Iam trying to hit the api provided in the airflow ui on aws console. I tried to access the web server but when i try to get the list of dags iam getting unauthorized error. Do we need any role or permission to access rest api and get the expected response out. I tried with webtoken creation and passed in to hit api. Tried with basic auth and aws signatures as well.
Do we need any extra permissions?
In order to access the Airflow API, an IAM entity (e.g. user, role, etc) needs access to one or more of the following managed permissions policies:
AmazonMWAAFullConsoleAccess
AmazonMWAAFullApiAccess
AmazonMWAAReadOnlyAccess
AmazonMWAAWebServerAccess
AmazonMWAAAirflowCliAccess
References:
Accessing an Amazon MWAA environment (AWS)
Creating an Apache Airflow web login token (AWS)
Related
I make use of the cloudstack API, to integrate into a 3de party portal. I would like to access the console proxy via the API, cant find the API methods to do so.
Ie get the session token for the specific virtual machine and open up the ajax window from our 3de party portal.
The management server should expose the Console Proxy to use via the API, then I assume you should acquire a token based on login credentials, or via the API for the specific Virtual Machine you have access to.
If someone done this before, would be appreciated to share some detail related to this request.
Looking at the source for Console Proxy I solved this problem per below :
Use the same authentication procedure the normal cloudstack api use defined her - http://docs.cloudstack.apache.org/en/latest/developersguide/dev.html
Use the same API Key and sign the request with API Secret provided from Cloudstack:
The Console proxy endpoint are as follow - /console?cmd=access&vm=xxx, on success a Url will be returned with a token to access the virtual machine.
Test Results -
Request:
CloudstackRequestClientFilter -> cmd=access&vm=29603248-6d8a-4582-aa9a-4d1bfb4d7714&apikey=3NRrdrhDTwggQ_oQny11dD39-XRWJxCd0dh2xqtMNShrz_jb4ZdhHtmRh7NYiOfRzLNwPcBVAfT9FHh9v96vzg&response=json&signature=u4c7QZNQNcN+2s3fhRNSHTyl7+Q=
Response :
frame src="http://172.16.90.99/ajax?token=TCbfnguNvsHEkga3jPJEfZctqiPHTEynM6sAG2K8iIuioKHU8UU1QAWuQLHATd0dznP9vXPggHJp9km_1bmmStiD1PPKr6nZeid0NVI7kUt8_vOGkOK4vdM2d388KFj8oA280mQ-ZjPHWPgU4gCn47nLVb-2cVxNgOijOjdgDEDj5vlqFkzz2YhcqkLt6CIVdFcAJ1g1gqvhrO530ubjLZsiQvxs_kn9X8eXMafhRm_qugu3k6lLuG38zXsK9jKNWkmqoAV2EBBZh-r6agm4dQ">
Hope this helps, took met sometime to figure this out, source for the console proxy can be found here :
https://github.com/apache/cloudstack/blob/master/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
I have webapp to make changes in ADF (kinda deployment of objects in ADF). I want to authenticate user against ADF. I am able to detect who is accessing web app. I get Azure AD Id like user1#company.com. I want to validate if the same user has access to ADF and if yes, generate bearer token to make changes in ADF (using rest api) or using SDK.
You can use the way below to get the access token when the user login to the web app, no need to validate if the same user has access to ADF, because if he does not have the access, the token will not be able to call the rest api, he will get the 401 unauthorized error.
1.First, make sure you have configured your web app to use Azure AD login, then navigate to the resource explorer -> find your web app -> add ["resource=https://management.azure.com"] to additionalLoginParams like below -> PUT.
2.Navigate to the Azure Active Directory in the portal -> App registrations -> find the AD App corresponding your web app -> API permissions -> add the permission user_impersonation of Azure Service Management like below.
3.Then when the user login the web app, after he consents the permissions, you can get the token with endpoint https://webappname.azurewebsites.net/.auth/me, and use the token to call the data factory rest api.
4.Make sure the user has an RBAC role e.g. Contributor in your subscription/ADF, then the token will be able to call the rest api successfully.
For example, I test with Pipelines - List By Factory api, it works fine.
I want to check if AWS Security Hub integration is enabled for particular aws account ID and particular region using AWS Security Hub SDK?
For checking this, follow the below steps:
Your AWS account needs to have connector permissions (AWS-SD-Connector-Role) to target aws account
Assume role using the target account ARN (Amazon Resource Name) and get the temporary session credentials of a target account.
Now using the temporary session credentials get the security-hub object of a target account and check which all product subscriptions are enabled in it.
I'm building a Java application which needs to access the DynamoDB. The application is intended to be used by several end users (not all of them are trusted). From my understanding, in order to access the AWS service,the AWS credentials need to be loaded at runtime on end users' machine via several ways described at https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
However I don't feel it'll be safe to directly hardcode the access key and token into the application code, as this can be easily exposed. Given my end users don't have too much technology background, I don't want to add too many "pre-setup" steps before they can use the application.What will be best/feasible practise to distribute the credential to them?
Thanks for all opinions.
You probably need to be looking at AWS Cognito
An Amazon Cognito user pool and identity pool used together
See the diagram for a common Amazon Cognito scenario. Here the goal is
to authenticate your user, and then grant your user access to another
AWS service.
In the first step your app user signs in through a user pool and
receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials
through an identity pool.
Finally, your app user can then use those AWS credentials to access
other AWS services such as Amazon S3 or DynamoDB.
I am using Angularfire to make a website. I am trying to integrate oauth based sign in with google for user authentication but when I try to run index.html file and try to login following error is displayed
11:59:28.189 Error: There are no login transports available for the requested method.
Stack trace:
Mg#file:///G:/Project/root/js/firebase.js:142:1267
dh/<#file:///G:/Project/root/js/firebase.js:163:141
1 app.js:31:4
I searched on stackoverflow for this and got this answer , it says that I need to setup a server for this.
Then I looked at firebase docs and they said
For security reasons, if you're using a web-based OAuth flow
(Facebook, Twitter, Github, or Google), only domains that you
whitelist are allowed to initiate authentication for your app. This
does not apply to Email & Password, Anonymous, or Custom
authentication methods. All Firebase applications have localhost and
127.0.0.1 enabled by default for local development and testing.
The authentication works fine after I host it on firebase but deploying takes a lot of time and also sometimes even I don't have access to internet.
So please suggest me easiest manner so I can run my app on localhost.
An easy way to locally run a Firebase (or any other) web site is to use the Firebase tools and then run
firebase serve
See this blog post introducing the local server.