I am trying to create destination for the SP API notification. I have already changed to permission policy my AWS queue to grant create messages and read message attributes permissions.
I am using STS credentials to sign the request in postman. This request is supposed to be a grantless operation, so ideally it shouldn't ask for access token. Please help me understand what could I possibly be doing wrong.
Request in Postman:
POST /notifications/v1/destinations HTTP/1.1
Host: sellingpartnerapi-eu.amazon.com
X-Amz-Content-Sha256: beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3
X-Amz-Security-Token: FwoGZXIvYXdzEHMaDI8z8g0xqn42DSi0ISKoAXEp97wFc6YYdaSZ9txcAswRRsRjZ32d++T4APe/rLIL1rDfq9A2c2KYuLsF8+9F/N7brZarJQymqFnQ57JcGugxK6Npg5o/UQjNhvnI0EUAIqTptb/bXLXnmz7I2K2lhGKgV7PEkqAQlX/iYGI5RoNN0wK1QE3IY3T1miyRLF40PGNHt16WQaZPTXsMfG6OvaFuMa/ijchvnQ+3KP9Hs62vVZoxeC0G3ii7rtyYBjItb1Ltu7wcpzAXRO6W/BZWWqNN28V2ZS+e0qiYryYtgdnv0Ov9KBDBJFWKplxu
X-Amz-Date: 20220906T100237Z
Authorization: AWS4-HMAC-SHA256 Credential=ASIA4RJ32PS7YHU6JTGP/20220906/eu-west-1/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=2c0c3727088ffa984f181c38c89afe305840cc0058cada48480c3103f5c544fa
Content-Type: application/json
Content-Length: 170
{
"name": "SaralDestination",
"resourceSpecification":
{
"sqs":
{
"arn": "arn:aws:sqs:eu-west-1:861803281599:SPNotificationQueue"
}
}
}
Response:
{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": "Access token is missing in the request header."
}
]
}
Gotta do a post request to: https://api.amazon.com/auth/o2/token
And then include in the headers as
x-amz-access-token the access_token (starting with Atza)
We are currently seeing an issue in terraform pipelines running in GKE pods where the datasource internally calling the cloudbilling.googleapis.com returns "Your client does not have permission to get URL".
We have added the serviceaccount to the billing account with Billing Account Viewer permission but still seeing the same behaviour(The service account has all other required permissions). A simple curl request to the cloud billing API also returns the same error and we observed this error in GKE Pod & GCP VM as well.
Previously we were running the terraform code using cloud build private worker pools and were able to access all the API's without any issues.
Request to the API without the authentication header(observed the same behaviour with auth token as well)
root#istio-ingressgateway-5944b79fdc-9fp67:/# curl https://cloudbilling.googleapis.com/v1/projects/test-projet/billingInfo
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 403 (Forbidden)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}#media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}#media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}#media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>403.</b> <ins>That’s an error.</ins>
<p>Your client does not have permission to get URL <code>/v1/projects/test-project/billingInfo</code> from this server. <ins>That’s all we know.</ins>
Calls to other API's are working as expected
root#istio-ingressgateway-5944b79fdc-9fp67:/# curl https://monitoring.googleapis.com/v3/projects/test-project/notificationChannels/6321545542211742323
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.monitoring.v3.NotificationChannelService.GetNotificationChannel",
"service": "monitoring.googleapis.com"
}
}
]
}
}
root#istio-ingressgateway-5944b79fdc-9fp67:/#
We are using VPC SC and Google private access is enabled on the subnets. Did anyone face this issue and what is the recommended steps/config to resolve this?
We are able to resolve this issue after configuring the cloud DNS response policy for cloudbilling.googleapis.com, The previous private google access setup used the restricted.googleapis.com which is not supporting cloudbilling.googleapis.com.
We had to remove the private zone setup for the google private access and configure response policies for cloudbilling.googleapis.com and *.googleapis.com
Attached are the screenshots of the response policy configuration and the setup additional response policy rules for the API's that are not covered under SC.
Note: The terraform google_dns_response_policy_rule is currently not supporting passthrough behaviour so had to use the localdata, you can able to use passthrough behaviour for the API's once this issue is fixed https://github.com/hashicorp/terraform-provider-google/issues/11193
we encounter a blocking error during the validation of a JWT token by the gateway.
We are testing an integration environment using two docker containers on two different virtual machines. The first vm contains the APIM 3.0.0 and the second contains the IS 5.9 as Key Manager. The IS is federated with Azure AD.
We obtain a well-formed JWT token by IS with user data from Azure, but the APIM couldn't find a public certificate to verify signature with the given alias. Both wso2 components have their own client-truststore.jks updated with re-created public certificate (we replaced localhost with the public IP of the vms).
Following some useful details:
This is the error in the log of the APIM container:
[2020-01-30 15:20:00,072] WARN - SourceHandler I/O error: Received fatal alert: certificate_unknown
[2020-01-30 15:20:00,404] ERROR - GatewayUtils Couldn't find a public certificate to verify signature with alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256
[2020-01-30 15:20:00,405] ERROR - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Unclassified Authentication Failure
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody42(APIAuthenticationHandler.java:433) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:413) ~[org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody36(APIAuthenticationHandler.java:349) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:320) [org.wso2.carbon.apimgt.gateway_6.5.349.jar:?]
at org.apache.synapse.rest.API.process(API.java:366) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.apiProcessNonDefaultStrategy(RESTRequestHandler.java:149) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:95) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98) [synapse-core_2.1.7.wso2v131.jar:2.1.7-wso2v131]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) [axis2_1.6.1.wso2v38.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181) [synapse-nhttp-transport_2.1.7.wso2v131.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) [axis2_1.6.1.wso2v38.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Those are the keys provided by https://my_is_ip:my_port/oauth2/jwks:
{
"keys":[
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
},
{
"kty":"RSA",
"e":"AQAB",
"use":"sig",
"kid":"ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg":"RS256",
"n":"nwcvFrmKaAV3WLgNaronqMHZB5BK7czaRwaKAyM0PTR1KzSa3DJw3CtLtcyz6zvU72JmgFMRyu65H_ly51bCOI6UrpJrKs9bW50fVgjrlqAkCHYIP81s6YgmmLJ-LVZqhAN8g8FH_3b27zbzZ6crspaDmFjSfou4t_A6UTSvQRFbCzp9i5WmQLRHHDy74v9zJWeXCSVA9CknXV4dqpPGMVjJOQzmcaRmZs_rWpdasQUul-D59pY22FrtIziZDLVTerGDGir_dJJboFCzS_DXRch44NJk3cU4lrCcsAP2RXyNhVjJPgmilEnr1aRnxY-WNm_5QKGh37Ez8dLJVVw6LQ"
}
]
}
This is the result of postman call:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Unclassified Authentication Failure</ams:description>
</ams:fault>
This is the JWT token:
HEADER
{
"x5t": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA",
"kid": "ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256",
"alg": "RS256"
}
PAYLOAD
{
"at_hash": "hGnuod6ShKRrlkH_P-k4QA",
"sub": "d6206844-e54b-4ec2-8ace-26b46da24df2",
"ver": "1.0",
"richAccettazionePrivacy": "***************",
"iss": "https://***************:9443/oauth2/token",
"given_name": "***************",
"richAttivazioneCarta": "***************",
"tid": "962b4d1f-a68b-433e-aa78-265ef05d1047",
"aud": [
"dSdZgafomIsRXYQr6XyxIZyjp74a",
"***************"
],
"nbf": 1580399831,
"azp": "dSdZgafomIsRXYQr6XyxIZyjp74a",
"extension_codiceFiscale": "***************",
"scope": "openid",
"auth_time": "1580399827",
"name": "***************",
"exp": 1580403431,
"iat": 1580399831,
"personaId": "***************",
"family_name": "***************",
"jti": "c3b8c9bf-029c-4e51-8969-07f898e5654f",
"email": "***************"
}
how to solve this problem?
The public certificate of the private key that is used to sign the
tokens should be added to the trust store under the
"gateway_certificate_alias" alias. For more information, see Import
the public certificate into the client trust store.
Ref: https://apim.docs.wso2.com/en/3.0.0/Learn/APISecurity/OAuth2/AccessTokenTypes/jwt-tokens/
we solved adding the Identity Server public certificate to the Api Manager client-truststore with alias equal to Kid present in the token header.
As you can see there is no public certificate for alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256. What you can do is
Navigate to the IS_HOME/repository/resources/security/ directory.
keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks run this code in that directory. password is wso2carbon.
This will create a copy of wsp2carbon certificate copy.
keytool -import -trustcacerts -keystore client-truststore.jks -alias ZDgzMWM0MTU3NGI3ODkyYTVkN2Q2N2NmYzI5ZWU4ZjcxYTcyYzlkZA_RS256 -file wso2.crt run this code in API-M_HOME/repository/resources/security/to add wso2carbon public key to trust store.
When trying to add high availability on an existing Cloud SQL instance using:
gcloud sql instances patch $INSTANCE --project $PROJECT --availability-type regional
the process fails with this message
The following message will be used for the patch API method.
{"project": "$PROJECT", "name": "$INSTANCE", "settings": {"availabilityType": "REGIONAL", "databaseFlags": [{"name": "sql_mode", "value": "TRADITIONAL"}, {"name": "default_time_zone", "value": "+01:00"}]}}
ERROR: (gcloud.sql.instances.patch) HTTPError 400: The incoming request contained invalid data.
It also fails using the web interface.
Gcloud version Google Cloud SDK [280.0.0]
This is the output of the log (not much help that I can see):
2020-02-14 11:01:34,476 DEBUG root Loaded Command Group: [u'gcloud', u'sql', u'instances']
2020-02-14 11:01:34,510 DEBUG root Loaded Command Group: [u'gcloud', u'sql', u'instances', u'patch']
2020-02-14 11:01:34,517 DEBUG root Running [gcloud.sql.instances.patch] with arguments: [--availability-type: "regional", --project: "$PROJECT", INSTANCE: "$INSTANCE"]
2020-02-14 11:01:35,388 INFO ___FILE_ONLY___ The following message will be used for the patch API method.
2020-02-14 11:01:35,398 INFO ___FILE_ONLY___ {"project": "$PROJECT", "name": "$INSTANCE", "settings": {"availabilityType": "REGIONAL", "databaseFlags": [{"name": "sql_mode", "value": "TRADITIONAL"}, {"name": "default_time_zone", "value": "+01:00"}]}}
2020-02-14 11:01:35,865 DEBUG root (gcloud.sql.instances.patch) HTTPError 400: The incoming request contained invalid data.
Traceback (most recent call last):
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\lib\googlecloudsdk\calliope\cli.py", line 981, in Execute
resources = calliope_command.Run(cli=self, args=args)
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\lib\googlecloudsdk\calliope\backend.py", line 807, in Run
resources = command_instance.Run(args)
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\lib\surface\sql\instances\patch.py", line 306, in Run
return RunBasePatchCommand(args, self.ReleaseTrack())
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\lib\surface\sql\instances\patch.py", line 278, in RunBasePatchCommand
instance=instance_ref.instance))
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\lib\googlecloudsdk\third_party\apis\sql\v1beta4\sql_v1beta4_client.py", line 697, in Patch
config, request, global_params=global_params)
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\bin\..\lib\third_party\apitools\base\py\base_api.py", line 731, in _RunMethod
return self.ProcessHttpResponse(method_config, http_response, request)
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\bin\..\lib\third_party\apitools\base\py\base_api.py", line 737, in ProcessHttpResponse
self.__ProcessHttpResponse(method_config, http_response, request))
File "C:\Users\udAL\AppData\Local\Google\Cloud SDK\google-cloud-sdk\bin\..\lib\third_party\apitools\base\py\base_api.py", line 604, in __ProcessHttpResponse
http_response, method_config=method_config, request=request)
HttpBadRequestError: HttpError accessing <https://sqladmin.googleapis.com/sql/v1beta4/projects/$PROJECT/instances/$INSTANCE?alt=json>: response: <{'status': '400', 'content-length': '269', 'x-xss-protection': '0', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'vary': 'Origin, X-Origin, Referer', 'server': 'ESF', '-content-encoding': 'gzip', 'cache-control': 'private', 'date': 'Fri, 14 Feb 2020 10:01:35 GMT', 'x-frame-options': 'SAMEORIGIN', 'alt-svc': 'quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000', 'content-type': 'application/json; charset=UTF-8'}>, content <{
"error": {
"code": 400,
"message": "The incoming request contained invalid data.",
"errors": [
{
"message": "The incoming request contained invalid data.",
"domain": "global",
"reason": "invalidRequest"
}
]
}
}
>
2020-02-14 11:01:35,868 ERROR root (gcloud.sql.instances.patch) HTTPError 400: The incoming request contained invalid data.
2020-02-14 11:01:35,898 DEBUG root Metrics reporting process started...
Edit:
When using the gcloud cli command:
gcloud patch with 3 input parameters
Both $PROJECT and $INSTANCE do exist since I can gcloud sql databases list --instance $INSTANCE --project $PROJECT and it works fine.
availability-type=regional it's documented so should work
I'm not constructing the request manually, I'm using gcloud CLI
When using the console.cloud.google.com web interface:
Main menu -> SQL -> select instance -> Enable High Availability.
It's a button, no parameters added by myself.
Both return the same error "The incoming request contained invalid data."
Can't see how I may be doing it wrong.
Please check your data in the incoming request.
I used the Method: instances.patch and it worked as expected for me.
project
instance-name
request body:
"settings": {
"availabilityType": "REGIONAL",
"databaseFlags": [
{
"name": "sql_mode",
"value": "TRADITIONAL"
},
{
"name": "default_time_zone",
"value": "+01:00"
}
]
}
}
Curl command:
'https://sqladmin.googleapis.com/sql/v1beta4/projects/your-project/instances/your_instancet?key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"settings":{"availabilityType":"REGIONAL","databaseFlags":[{"name":"sql_mode","value":"TRADITIONAL"},{"name":"default_time_zone","value":"+01:00"}]}}' \
--compressed```
Response 200:
{
"kind": "sql#operation",
"targetLink": "https://content-sqladmin.googleapis.com/sql/v1beta4/projects/your-project/instances/your-instance",
"status": "PENDING",
"user": "#cloud.com",
"insertTime": "2020-02-14T12:35:37.615Z",
"operationType": "UPDATE",
"name": "3f55c1be-97b5-4d37-8d1f-15cb61b4c6cc",
"targetId": "your-instance",
"selfLink": "https://content-sqladmin.googleapis.com/sql/v1beta4/projects/wave25-vladoi/operations/3f55c1be-97b5-4d37-8d1f-15cb61b4c6cc",
"targetProject": "your-project"
}
I am working on an ember app ( Ember 2.11.0 ). Here is my content security policy settings:
contentSecurityPolicy: {
'default-src': "'none'",
'script-src': "'self'",
'font-src': "'self'",
'connect-src': "'self' 'localhost:4200' 'some-url'",
'img-src': "'self'",
'style-src': "'self' *",
'media-src': "'self'"
}
I am getting the following error when I try to make the following XMLHttpRequest:
XMLHttpRequest cannot load url-to-sccess. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:4200' is therefore not allowed
access.
Any suggestions?