Essentially:
IAM restricts access to APIs based on the IAM roles that are granted to the service account.
Access scopes potentially further limit access to API methods when authenticating through OAuth.
Therefore I would recommend adding an IAM role with the storage.objects.list permission to your instance service account (maybe roles/storage.legacyBucketReader).
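As an added example that is not part of the answer above or of any Google tooling, the block below models the two controls the answer describes: IAM roles grant permissions, and access scopes can only narrow what OAuth-authenticated calls may use. It replays the question's situation (the six default scopes, no IAM role) and the answer's fix. The scope and role tables are constructed subsets, an assumption for illustration, not the full Google definitions.

```python
# Constructed (assumption): which permissions each OAuth scope lets through.
# None means the scope does not narrow IAM at all.
SCOPE_ALLOWS = {
    "https://www.googleapis.com/auth/devstorage.read_only": {
        "storage.buckets.get", "storage.objects.get", "storage.objects.list"},
    "https://www.googleapis.com/auth/devstorage.read_write": {
        "storage.buckets.get", "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete"},
    "https://www.googleapis.com/auth/logging.write": {"logging.logEntries.create"},
    "https://www.googleapis.com/auth/cloud-platform": None,
}

# Constructed (assumption): a subset of the permissions carried by a few roles.
ROLE_PERMISSIONS = {
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/logging.logWriter": {"logging.logEntries.create"},
}

# The six default scopes quoted in the question.
DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
]


def iam_permissions(roles):
    """Union of the permissions granted by the service account's IAM roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def scope_permits(scopes, permission):
    """True if at least one instance scope lets the permission through."""
    for scope in scopes:
        allowed = SCOPE_ALLOWS.get(scope, set())  # unknown scope: narrows to nothing here
        if allowed is None or permission in allowed:
            return True
    return False


def check_access(roles, scopes, permission):
    """Return (allowed, reason). IAM is evaluated first; scopes can only deny further."""
    if permission not in iam_permissions(roles):
        return False, "IAM: no granted role carries " + permission
    if not scope_permits(scopes, permission):
        return False, "scope: instance access scopes do not include " + permission
    return True, "granted by IAM role and permitted by access scope"


if __name__ == "__main__":
    # The question: read_only scope present, but no IAM role -> 403, same as gsutil reported.
    print(check_access([], DEFAULT_SCOPES, "storage.objects.list"))
    # The answer's fix: grant a role carrying storage.objects.list.
    print(check_access(["roles/storage.legacyBucketReader"], DEFAULT_SCOPES, "storage.objects.list"))
    # Role granted but scopes too narrow: the scope is now the limiter.
    print(check_access(["roles/storage.legacyBucketReader"],
                       ["https://www.googleapis.com/auth/logging.write"], "storage.objects.list"))
```

The ordering in check_access is the point: a scope can never add a permission that IAM has not granted, which is why the devstorage.read_only scope on its own produced the 403 in the question.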
We are planning to use AWS WebIdentityFederation for a single page application.
I have created OIDC provider, which is an external ADFS and created a WebIdentityFederation assumed role. I am able to generate id_token through ADFS. In this id_token, I have added Role claim, which is AD Groups (I can change to AWS Role ARNs if needed) and then generate temporary STS tokens from AWS STS API.
However, it looks like the AWS WebIdentityFederation role doesn't validate any role claim inside the id_token, like AWS does for SAML federation. This creates an authorization question: if a user has a valid id_token, they can assume any WebIdentityFederation role.
For example: If I have two WebIdentityFederation roles, READONLY and ADMIN, then a user with a valid id_token can assume both READONLY and ADMIN, even if in the id_token the user has the READONLY role.
Is there any way to validate role or any other custom claims present in id_token? Can it be done through Trust Policy conditions?
According to the official AWS documentation, IAM Roles can also be attached to IAM Users, and not only services.
What would be a valid use case to assign an IAM Role to an IAM User?
Aren't all the cases covered by directly granting (allow/deny) IAM Policies to the users?
TBH my initial impression was that IAM Roles served the purpose of authorization for the AWS services (so that they can interact with other services), since the latter cannot be addressed in the User context.
As you clearly understood, AWS Roles serve the purpose of authentication (with IAM policies for authorization) for AWS services. In contrast, AWS IAM users map directly to human users who obtain credentials to log in to the AWS Management Console.
However, when granting access to a user outside the AWS Account (e.g. Cross Account Access, AD Authentication Federation), it will require an IAM Role to assume the permission.
Referring to the documentation you shared, it's not a direct IAM User who is getting permission, rather an Active Directory user (external) assuming an IAM Role (not a direct IAM User) to get access to the AWS resources.
It is an IAM best practice to assign Roles to AWS users from other AWS accounts in order to delegate permissions. This is to avoid sharing credentials between AWS accounts.
I also wanted to point out, your initial impression about Roles as authorization is not correct. The only IAM resource that is considered authorization are IAM Policies.
This can be seen in the AWS documentation on Understanding IAM and in the following AWS training video: Authentication and Authorization with AWS Identity and Access Management (login required)
The other three basic IAM resources: Users, Groups and Roles are considered part of Authentication.