Error: Error getting Backup Vault: AccessDeniedException: - terraform-provider-aws

Can Someone please help what is this error for? I was configuring AWS Backup and got this error message. I have tried in many ways (IAM policy etc) but no luck. Any assistance is much appreciated.
Error: Error getting Backup Vault: AccessDeniedException:
status code: 403, request id: 501c0713-0ce9-4879-93f6-1887322a38be

I ran into this issue using terraform. I figured this out by adding the "backup-storage:MountCapsule" permission to the policy of the role I am using to create the resource. Here is a slightly edited policy and role configuration. Hopefully, this helps someone.
data "aws_iam_policy_document" "CloudFormationServicePolicy" {
statement {
sid = "AllResources"
effect = "Allow"
actions = [
"backup:*",
"backup-storage:MountCapsule",
...
]
resources = ["*"]
}
statement {
sid = "IAM"
effect = "Allow"
actions = ["iam:PassRole"]
resources = ["*"]
}
}
resource "aws_iam_policy" "CloudFormationServicePolicy" {
name = "${local.resource_name}-CloudFormationServicePolicy"
description = "policy for the IAM role "
path = "/${local.metadata["project"]}/${local.metadata["application"]}/"
policy = data.aws_iam_policy_document.CloudFormationServicePolicy.json
}
resource "aws_iam_role" "CloudFormationServiceRole" {
name = "${local.resource_name}-CloudFormationServiceRole"
description = "Allow cluster to manage node groups, fargate nodes and cloudwatch logs"
force_detach_policies = true
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Action" : "sts:AssumeRole",
"Principal" : {
"Service" : ["cloudformation.amazonaws.com", "ecs-tasks.amazonaws.com"]
},
"Effect" : "Allow",
"Sid" : "TrustStatement"
},
{
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::xxxxxxx:role/OrganizationAdministratorRole"
},
"Action" : "sts:AssumeRole"
}
]
})
}
resource "aws_iam_role_policy_attachment" "CloudFormationService_task_role_policy_attachment" {
role = aws_iam_role.CloudFormationServiceRole.name
policy_arn = aws_iam_policy.CloudFormationServicePolicy.arn
}

Related

Accessing the GraphQL query from inside an AWS AppSync resolver

I would like to be able to access the GraphQL query inside of my AWS AppSync resolvers, but have not been able to figure out how to go about achieving this.
I use Terraform to create the resolver, like so:
resource "aws_appsync_resolver" "graphql_event_resolver" {
api_id = aws_appsync_graphql_api.appsync.id
type = "Query"
field = "event"
data_source = aws_appsync_datasource.graphql_datasource.name
request_template = <<EOF
{
"version" : "2017-02-28",
"operation": "Invoke",
"payload": {
"resolve": "event",
"arguments": $util.toJson($context.arguments)
}
}
EOF
response_template = var.response_template
}
Then I have a JavaScript resolver like the one below:
exports.handler = (event, context, callback) => {
console.log('VTL details: ', event);
callback(null, event);
};
I suspect the solution is to pass the query in the request template payload in the Terraform code where I create the resolver, but I have been unable to find any information on how to do this, so any help would be much appreciated.
Figured out, thanks to JWK's answer to this question, how to do it:
resource "aws_appsync_resolver" "graphql_event_resolver" {
api_id = aws_appsync_graphql_api.appsync.id
type = "Query"
field = "event"
data_source = aws_appsync_datasource.graphql_datasource.name
request_template = <<EOF
{
"version" : "2017-02-28",
"operation": "Invoke",
"payload": {
"resolve": "event",
"arguments": $util.toJson($context.arguments),
"query": $utils.toJson($context.info.selectionSetList)
}
}
EOF
response_template = var.response_template
}

Pass variables from terraform to arm template

I am deploying an ARM template with Terraform.
We deploy all our Azure infra with Terraform but for AKS there are some preview features which are not in terraform yet so we want to deploy an AKS cluster with an ARM template.
If I create a Log Analytics workspace with TF, how can I pass the workspace id to ARM.
resource "azurerm_resource_group" "test" {
name = "k8s-test-bram"
location = "westeurope"
}
resource "azurerm_log_analytics_workspace" "test" {
name = "lawtest"
location = "${azurerm_resource_group.test.location}"
resource_group_name = "${azurerm_resource_group.test.name}"
sku = "PerGB2018"
retention_in_days = 30
}
So here is a snippet of the AKS ARM where I want to enable monitoring and I refer to the workspaceresourceId. But how do I define/declare the parameter to get the id from the workspace that I created with TF
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"enableRBAC": "[parameters('EnableRBAC')]",
"dnsPrefix": "[parameters('DnsPrefix')]",
"addonProfiles": {
"httpApplicationRouting": {
"enabled": false
},
omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
}
}
},
you could use the parameters property of the azurerm_template_deployment deployment to pass in parameters:
parameters = {
"workspaceResourceId" = "${azurerm_log_analytics_workspace.test.id}"
}
I think it should look more or less like that, here's the official doc on this.

How can I configure security per node in Corda using Gradle?

I want to add the security property to my node configuration using Gradle. I'm trying to do something like the below:
node {
name "O=Bank_A,L=New York,C=US"
p2pPort 10005
rpcSettings {
address("localhost:10006")
adminAddress("localhost:10046")
}
h2Port 9005
cordapps = [
"$project.group:bank-abc:$project.version",
"$project.group:shared-contracts-states:$project.version",
"$corda_release_group:corda-finance:$corda_release_version"
]
security = {
authService = {
dataSource = {
type = "DB"
passwordEncryption = "SHIRO_1_CRYPT"
connection = {
jdbcUrl = "jdbc:h2:tcp://10.0.75.1:9014/node"
username = "some user"
password = "some pass"
driverClassName = "org.h2.Driver"
}
}
}
}
}
when I execute gradlew deployNodes. I get the below error:
What went wrong:
A problem occurred evaluating root project 'tbs-term-reciprocal-dapp'.
Could not set unknown property 'security' for object of type net.corda.plugins.Node.
In order to add security config, you need to use extraConfig within your node's Gradle script.
Taking your example, the extraConfig will look like this:
extraConfig = [
security : [
authService : [
dataSource : [
type: "DB",
passwordEncryption: "SHIRO_1_CRYPT",
connection : [
jdbcUrl: "jdbc:h2:tcp://10.0.75.1:9014/node",
username: "sa",
password: "",
driverClassName: "org.h2.Driver"
]
]
]
]
]

Meteor Google oAuth to refresh accessToken without re-login

This is my first post. I will try and be complete. I am creating a app in Meteor which uses google oAuth. I am using the following packages:
accounts-ui
accounts-google
service-configuration
google-config-ui
In my login.js I have:
Template.login.events({
'click #googleLoginButton': function() {
Meteor.loginWithGoogle(
{ requestPermissions: ['email', 'profile'],
requestOfflineToken: 'true'
}
);
}
});
I get the following in mongo:
db.users.find({}).pretty();
{
"_id" : "9TjGEjEj4ocFhwHtS",
"createdAt" : ISODate("2017-10-11T17:38:07.400Z"),
"services" : {
"google" : {
"accessToken" : "ya29.-REDACTED-T9z",
"idToken" : "eyJhbGcj-REDACTED-LTg",
"scope" : [
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile"
],
"id" : "107113228066746203535",
"email" : "XXXXXXy#XXXX.com",
"verified_email" : true,
"name" : "XXX XXX",
"given_name" : "XXX",
"family_name" : "XXX",
"picture" : "https://lh4.googleusercontent.com/.../photo.jpg",
"locale" : "en",
"gender" : "male",
"refreshToken" : "1/HG-REDACTED-oLq0USutc"
},
"resume" : {
"loginTokens" : [
{
"when" : ISODate("2017-10-11T21:47:38.471Z"),
"hashedToken" : "2lmOK-REDACTED-ptAyDnWo="
}
]
}
},
"profile" : {
"name" : "XXX XXX"
}
}
In the Server/init.js I have: (I am passing the google project info via settings.json)
configureGoogle = function(config) {
ServiceConfiguration.configurations.remove({
service: "google"
});
ServiceConfiguration.configurations.insert({
service: "google",
clientId: googleConfig.clientId,
secret: googleConfig.secret
});
return;
};
if (googleConfig) {
console.log('Got settings for google', googleConfig)
configureGoogle(googleConfig);
}
So things seem to be working. I can login / out and when I login I get new tokens. I use the accessToken for api calls in other places. The problem I have is that after a hour the token expires and the API calls start to fail.
I would like to refresh the accessToken just before it expires and cant seem to figure out how. I would also like to force a logout after 24 hours so the token does not refresh forever.
Any assistance if appreciated.
Update #1
Thanks to Derek Brown below for pointing me in the right direction. That got me to looking for a meteor google api. I found this one: percolate:google-api
and according to it doc it does what I was looking for:
If the user's access token has expired, it will transparently call the exchangeRefreshToken method to get a new refresh token.
I then ran into a error where the expiresAt Didnt exist in my mongodb and things were not working. I then found this post: Google-API which suggested:
server/publish.js
Meteor.publish(null, function() {
return Meteor.users.find(this.userId, { fields: {
'services.google.accessToken': 1,
'services.google.expiresAt': 1
}});
});
I also made one change from code above:
client/login.js
Template.login.events({
'click #googleLoginButton': function() {
Meteor.loginWithGoogle(
{ requestPermissions: ['email', 'profile'],
requestOfflineToken: 'true',
forceApprovalPrompt: 'true' //<==== This is the change
}
);
}
});
This added with no additional code changed this added the expiresAt and populated it.
Im doing final testing now. I will update.

Meteor Accounts via external services dont set user.username

I'm a complete newbie, and I've been fiddling with the Meteor 1.0 sample todo list app to connect google oauth to it.
When I do so the page no longer renders properly because {{username}} is not set at all.
https://docs.meteor.com/#/full/meteor_users says "username: a unique String identifying the user." but the oauth stuff doesn't create one for you.
Connect service to existing meteor account talks about linking an already existing account to another service, but in this case I just want to use the external service.
https://stackoverflow.com/questions/25182903/meteor-facebook-registration uses onCreateUser() to manually set
user.username = user.services.facebook.name
but this isn't portable across services nor to guarantee uniqueness.
https://github.com/aldeed/meteor-collection2 defines the User schema so that username is mandatory.
When I dump the users table (some fields removed) the google account doesn't have a username, and there is no field that can really take on that value automatically as there could be a clash. Email could be used but I'd rather the username wasn't the email address. Do I just force the user to specify a desired username?
meteor:PRIMARY> db.users.find()
{
"_id" : "YNWt2cATMsKFG7od6",
"createdAt" : ISODate("2014-11-05T11:08:00.406Z"),
"services" : {
"password" : {
},
},
"username" : “a_user”
}
{
"_id" : "CyQsJqcez3kWTRHyQ",
"createdAt" : ISODate("2014-11-05T12:09:40.139Z"),
"profile" : {
"name" : “Alice User”
},
"services" : {
"google" : {
"email" : “a_user#example.com",
"family_name" : “User”,
"gender" : “female",
"given_name" : "Alice”,
"id" : "1115",
"name" : “Alice User,
}
}
}
What is the correct way of handling this?
This is how I did it myself with facebook and google
Accounts.onCreateUser(function (options, user) {
if (options && options.profile) {
user.profile = options.profile;
}
if (user.services) {
var service = _.pairs(user.services)[0];
var serviceName = service[0];
var serviceData = service[1];
console.log("serviceName", serviceName)
if (serviceName == "facebook") {
user.emails = [
{"address": serviceData.email, "verified": true}
];
user.profile = {"first_name": serviceData.first_name, "last_name": serviceData.last_name, "avatar": getFbPicture(serviceData.id)};
}
else if (serviceName == "google") {
user.emails = [
{"address": serviceData.email, "verified": true}
];
user.profile = {"first_name": serviceData.given_name, "last_name": serviceData.family_name, "avatar": getGooglePicture(serviceData.id)};
}
}
console.log("user created :", user)
return user;
});
I do not use username but I use email so that I'm sure that it will be unique. After that
I could allow the user to set his username or display name like Stackoverflow or other services do.
However you could use the email as username and again let the user change it later.
In my application, I am using this to handle the same problem.
username = user.services.facebook.name
user.username=generateUsername(username)
generateUsername = function(username) {
var count;
username = username.toLowerCase().trim().replace(" ", "");
count = Meteor.users.find({"profile.un": username}).count();
if (count === 0) {
return username;
}
else {
return username + (count + 1)
}
This is will create a unique username. After successful signup you can allow the users to change the username and check your db for its existence.
In my application I use
if(user.services.facebook)
this.user = user.services.facebook.name
if(user.services.google)
this.user = user.services.google.name

Resources