I am using Hasura for a project. When I give permission to the public role (API exposed for everybody), no API is exposed in the API section of Hasura. In this case I only send X-Hasura-Role: public in the headers.
But all APIs for the role public are exposed when I add x-hasura-admin-secret. For the role public, x-hasura-admin-secret should not be needed. I don't understand what is going wrong there.
Set HASURA_GRAPHQL_UNAUTHORIZED_ROLE to public in your .env environment. If you use Hasura Cloud, add it in the Hasura Env Vars section.
I'm using pymongo (from the Airflow hook) to connect to a Mongo instance which implements FLE (Field Level Encryption) using Google KMS for the keys. We have a VM which has a service account file, and this is how we configured it:
import json

from airflow.providers.mongo.hooks.mongo import MongoHook
from pymongo.encryption_options import AutoEncryptionOpts

# Runs inside the operator; self.* are the operator's configured connection id,
# key-file path and key-vault namespace.
hook = MongoHook(self.source_conn_id)
creds = json.load(open(self.gcs_service_account_keypath))
kms_providers = {
    "gcp": {
        "email": creds['client_email'],
        # libmongocrypt expects the bare base64 key body, so strip the PEM armor
        "privateKey": creds['private_key'].replace(
            '-----BEGIN PRIVATE KEY-----\n', '').replace(
            '\n-----END PRIVATE KEY-----\n', '')
    }
}
auto_encryption_opts = AutoEncryptionOpts(
    kms_providers, key_vault_namespace=self.mongo_key_vault_namespace,
    bypass_auto_encryption=True)
# The hook forwards its extras to MongoClient when it opens the connection
hook.extras = {'auto_encryption_opts': auto_encryption_opts}
Now I'm trying to do the same in Cloud Composer, but I can't find how to access the private key from the default service account in Cloud Composer. I could export the service account key, add it to Secret Manager and access it like that, but it doesn't seem like a very good idea.
Any ideas how I can access it?
There are three types of service account private keys: Google-managed, user-managed and user-supplied (imported).
You cannot directly access the private key from a compute service as the metadata server does not provide access to private keys - only tokens created from private keys.
The standard recommendation is to use the IAM APIs to sign blobs/JWTs.
Your other option is to use a user-managed key, where you download the service account JSON key file and provide that file to your application, or load it as a secret from Secret Manager or a similar service.
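As an added illustration of that second option (this is not code from the question or from either answer): turning a downloaded service-account key file, for example one read back from Secret Manager, into the kms_providers document the question's snippet builds. The question's two .replace() calls leave the END line in place when the key has no trailing newline and do nothing for CRLF files; the regex below handles both. The Secret Manager call and the AutoEncryptionOpts constructor are assumed to be the standard google-cloud-secret-manager and pymongo APIs, and the sample key JSON is constructed with fake values.

```python
import json
import re

# Constructed sample with the shape of a Google service-account key file.
# Every value here is a fake placeholder, not a real credential.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "client_email": "kms-user@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4w\n"
                   "ggE6AgEAAkEA\n"
                   "-----END PRIVATE KEY-----\n",
})

# Matches the BEGIN/END armor lines of a PKCS#8 ("PRIVATE KEY") PEM block.
_PEM_ARMOR = re.compile(r"-----(BEGIN|END) [A-Z ]*PRIVATE KEY-----")


def pem_to_base64_der(pem: str) -> str:
    """Strip the PEM armor and all line breaks, leaving the base64 body that the
    GCP KMS provider's 'privateKey' field expects.

    Unlike chained .replace() calls this works with or without a trailing newline
    and with CRLF line endings.
    """
    body = _PEM_ARMOR.sub("", pem)
    return "".join(body.split())


def kms_providers_from_key_json(key_json: str) -> dict:
    """Build the kms_providers document from the text of a service-account key file."""
    creds = json.loads(key_json)
    if creds.get("type") != "service_account":
        # e.g. an 'authorized_user' file from gcloud auth would not carry a key
        raise ValueError("not a service-account key file")
    return {
        "gcp": {
            "email": creds["client_email"],
            "privateKey": pem_to_base64_der(creds["private_key"]),
        }
    }


def load_key_json_from_secret_manager(project_id: str, secret_id: str,
                                      version: str = "latest") -> str:
    """Assumed source for the key file: a Secret Manager secret version.

    Access to this secret should be limited to the Composer service account;
    whoever can read it can act as the KMS service account.
    """
    from google.cloud import secretmanager  # lazy import: optional dependency
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


def build_auto_encryption_opts(kms_providers: dict, key_vault_namespace: str):
    """Same AutoEncryptionOpts the question constructs (assumed pymongo API)."""
    from pymongo.encryption_options import AutoEncryptionOpts  # lazy: optional dependency
    return AutoEncryptionOpts(kms_providers,
                              key_vault_namespace=key_vault_namespace,
                              bypass_auto_encryption=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample
    providers = kms_providers_from_key_json(SAMPLE_KEY_JSON)
    print(providers["gcp"]["email"], providers["gcp"]["privateKey"][:16] + "...")
```

In Composer the only piece that changes from the VM version is where key_json comes from; the parsing is identical.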
You can generate a service account key following these steps. Instead of using Secret Manager, you can put the private key in the GCS bucket associated with your environment, in its data folder (gs://bucket-name/data), to make it accessible. For more information on using the Cloud Storage bucket associated with your Cloud Composer environment, you can refer to this documentation.
I created a user with username aggr1. When I log in to the dev portal with aggr1's credentials, I can access all of the published APIs. How can I force this particular user to only see two or three APIs in the Dev Portal?
Thanks
You can manage access to APIs through roles.
When creating an API, on the first page you have a dropdown "Access" (or "Visibility" or something like that) with default value All.
You can list the roles which are required to see the API in the dev portal, and then assign (or not) the roles to the user.
By default APIs are set to public, and any user who logs into the dev portal can see the APIs. You can set role-based visibility or visibility based on domain. Please refer to the documentation - https://apim.docs.wso2.com/en/latest/learn/design-api/advanced-topics/control-api-visibility-and-subscription-availability-in-developer-portal/#control-api-visibility-in-the-developer-portal
We are transitioning to using Terraform to create our architecture on Google Compute, and part of it utilises Firebase for the front-end. So far, I have managed to get this all working fine, but have hit a snag on Firebase Auth. Essentially, I want to allow 'Email/Password' authentication on a Firebase project programmatically.
The above shows where you find the setting in the UI console, but I want to be able to do that via an API/CLI, and also set the 'Authorised Domain'.
Yes, as of November 2022, this is now possible, either using Terraform, or the gcloud CLI and a bit of scripting. Both methods make use of the REST Identity Toolkit API.
If using Terraform: Your config file needs to specify a google_identity_platform_project_default_config resource: the documentation for it is available here. By way of example – assuming you've already declared a google_project resource called my_project, you could add the google_identity_platform_project_default_config resource as follows:
resource "google_identity_platform_project_default_config" "myconfig" {
  project = google_project.my_project.project_id

  sign_in {
    # Reject sign-ups whose email is already used by another account
    allow_duplicate_emails = false

    anonymous {
      enabled = false
    }

    # The Email/Password provider: the toggle shown in the question's screenshot
    email {
      enabled           = true
      password_required = false
    }
  }
}
This would enable email+password authentication, disallow anonymous access, and disallow duplicate email addresses.
If using the gcloud CLI: This would be a good deal fiddlier. I haven't tested it out completely, but it is presumably equivalent to what Terraform is doing behind the scenes. You need to obtain a service account access token, then use cURL (or a similar tool/API) to amend the Identity Toolkit configuration using the PATCH method (documentation here), supplying the token in the "Authorization" header.
gcloud lets you get an access token using the command gcloud auth print-access-token, but according to this 2021 blog post [1] by @DazWilkin, the token obtained using your regular human credentials can't perform the necessary PATCH operation; you need to use a token backed by a service account that has the correct permissions.
The blog post gives further details, but roughly, the steps are:
1. Create a service account and give it the correct permissions. (Not necessary if you already have an appropriate service account; such an account can be created either using the Firebase console or Terraform's google_service_account resource.)
2. Create a JSON service account key file. (Not necessary if you already have a key created, plus a JSON file for it. These JSON files contain an object with the keys "project_id", "private_key_id", and "private_key", and are exactly the same sort of file as gets generated from the Firebase console if you go to "Project Overview" / "Project Settings" / "Service Accounts" / "Generate new private key". They can also be created programmatically using Terraform's google_service_account_key resource.)
3. Allow gcloud to perform operations using the service account's permissions, by running gcloud's "auth activate-service-account" subcommand: something like
   $ gcloud auth activate-service-account --key-file=/path/to/key-file.json EMAIL_ADDRESS_OF_SERVICE_ACCOUNT
4. Obtain an access token for the service account by running gcloud auth print-access-token EMAIL_ADDRESS_OF_SERVICE_ACCOUNT.
5. Supply that token in the header of an HTTP PATCH request using cURL.
For more details, see the blog post; it's concerned with amending the "authorized domains" list for a Firebase project, but enabling email/password authentication would be very similar.
[1] Also mentioned in this Stack Overflow answer.
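The gcloud/cURL route above carried through in Python, as an added example that is not from the answer or from the blog post it cites. It obtains the token exactly as step 4 describes, by shelling out to gcloud auth print-access-token for the activated service account, and sends the PATCH to the Identity Toolkit admin API with the token in the Authorization header. The endpoint path, the updateMask query parameter and the field names signIn.email.enabled, signIn.email.passwordRequired and authorizedDomains are my reading of the REST API the answer links to (they mirror the Terraform attributes shown above) and should be checked against that documentation; the project id and service-account email are placeholders.

```python
import json
import subprocess
from urllib import request

# Assumed from the Identity Toolkit REST API (projects.updateConfig): admin v2 base URL.
IDENTITY_TOOLKIT_BASE = "https://identitytoolkit.googleapis.com/admin/v2"


def build_config_patch(project_id, email_enabled=True, password_required=False,
                       authorized_domains=None):
    """Build (url, body) for a PATCH of the project's Identity Toolkit config.

    The updateMask names exactly the fields being changed, so the rest of the
    config is left untouched. authorized_domains=None means 'do not touch that list'.
    """
    body = {"signIn": {"email": {"enabled": email_enabled,
                                 "passwordRequired": password_required}}}
    mask = ["signIn.email.enabled", "signIn.email.passwordRequired"]
    if authorized_domains is not None:
        body["authorizedDomains"] = list(authorized_domains)
        mask.append("authorizedDomains")
    url = f"{IDENTITY_TOOLKIT_BASE}/projects/{project_id}/config?updateMask={','.join(mask)}"
    return url, body


def service_account_access_token(service_account_email):
    """Step 4 of the answer: ask gcloud for a token for the activated service account."""
    out = subprocess.run(
        ["gcloud", "auth", "print-access-token", service_account_email],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def patch_identity_config(token, project_id, **changes):
    """Step 5: send the PATCH with the bearer token; returns the updated Config JSON."""
    url, body = build_config_patch(project_id, **changes)
    req = request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: replace with your project id and the service account from step 1.
    PROJECT_ID = "PLACEHOLDER_PROJECT_ID"
    SA_EMAIL = "PLACEHOLDER_SA@PLACEHOLDER_PROJECT_ID.iam.gserviceaccount.com"
    tok = service_account_access_token(SA_EMAIL)
    updated = patch_identity_config(
        tok, PROJECT_ID, email_enabled=True, password_required=False,
        authorized_domains=["localhost", "example.com"])
    print(json.dumps(updated, indent=2))
```

Because the mask is built from the same fields as the body, a later change (say, only the domains list) cannot accidentally reset the sign-in providers; a 403 from urlopen is the symptom the blog post describes when the token is not backed by a sufficiently privileged service account.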
I'm using IdentityServer and I want to create an application like Discord or Slack. Basically you can be part of multiple organizations, but you have a different role in each of them. So when you click on the role I want to create an access token with the role claims that correspond to your role in the organization. Basically, I am asking for a way to manually call my profile service, so I can always create the corresponding access_token.
I am asking for a way to manually call my profile service, so I can always create the corresponding access_token
You can add your custom ProfileService to IdentityServer; here are the steps to follow:
Add your custom ProfileService which implements IdentityServer4.Services.IProfileService. This class is added to the IdentityServer project.
public class CustomProfileService : IProfileService
{
}
Check out ProfileService to get an idea of the implementation details. And here is a very good example to follow.
Add it to the IoC container in the Startup class of the IdentityServer project:
services.AddTransient<IProfileService, CustomProfileService>();
Set it as the profile service used by IdentityServer - this code is in the Startup class of the IdentityServer project:
services.AddIdentityServer()
.AddProfileService<CustomProfileService>();
Read more here
I'm minting custom tokens using the Node admin SDK within a cloud function. As I'm using Firebase Cloud Functions, the default service account is discovered automatically in the managed environment.
Due to this, I'm able to sign custom tokens using the default service account. However I'm not able to verify these tokens, as the admin SDK only allows us to verify ID tokens and not custom tokens.
Is there any way that I can get access to the private key of the default service account via the admin SDK so that I can use a 3rd-party library to verify them?