I have created an api gateway with AWS_IAM authentication. I need to access that api gateway so created one user with giving AmazonAPIGatewayInvokeFullAccess policy to that user.
but i am not able to call that api. Getting error as
"user arn:aws:iam::######:user/username is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:region:####:#####/stage/method/path"
Where as when i go to aws console and try to simulate that policy it is allowing me to invoke that api.
I tried https://www.youtube.com/watch?v=KXyATZctkmQ . But its not working. Please let me know if anyone has gone through it and tried something to solve this before. Thanks
Related
We are integrating the Role Assignments - List API from Microsoft Azure Cloud Management APIs, Link to documentation: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/list#errordetail
We have done all of the configs mentioned:
Registered a multi-tenant web app with Azure Active Directory for OAuth using App Registrations option,
Also enabled the https://management.azure.com/user_impersonation scope under Azure Service Management
Same scope is requested by the web app
So far OAuth succeeds but the access token received when used to call an API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 it fails with 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making actual call.
I looked at the details of access token using https://jwt.io/ and the scp element only seems to have "scp": "User.Read" scope, Missing the user_impersonation. Though the AUTH dialog from Microsoft login service shows clearly the requested user_impersonation grant. The user account I am using for the OAuth has access to the given azure subscription.
What might be the problem?
It's important to add scope with https://management.azure.com/user_impersonation when requesting for an access token.
Test using implicit grant flow in browser:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<your-app-id>
&response_type=token
&redirect_uri=<your-redirect_uri>
&scope=https://management.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Note: If you use client credentials flow, change scope to https://management.azure.com/.default.
We are experiencing problems with Authentication of Service Accounts for domain-wide delegation.
The main problem is it's hard to investigate and debug the auth configuration so
we would like to ask for some tips how to debug the configuration.
Or maybe we are missing some configuration options and you can point us to them.
Our process is:
Create SA(=Service Account) with enabled domain-wide delegation.
Authenticate SA in GSuite admin console(https://support.google.com/a/answer/162106?hl=en).
use client_id from the credentials file. (now email)
scopes are comma-separated without spaces between.
Ensure the "Security > API Reference > API Reference -> 'Enable API Access'" is checked.
For some GSuite domains this is working configuration, but we got some domains where this configuration results in:
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', '{\n "error": "unauthorized_client",\n "error_description": "Client is unauthorized to retrieve access tokens using this method."\n}')
In our understanding, this is the error saying the client_id and scopes were not added to the "Manage API client access" page. (=List of authenticated clients)
We really ensured that the GSuite domain we are requesting has the proper client_id and scopes added in the list of authenticated clients + has the 'Enabled API Access'.
We even created Shared Desktop with them and did it by ourselves to be fully sure of it.
But the error still persists.
However, we are not able to replicate this problem on our test GSuite domain.
We tried couple of options using same SA as the client:
The impersonated account hasn't permissions to access the resource.
This result in:
googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&alt=json returned "Not Authorized to access this resource/api">
The scopes are just partial:
google.auth.exceptions.RefreshError: ('access_denied: Requested client not authorized.', '{\n "error": "access_denied",\n "error_description": "Requested client not authorized."\n}')
The 'Enabled API Access' is not checked.
googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&alt=json returned "Domain cannot use apis.">
The error we are receiving from the client("Client is unauthorized to retrieve access tokens using this method."), we are able to replicate only if the client_id is not in the list of authenticated clients at all.
But we are sure, the problematic GSuite domains have the SA authenticated in "Manage API client access" page.
We are using these scopes: https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/plus.login,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/contacts.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly
Do you have any ideas how to debug/solve this issue?
Here is what you need to do. Double check each step. If in doubt, start over.
Enable "Admin SDK API. This is enabled on a per project basis.
Create a service account. Do not add or remove any privileges. Don't change the service account in any way. If you do you will get an error that you are not authorized.
Enable Domain-wide Delegation on the service account.
Follow this document to delegate domain-wide authority to your service account:
Delegate domain-wide authority to your service account
When creating the service account credentials (from the downloaded Json) you will need the following scopes for full G Suite management:
"https://www.googleapis.com/auth/admin.directory.group",
"https://www.googleapis.com/auth/admin.directory.user"
Impersonate a user account which creates new credentials. The user account needs to be a G Suite superadmin. This account must have logged into G Suite at least once and accepted the Terms of Service.
Create your client using the credentials from step #5.
Working Python Example:
from googleapiclient.discovery import build
from google.oauth2 import service_account
# This is the service account credentials file
credentials_file = 'google-directory-api.json'
# In this example I only need to send email
credentials = service_account.Credentials.from_service_account_file(
credentials_file,
scopes=['https://www.googleapis.com/auth/gmail.send'])
# This user is a G Suite superadmin
impersonate = 'username#example.com'
credentials = credentials.with_subject(impersonate)
service = build('gmail', 'v1', credentials=credentials)
I think we are going to need to take this in stages. Lets start with your first error and see if that fixes your issue.
Background info
There are several types of clients that you can create in Google developer console. Here are the top three.
Browser client: Used for web applications
Native client (other): used for installed desktop applications
Service account: used for server to server communication.
The clients are different the client.json file you download is different and the code used to authenticated to the authentication server is also different.
Error 1: code / client missmatch
unauthorized_client: Client is unauthorized to retrieve access tokens using this method.
Can mean one of two things. Either you have created a service account client and you are not using service account code to authenticate or you are are using the code to authenticate with a service account but you have not created a service account client. You haven't posted what language you are using or any code so I cant tell you if the code you are using is intended to be used with a service account or not. Your going to have to look into this one a bit.
Check in developer console make sure your client is like this If it is check your code. If it isnt then create a real service account client and try again.
Anyone come across this error when trying to use the Google Vault API using the Service Account OAUTH2 method?
HttpError 400 when requesting https://vault.googleapis.com/v1/matters?alt=json&pageSize=10 returned "The user does not belong to any Dasher customer."
Is Dasher a Google internal name for Postini?
I've gone over the API and service account permissions multiple times.
Turns out I needed to add delegated credentials like so:
delegated_credentials = credentials.with_subject('delegateuser#example.com')
As shown above one of my lambda function HelloCloudGurus which trigger by API gateway and it can be triggered by the API link as below:
https://APIServiceID.execute-api.ap-southeast-1.amazonaws.com/prod/HelloCloudGurus
When I click on the link it shows that I can still access the link despite the Authorization has been set to AWS_IAM?
How to configure it so that it will validate signature on request and return me something like below?
{"message":"Missing Authentication Token"}
Please use Cognito. You can still acheive it by API Gateway Custom Authorizer but Cognito is the right candidate for security. Have a read on below AWS documentation for custom authorizer,
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
I'm following https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/ and attempting to set up a script to patch my Google users with SSO AWS roles.
Using the scope listed at https://developers.google.com/admin-sdk/directory/v1/reference/users/patch , I've authenticated properly and have confirmed by doing a simple:
service.users().list(customer='my_customer', maxResults=10, orderBy='email').execute()
This returns successfully with a list of users. However, when I try to execute a patch query with:
service.users().patch(body=body, userKey=user_email).execute()
The response is "Not Authorized to access this resource/api".
Is this endpoint special in some way? It appears the only way to successfully access this resource is by authenticating with a super admin account, which I would prefer not to do.
Please note that it was mentioned in Directory API: Authorize Requests that,
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
With this, I suggest that you use Authorizing requests with OAuth 2.0.
You may also check other possibilities why such error can be encountered from these SO posts:
Google_Service_Directory - (403) Not Authorized to access this resource/api
The root of the problem is that the service account is not an administrator on the domain, so it cannot access the Admin SDK Directory API. Instead, you need to enable domain-wide delegation for your service account, and then have the service account impersonate a domain admin when it makes the request.
Google Directory API returns Not Authorized when call users().list().execute()
Hope that helps!