AWS CodeArtifact Repository policy - aws-codeartifact

I have a question on repository policy in AWS CodeArtifact. We have created the Domain and the repositories within artifact. Now we need to restrict the repositories so that a user can ONLY pull from the CodeArtifact repo from their local machine and NOT be able to publish to this repo. We have set up the following policy on the repo:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<domainowner>:user/<username>"
      },
      "Action": [
        "codeartifact:DescribePackageVersion",
        "codeartifact:DescribeRepository",
        "codeartifact:GetPackageVersionReadme",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ListPackageVersionAssets",
        "codeartifact:ListPackageVersionDependencies",
        "codeartifact:ListPackageVersions",
        "codeartifact:ListPackages",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "*"
    }
  ]
}
But unfortunately, the user can publish by doing an npm login and npm publish to this CodeArtifact repo. This user has AdministratorAccess and AWSCodeArtifactReadOnlyAccess group.
Not exactly sure what we are doing wrong here. Any ideas/suggestions would be of immense help. Thank you all in advance.

To address this, we created a custom policy with an explicit Deny for codeartifact:PublishPackageVersion on the user who had AdministratorAccess, removed the AWSCodeArtifactReadOnlyAccess for the admin user, and everything seemed to work perfectly. Ideally, this may not be the correct solution. It might have been better to create separate user(s) with some of these policies. But for now this seems to work for us.
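Why the repository policy alone did not block publishing, and why the explicit Deny did, shown as an added example (not code from the posts above). It is a deliberately simplified model of same-account IAM evaluation: an Allow from either the identity-based or the resource-based policy grants access, and an explicit Deny anywhere overrides it. Principal and Resource matching, conditions, SCPs and permissions boundaries are ignored, and the policy objects and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the thread (variable names are illustrative).
ADMINISTRATOR_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

REPO_POLICY = {"Statement": [{   # resource policy from the question (abridged)
    "Effect": "Allow",
    "Action": ["codeartifact:DescribeRepository",
               "codeartifact:GetRepositoryEndpoint",
               "codeartifact:ListPackages",
               "codeartifact:ReadFromRepository"],
    "Resource": "*"}]}

DENY_PUBLISH = {"Statement": [{  # custom policy described in the answer
    "Effect": "Deny",
    "Action": "codeartifact:PublishPackageVersion",
    "Resource": "*"}]}


def _matches(statement, action):
    """True if the statement's Action entries cover `action` ('*' wildcard, case-insensitive)."""
    actions = statement["Action"]
    patterns = actions if isinstance(actions, list) else [actions]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(action, identity_policies, resource_policy):
    """Simplified same-account decision: explicit Deny, then any Allow, else implicit deny."""
    statements = [s for p in [*identity_policies, resource_policy]
                  for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return "explicit deny"
    if any(s["Effect"] == "Allow" and _matches(s, action) for s in statements):
        return "allow"
    return "implicit deny"


if __name__ == "__main__":
    publish = "codeartifact:PublishPackageVersion"
    pull = "codeartifact:ReadFromRepository"
    # Admin user, repo policy only: the identity policy's "*" still allows publish.
    print(evaluate(publish, [ADMINISTRATOR_ACCESS], REPO_POLICY))
    # Admin user plus the explicit Deny: publish blocked, pull unaffected.
    print(evaluate(publish, [ADMINISTRATOR_ACCESS, DENY_PUBLISH], REPO_POLICY))
    print(evaluate(pull, [ADMINISTRATOR_ACCESS, DENY_PUBLISH], REPO_POLICY))
    # Separate user with no identity grants: publish is never allowed.
    print(evaluate(publish, [], REPO_POLICY))
```

The last case is the alternative the answer mentions: a dedicated non-admin user needs no Deny, because nothing grants the publish action in the first place.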

Related

Firebase functions deploy 403 Permission denied on 'locations/null' error

I am trying to deploy a Firebase functions project on two different target projects on Firebase. One is in region "us-central" and the other one is "europe-west".
I'm using only functions and RTDB from Firebase, I don't have a need for "hosting".
At the start, I was having only one Firebase project region:"us-central" and I was able to deploy functions without problem. I have created another project recently in region:"europe-west" on the same billing account. And also in the local project I have added that another project using command:
firebase use --add project2
Since I didn't deploy functions for a couple of months and there was no need to check if deployment is still working on "project1", I have not checked if this functionality is working.
After adding "project2" I have issued command to deploy for the first time on another region.
When using command: "firebase deploy --only functions"
command ended with the following error:
There was an issue deploying your functions. Verify that your project has a Google App Engine instance setup at https://console.cloud.google.com/appengine and try again. If this issue persists, please contact support.
! functions: Upload Error: HTTP Error: 403, Permission denied on 'locations/null' (or it may not exist).
Error: HTTP Error: 403, Permission denied on 'locations/null' (or it may not exist).
[2022-05-11T19:32:17.580Z] Error Context: {
  "body": {
    "error": {
      "code": 403,
      "message": "Permission denied on 'locations/null' (or it may not exist).",
      "status": "PERMISSION_DENIED"
    }
  },
  "response": {
    "statusCode": 403
  }
}
Switching back to project1 and trying to deploy the same thing, I got the same error.
So now I'm stuck. Does anyone have experience with this problem and how to overcome it?
Google support suggests creating an "App Engine application". I cannot see how this can help, as I didn't have that thing in the first place and everything was working. Now with the second project I have this error that suggests a permissions problem. Since I have an OWNER account on both of these projects, what could be wrong?
What I have done so far:
installed the latest firebase tools (same problem)
defined default region on both projects (as stated above)
checked that I'm logged with the OWNER account (also switched between different owner account but the same issue)
checked permissions and didn't find anything useful
default service accounts exist on both projects with rights
visited the suggested link https://console.cloud.google.com/appengine on both projects (and still have the same error, although not sure if I need to deploy?!? - I don't have anything there to deploy, or do I?)
Config package.json:
{
  "name": "functions",
  "description": "Cloud Functions for Firebase",
  "engines": {
    "node": "10"
  },
  "dependencies": {
    "canvas": "^2.6.1",
    "firebase-admin": "^10.2.0",
    "firebase-functions": "^3.21.0",
    "jsbarcode": "^3.11.0",
    "qrcode": "^1.4.4"
  },
  "devDependencies": {
    "eslint": "^5.16.0",
    "eslint-plugin-promise": "^4.0.1",
    "firebase-functions-test": "^0.2.0"
  },
  "private": true
}
Configuration didn't change from the first deploy to project1, when everything was working fine.
At the end I found out the reason for my problem, and posting just to help the others if they end up with the same error.
The problem was not deployment script "per se" but the function that was connected to fetch data from RTDB on the project. Method "region" was supposed to get configured "region(fnRegion)" value, but that variable value was "null" and resulted with the error posted above during deployment.
function selectDatabaseReference(path = '/') {
  return functions
    .region(fnRegion) // Sets function region
    .database
    .ref(path); // Sets database reference path
}
It would be nice if I could get a more descriptive error about the real cause (I'm not truly sure what the content of that error message would be, though).
Anyway it's good I was not able to deploy functions because of this.

How to rewrites to firebase hosting

I have tried to work on this tutorial which is about creating Cloud Run environment and serving a page on Firebase Hosting.
https://firebase.google.com/docs/hosting/cloud-run#python
The Cloud Run part works as it says on the page, but the Firebase Hosting part is not working for me. I get a 404 error when I access PROJECT_ID.web.app/ and PROJECT_ID.firebaseapp.com/
I updated the Firebase CLI version to make it the latest version.
"hosting": {
  "public": "public", // I need to add this since I got an error without specifying the public dir
  "rewrites": [ {
    "source": "**",
    "run": {
      "serviceId": "helloworld", // "service name" (from when you deployed the container image)
      "region": "us-central1" // optional (if omitted, default is us-central1)
    }
  } ]
}
Does anyone have the same issue as well?
Thanks!
I am wondering if you have missed a step in the set up stage. There is a helpful guide that includes the steps for implementation you might want to have a look at.
You can also test your container locally with Docker to rule out any obvious issues first. If you need to install Docker you can follow this guide.
To run your container locally you can do:
PORT=8080 && \
  docker run -p 9090:${PORT} -e PORT=${PORT} gcr.io/myproject/my-image:latest
Replace myproject/my-image:latest with the project where the container image is stored on Google Cloud Platform.
The PORT environment variable specifies the port your application will use to listen for HTTP or HTTPS requests. This is a requirement from the Container Runtime Contract. In this example, we use port 8080.
http://localhost:9090

Can't access google cloud run service from Firebase Hosting

Basically what the title states. I'll be replacing the service name with 'xyzservice' and the region name with 'xyzregion' but everything else is exactly as is.
I have a firebase hosting app where I want to access a service running on Google Cloud Run. As per documentation, I'm using a rewrite rule:
{
  "hosting": {
    "public": "public",
    "ignore": [
      "firebase.json",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "/api/**",
        "run": {
          "serviceId": "xyzservice",
          "region": "xyzregion"
        }
      },
      {
        "source": "**",
        "function": "app"
      }
    ]
  }
}
I can confirm that I see xyzservice is part of my project when I run gcloud beta run services list
Despite this I keep getting this error:
HTTP Error: 400, Cloud Run service xyzservice does not exist in region xyzregion in this project.
I can't seem to find any information about this error online. Anyone know how I might resolve this?
Thanks in advance!
Same here. Are you using a region other than us-central1? In my case, changing the region from asia-northeast1 to us-central1 works. I'm not sure if it's a spec change or a failure.
Firebase Hosting deployments with rewrites to Cloud Run services located in europe-west1 were broken between 24. - 26. August 2020. I reached out to Google Firebase support. They acknowledged the bug and told me on the morning of 26. August that the issue is now resolved. The configuration above should now perfectly work (as long as the service actually exists).
(It was Firebase Support Case 00080862)

ARM template deploy generating conflict error for traffic manager

I have come onto a project that has had an ARM deployment via templates running for a number of months now, and until recently everything was working without issue:
Successful deployments
But then, something changed and most (but not all) deployments began failing:
Unsuccessful deployments
The error reported is:
{
  "code": "Conflict",
  "message": "Conflicting changes were detected when processing the request. This can happen when there are multiple requests trying to update one profile at the same time. Please retry your request."
}
Yet this is the only deploy running at the time. For now I've managed to stave off the issue by adding a dependsOn to the traffic manager resource:
{
  "apiVersion": "2015-11-01",
  "type": "Microsoft.Network/trafficManagerProfiles",
  "name": "[variables('traffic-manager-name')]",
  "location": "global",
  "properties": {
    "profileStatus": "Enabled",
    "trafficRoutingMethod": "Priority",
    "dnsConfig": {
      "relativeName": "[variables('traffic-manager-name')]",
      "ttl": 30
    },
    "monitorConfig": {
      "protocol": "HTTP",
      "port": 80,
      "path": "/"
    },
    "endpoints": [
      {
        "name": "[variables('traffic-manager-endpoint')]",
        "type": "Microsoft.Network/trafficManagerProfiles/azureEndpoints",
        "properties": {
          "endpointStatus": "Enabled",
          "targetResourceId": "[resourceId('Microsoft.Web/sites', variables('web-app-name'))]",
          "target": "[concat(variables('web-app-name'), '.azurewebsites.net')]",
          "weight": 1,
          "priority": 1,
          "endpointLocation": "[resourceGroup().location]"
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/Sites', variables('web-app-name'))]"
  ]
}
But I am concerned that doing so may simply be obfuscating a genuine issue that still needs addressing. If anyone knows any more about that error, or why it might have just started happening out of nowhere, I'd love to know!
When using an ARM template to deploy Traffic Manager, it returns a 409 conflict error, "Conflicting changes were detected when processing the request. This can happen when there are multiple requests trying to update one profile at the same time. Please retry your request.", because ARM template deployments are aimed at creating new resources and hence use PUT requests. If the traffic manager profile already exists, it will return when the template makes a change that would alter or affect existing profiles. Before deployment, there was a traffic manager created, thus the template failed with the conflict error. To resolve or overcome the issue, make sure that no TM profile was created before the ARM deployment. Then retest the deployment.
Hope this helps! Cheers!

Configure firebase for sub-app within a folder

I have used Firebase Hosting to host my app in the root; however, I would like to serve a separate codebase for my forum under https://myapp.com/forum/
I created two targets: app for my root app in one repository and forum for my other repository. I also created two sites in Firebase.
My question is: is it even possible to have two separate repos and use firebase deploy to have one project under root and the other under /forum/?
firebase.json (app):
"rewrites": [
  {
    "source": "!/forum/**",
    "destination": "/appIndex.html"
  }
]
firebase.json (forum):
"rewrites": [
  {
    "source": "/forum/**",
    "destination": "/forumIndex.html"
  }
]
I would like Firebase to show the app in the root and the forum when I point to mydomain.com/forum/
You can maintain your code in two different repos but once you want to deploy to firebase you'll have to build both and deploy both from the same directory.
