Connecting to VPC-based Kibana using AWS Cognito - amazon-web-services

I'm a beginner to AWS and a bit confused regarding the AWS Cognito system.
I have an AWS Elasticsearch service behind a VPC. I'm trying to access the Kibana endpoint using AWS Cognito, but when I navigate to the login screen I see a blank page.
Is what I'm trying to do feasible, or do I need to VPN into the VPC first in order to get to the login screen? If so, how can I grant public users access to Kibana (without the trouble of a VPN)? Would a better solution be to have a reverse proxy point to Kibana and couple this with AWS Cognito? Thanks for your help.
Note: I'm using Elasticsearch 6.2

I had the same output while I was setting up the same setup but don't remember exactly which stage solved it.
At this stage it looks like you already set your access policy to use the Cognito role, otherwise you wouldn't end up on the Cognito login page (even though it's blank for now).
I would check the identity provider config on the Cognito User Pool App client settings:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-identity-providers
It wasn't linked to a lack of access (i.e. no VPN) or a missing UI customization, and it's definitely achievable.
Let me know if you want me to look deeper into it.
EDIT: when I go directly to the domain URL of my Cognito pool (i.e. https://yourdomain.auth.your-region.amazoncognito.com) I still get a blank page. It's only when going to the protected application (Kibana) that the login page is filled in (probably linked to the above app client settings).

I created a wiki page in my GitHub repo because I did this EXACT same thing (public ESS and Cognito) over the last couple of days. You can get the info HERE and I hope it helps clear things up!

Related

Unable to protect Cloud Run with cloud.run.invoker permission

I have deployed a simple Cloud Run service with Flask and I want to limit the access to logged users in GCP only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer but I prefer not to.
My objective is to allow GCP logged users to access a page hosted in Cloud Run
For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header, much like what you're achieving with curl. This extension may be useful for your use case.
This is mentioned in GCP documentation right here, at the bottom of the page.
However, this is not ideal, and if you want to authenticate any user coming in from GCP (i.e. an internal user), refer to this doc. You can make use of Identity-Aware Proxy to create an internal app that any user logged in and given permissions through GCP will be able to access.

okta deep link to page in AWS Console

I'm using Okta as my identity provider to get access to my AWS accounts. I can get links to log in to the default console page with the different roles which I have set up.
I want to be able to create deep links to specific pages in the AWS console, for example a deep link to a CloudWatch dashboard for a specific account and role. Anyone with the appropriate permissions in Okta should be able to use this link to go directly to that page.
Is there an integration that provides this out of the box? Any docs that can help me set this up?
I initially thought this would be something super common and easy... All I have found is this blog post with expired links https://aws.amazon.com/blogs/security/how-to-use-saml-to-automatically-direct-federated-users-to-a-specific-aws-management-console-page/
You should be able to put your AWS console URL as urlEncoded_RelayState in the following:
https://{{oktaDomain}}/sso/idps/{{idpId}}?fromURI={{urlEncoded_IDPLoginURL?RelayState={{urlEncoded_RelayState}}}}
https://support.okta.com/help/s/article/SSO-into-SAML-app-with-RelayState-via-OpenID-Connect-Identity-Provider?language=en_US
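The template in the answer above nests one URL inside another, so the AWS console URL ends up percent-encoded twice (once as the RelayState value inside the IdP login URL, and again because that whole login URL is the fromURI value). The following is an added example, not code from the post or from Okta: the Okta domain, IdP id and app embed link are placeholder assumptions, and the CloudWatch dashboard URL is constructed. The second function reverses both layers so a link can be checked before it is handed out.

```python
"""Build an Okta deep link that lands a federated user on a specific AWS console page.
Added example: the Okta domain, IdP id and app embed link below are placeholders."""
import urllib.parse


def okta_deep_link(okta_domain: str, idp_id: str, idp_login_url: str, relay_state: str) -> str:
    """Follow the template
    https://{oktaDomain}/sso/idps/{idpId}?fromURI={urlEncoded(IDPLoginURL?RelayState={urlEncoded(RelayState)})}

    relay_state is the AWS console URL the user should land on after the SAML
    POST to AWS. It is encoded twice: once as the RelayState query value inside
    the IdP login URL, and again because that whole URL is itself the fromURI
    query value. safe='' forces '/' and ':' to be encoded as well.
    """
    inner = f"{idp_login_url}?RelayState={urllib.parse.quote(relay_state, safe='')}"
    return f"https://{okta_domain}/sso/idps/{idp_id}?fromURI={urllib.parse.quote(inner, safe='')}"


def extract_relay_state(link: str) -> str:
    """Undo both encoding layers; parse_qs decodes one layer per call."""
    from_uri = urllib.parse.parse_qs(urllib.parse.urlsplit(link).query)["fromURI"][0]
    return urllib.parse.parse_qs(urllib.parse.urlsplit(from_uri).query)["RelayState"][0]


# Constructed sample values (placeholders, not real identifiers).
OKTA_DOMAIN = "example.okta.com"
IDP_ID = "0oaEXAMPLEidp"
# Embed link of the AWS SAML app in Okta (assumed shape; the real value is on the app's Sign On tab).
IDP_LOGIN_URL = "https://example.okta.com/app/amazon_aws/exkEXAMPLEapp/sso/saml"
CLOUDWATCH_DASHBOARD = (
    "https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#dashboards:name=prod-overview"
)

if __name__ == "__main__":
    link = okta_deep_link(OKTA_DOMAIN, IDP_ID, IDP_LOGIN_URL, CLOUDWATCH_DASHBOARD)
    print(link)
    # The '#' of the dashboard URL survives as %2523 in the final link.
    assert extract_relay_state(link) == CLOUDWATCH_DASHBOARD
```

Because the fragment (`#dashboards:...`) is part of the RelayState, it must be encoded on the first pass; a raw `#` would be dropped by the browser before Okta ever saw it.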

Access Cloud Run URL for GCP authenticated users

Using IAM, is there any simple way to let a GCP console logged in user to access a Cloud Run URL?
The idea here is to have a lightweight way to protect the access to some URLs for people who are already logged in to the console.
So I don't want the world to have access, only my GCP users.
It seems that the options are either:
Set up IAP for Cloud Run => costly (load balancer) and not exactly simple
Set up the container to require authentication, generate a token from the console, use a browser extension and inject the said token on each request.
Note: I tried to set up a container as allowing unauthenticated calls but removing the allUsers principal from the Invoker role and sticking to a particular email address. The URL ended up still being available to unauthenticated browsers.
Seems like a very simple use case but unless I am missing something, the options are all over-the-top.
Thanks,
Maybe this might work for you (don't necessarily know if it's the best architecture)
Deploy Cloud Run and ONLY allow authenticated invocation
Create a very simple GAE project. Add login: required to app.yaml so that anyone trying to load the app is forced to login
Your GAE code can then invoke the cloud run endpoint. Your code will generate a token and include it as a header when making the call to the cloud run endpoint. See this documentation
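The "generate a token and include it as a header" step from the answer above (the same bearer header the curl and browser-extension routes in the earlier Cloud Run question rely on) in code, as an added example that is not from the posts or from Google's documentation. It assumes the google-auth package is installed, that the caller runs where a Google identity is available (the GAE/Cloud Run metadata server, or GOOGLE_APPLICATION_CREDENTIALS locally), and a placeholder service URL. Cloud Run checks the ID token's `aud` against the service URL, so the helper derives that audience and refuses to send a token minted for a different service.

```python
"""Call an IAM-protected Cloud Run service with a Google-signed ID token.
Added example: service URLs are placeholders; requires google-auth for the live call."""
import base64
import json
import urllib.parse
import urllib.request


def audience_for(service_url: str) -> str:
    """Cloud Run validates the token's `aud` against the service URL (scheme + host, no path)."""
    parts = urllib.parse.urlsplit(service_url)
    return f"{parts.scheme}://{parts.netloc}"


def unverified_claims(id_token_str: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Used only to fail fast on a wrong audience before the round trip; Cloud Run
    performs the real signature and audience verification server-side.
    """
    payload = id_token_str.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_id_token(audience: str) -> str:
    """Mint an ID token for the runtime service account (metadata server or
    GOOGLE_APPLICATION_CREDENTIALS). Imported lazily so the rest works offline."""
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def build_request(service_url: str, id_token_str: str) -> urllib.request.Request:
    """Attach the bearer token, refusing a token minted for another audience."""
    expected = audience_for(service_url)
    aud = unverified_claims(id_token_str).get("aud")
    if aud != expected:
        raise ValueError(f"token audience {aud!r} does not match service {expected!r}")
    return urllib.request.Request(service_url, headers={"Authorization": f"Bearer {id_token_str}"})


def call_service(service_url: str) -> bytes:
    """Full flow: mint a token for the service's audience and GET the URL."""
    request = build_request(service_url, fetch_id_token(audience_for(service_url)))
    with urllib.request.urlopen(request) as response:
        return response.read()


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature, for offline testing of build_request only."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(claims)}.dummysig"


if __name__ == "__main__":
    # Placeholder Cloud Run URL; the path is not part of the audience.
    SERVICE_URL = "https://hello-abc123-uc.a.run.app/report?range=7d"
    print(audience_for(SERVICE_URL))  # https://hello-abc123-uc.a.run.app
    print(call_service(SERVICE_URL).decode()[:200])
```

On GAE the runtime service account also needs the Cloud Run Invoker role on the target service; with "Require authentication" set, that IAM binding is what the platform checks after validating the token.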

AWS Federated User - multiple aws accounts?

I'm not sure whether or not this is possible. We have a couple of different Amazon Web Services accounts, in this case let us just call them:
Test environment 1
Test environment 2
Production environment
I really want to manage as much as possible with our Google accounts. Let us say, as a developer I have access to all three accounts in AWS, and I want to be able to access all these accounts with this one mail. (Is this even possible?)
I have tried following this guide: https://wheniwork.engineering/how-to-setup-google-sso-and-aws-4496f054a707
The SAML login with Google works just fine, but I'm not really sure how I can change accounts while logged in?
I would love for it to show all organizations that I have access to, and change between them.
What you are looking for is already provided by AWS and it's called 'AWS Landing Zone'.
Using Landing Zone, you can spin up multiple AWS accounts, and log in using one credential (Ex: your existing AD credentials)
SSO
Accounts
If you are new to this, I suggest looking at this AWS Tutorial to get an idea about it.

API credentials as federated aws user?

My company provides me with federated access to AWS. By that I mean we go to a website where we log in with our SSO, which then allows us to pull up the AWS console (i.e. through a custom federation broker as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
I can create instances (ec2) just fine through the UI. My question is, how can I get API credentials to use with aws cli?
In the IAM dashboard I don't see an option to create a credential set for myself.
Is this even something I can get to, or do they (=my it people) need to change something in the setup?
Thanks a bunch!
PS. To clarify, we're not going through OneLogin.
You can create a program to do this leveraging your credentials, your SSO config, and boto3.
Alternatively, I use this Google Chrome plugin: https://github.com/prolane/samltoawsstskeys/blob/master/README.md
Atlassian also released a tool recently to help solve this problem, and there are some other ones out there if you do some searching.
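What the "program leveraging your credentials, your SSO config, and boto3" in the answer above boils down to, as an added example that is not the post's code nor any of the tools it links: once the browser has produced the base64 SAMLResponse (the form field the IdP POSTs to https://signin.aws.amazon.com/saml), the Role attribute in it lists the role/provider ARN pairs you may assume, and STS AssumeRoleWithSAML turns the assertion into temporary keys for the CLI without any long-lived access key existing in IAM. The sample assertion, account ids and role names are constructed placeholders; capturing the SAMLResponse from the browser session is left to whatever SSO flow your broker uses.

```python
"""Turn a SAML assertion from a federated login into AWS CLI credentials.
Added example: the sample SAMLResponse, account ids and role names are constructed."""
import base64
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAML_ASSERTION_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"


def parse_roles(saml_response_b64: str) -> List[Tuple[str, str]]:
    """Return the (role_arn, principal_arn) pairs advertised in the assertion.

    AWS documents each Role value as 'role-arn,provider-arn', but some IdPs emit
    the pair in the opposite order, so pick by the ':role/' marker, not position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(SAML_ASSERTION_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTRIBUTE:
            continue
        for value in attr.iter(SAML_ASSERTION_NS + "AttributeValue"):
            first, second = (part.strip() for part in value.text.split(","))
            role, principal = (first, second) if ":role/" in first else (second, first)
            pairs.append((role, principal))
    return pairs


def assume_role_with_saml(sts, role_arn: str, principal_arn: str,
                          saml_response_b64: str, duration: int = 3600) -> dict:
    """Exchange the assertion for temporary keys; `sts` is a boto3 STS client.

    AssumeRoleWithSAML is unsigned: the assertion itself is the credential, so
    the caller needs no AWS keys to start with.
    """
    response = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration,
    )
    return response["Credentials"]


def credentials_profile(creds: dict, profile: str = "saml") -> str:
    """Render an ~/.aws/credentials section; the session token is mandatory."""
    return (
        f"[{profile}]\n"
        f"aws_access_key_id = {creds['AccessKeyId']}\n"
        f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
        f"aws_session_token = {creds['SessionToken']}\n"
    )


# Constructed sample SAMLResponse, trimmed to the elements this script reads
# (a real one also carries Subject, Conditions and a Signature).
_SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/GoogleIdP</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::210987654321:saml-provider/GoogleIdP,arn:aws:iam::210987654321:role/ReadOnly</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml2:AttributeValue>dev@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()


if __name__ == "__main__":
    # Usage: python saml_to_cli.py <file with the base64 SAMLResponse> [role index]
    saml_b64 = open(sys.argv[1]).read().strip() if len(sys.argv) > 1 else SAMPLE_SAML_RESPONSE_B64
    roles = parse_roles(saml_b64)
    for index, (role, _) in enumerate(roles):
        print(f"[{index}] {role}")
    if len(sys.argv) > 2:
        import boto3  # only needed for the live STS call
        role, principal = roles[int(sys.argv[2])]
        creds = assume_role_with_saml(boto3.client("sts"), role, principal, saml_b64)
        print(credentials_profile(creds))
```

The returned keys expire after `DurationSeconds` (capped by the role's maximum session duration), which is the point of the federated setup: nothing permanent to rotate or leak, and every CLI call is attributable to the SSO identity via the RoleSessionName.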