I have 2 AWS CDK applications running in separate AWS accounts, and I'm trying to add CDK to get a lambda in one AWS account to subscribe to notifications in the other AWS account.
I tried adding the subscription in the lambda account, but this didn't work, since the SNS account doesn't grant permissions.
CDK in the SNS account:
val myTopic = Topic(this, "my-topic-id", TopicProps.builder()
.displayName("topicName")
.topicName("topicName")
.build())
CDK in the Lambda account:
val myLambda = Function(...)
val crossAccountTopic = Topic.fromTopicArn(this, "topic-id", "arn:aws:sns:<region>:<accountId>:topicName")
crossAccountTopic.addSubscription(LambdaSubscription(myLambda))
Has anyone tried something like this? Is there a way to grant access purely with changes to CDK in both accounts? Or is a manual action required? There may be a way to do this by granting access through IAM roles, so I will investigate this further.
Yes, you can grant access in both accounts through CDK. First, you must grant access in the providing account, and deploy the CDK/cloudformation stack. Then you can grant access in the client account.
CDK in the SNS account:
val myTopic = Topic(this, "my-topic-id", TopicProps.builder()
.displayName("topicName")
.topicName("topicName")
.build())
PolicyStatement snsAccessPolicy = PolicyStatement.Builder.create()
.principals(listOf(AccountPrincipal("123456346")))
.actions(Arrays.asList("SNS:Subscribe"))
.resources(Arrays.asList(myTopic.getTopicArn()))
.build();
myTopic.addToResourcePolicy(snsAccessPolicy);
CDK in the Lambda account:
val myLambda = Function(...)
val crossAccountTopic = Topic.fromTopicArn(this, "topic-id", "arn:aws:sns:<region>:<accountId>:topicName")
crossAccountTopic.addSubscription(LambdaSubscription(myLambda))
Note that the AccountPrinciple declared in the PolicyStatement of the SNS account refers to the AWS account ID of the subscribing Lambda account. Intuitively, the SNS account is granting access to the Lambda account, so the SNS account policy needs to grant the Lambda account access.
Related
I have a problem and I can't solve it.
When I import a firebase function, it seems that my SDK Admin service account is not working.
Log Firestore Functions
I tried :
Generate a new key
Different type of import
Here are the permissions for my service account:
Services Account Permissions
Do you see a problem somewhere?
I want to use the Firebase Admin SDK in my GCP cloud function, specifically for creating custom auth tokens.
I was getting auth/insufficient-permission errors after deployment and got to this thread. Note that it talks about Firebase functions, while I use pure GCP Cloud Functions.
To my understanding, GCP Cloud Functions uses the default App Engine service account, which is missing the Firebase Admin SDK admin service agent role.
I manually added it through the GCP console and it seems to solve the issue, but now I want to automate it via terraform where I manage my infrastructure.
How do I access the default App Engine service account? I think it's auto created when the GCP project is created.
How do I add the relevant role to it without changing other service accounts using that roles?
Is this it right approach, or is there a better way I'm missing?
The relevant documentation I was looking at is here. Note that I'm using initializeApp() without arguments, i.e. letting the library to discover the service account implicitly.
How to get the default App Engine service account through Terraform: google_app_engine_default_service_account
How to work with 'additional' IAM roles assigned to a service account:
IAM policy for service account
For general recommendations - I would prefer to use a specifically created service account and completely delete (or disable) the default App Engine service account.
Edit ==> Additional details as requested
Here is a description of Cloud Function service account in runtime:
The App Engine service account has the Editor role, which allows it broad access to many Google Cloud services. While this is the fastest way to develop functions, Google recommends using this default service account for testing and development only. For production, you should grant the service account only the minimum set of permissions required to achieve its goal.
Thus, it may be useful to delete/disable App Engine service account, create a specific service account for the given cloud function, assign it all relevant minimum of IAM roles, and use it.
As a side note I also would suggest to delete/disable the default Compute Engine service account, delete the default network with all firewall rules and subnetworks... But this is a separate story.
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:
In the permissions table, locate the email ending with #cloudbuild.gserviceaccount.com, and click on the pencil icon.
Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.
I still get the following error in Cloud Build when I do firebase deploy:
Error: HTTP Error: 403, The caller does not have permission
What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.
Everything is in the same Google Cloud project.
Anyone know how to troubleshoot this? Or know which role/permission is missing?
For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:
Artifact Registry Administrator
Cloud Build Service Account
Cloud Datastore Index Admin
Cloud Functions Admin
Cloud RuntimeConfig Admin
Cloud Scheduler Admin
Firebase Hosting Admin
Firebase Rules Admin
Pub/Sub Admin
Service Account User
tl;dr seems like it was "an accidental permission expansion" that has been corrected.
I am able restrict the roles to:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I'm trying to create a schedule Cloud Function exporting my Firestore database to create backups. The code is running fine when serving on my local machine (which uses my personal user account with owner role) but failes once deployed. I already found out that I need to add the 'Storage Admin' and 'Datastore Import Export Admin' to the service account used when running the cloud function, but I can't figure out which service account is used for the functions.
Does anyone know which service account is used?
Firebase Cloud Functions use the {project-id}#appspot.gserviceaccount.com service account (App Engine default service account). Roles and permissions added to this service account carry over to the Cloud Functions runtime.
Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.
You can specify a custom service account with the runWith() method if you prefer not to use the default one nowadays. It accepts a number of RuntimeOptions that can be defined.
I've to create a json returning api hosted on aws(aws is must can't use Firebase cloud Functions).
User who have logged in on webapp can only access api.
I've found Serverless Api with Aws Api Gateway + DynamoDB which doesn't use Aws Lambda Functions.
Access can be limited using AWS Cognito which isn't free!
FirebaseAuth is free! . So my question is how do I use firebase auth to limit access to above api?
This article Firebase authentication vs AWS Cognito might be of some help.
You need to set up a custom authorizer:
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
https://blog.novoda.com/custom-authentication-with-amazon-cognito-and-firebase/