Google Appengine Standard Endpoints V2 with Auth0 security - google-cloud-endpoints

I am trying to use Google Endpoints v2 in Python with Auth0 on App Engine standard, but if I follow the documentation my endpoints are open to the whole public.
I have tried the following options, with the following results:
1st option:
In my endpoints class:
@endpoints.api(name='ganadero', version='v1', api_key_required=True,
               audiences={'auth0_jwk': ['ganadero-api.endpoints.XXXX.appspot.com', 'https://YYYYY.es', 'https://ZZZZZ.eu.auth0.com/api/v2/']},
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
I compiled with the following command:
python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com
My ganaderov1openapi.json is the following:
    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        },
        "security": [
          {
            "api_key": [],
            "auth0_jwk": []
          }
        ],
        "x-security": [
          {
            "auth0_jwk": {
              "audiences": [
                "ganadero-api.endpoints.XXXXX.appspot.com",
                "https://YYYYY.es",
                "https://ZZZZZ.eu.auth0.com/api/v2/"
              ]
            }
          }
        ]
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "api_key": {
      "in": "query",
      "name": "key",
      "type": "apiKey"
    },
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}
Next, I use the following command:
gcloud service-management deploy ganaderov1openapi.json
Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:c1195c3a-9a3f-4c0d-86fa-21f40a8a647e to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:c1195c3a-9a3f-4c0d-86fa-21f40a8a647e
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r2 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r2
Service Configuration [2017-08-27r2] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]
To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707
Next, I use:
gcloud app deploy -v endpoint
Now my endpoints are deployed. But the problem is that I always have to use the API key in the URL. The documentation says that I can use “x-api-key” in the header, but that does not work. Also, I must send the Auth0 access_token in the header in this form:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFqbEdNVVEzTkRCR09FUkJPRGxCUTBSR1JUZzJPVUl4UkRjeU0wRXpRVFUwTUVReVEwRkVSQSJ9.eyJpc3MiOiJodHRwczovL3NlcmVuby5ldS5hdXRoMC5jb20vIiwic3ViIjoiWDdDR1dPbkpSczg4ZFdRbjV0eUZtdjVodk5BQ1d6TTNAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZ2FuYWRlcm8uZXMiLCJleHAiOjE1MDM4MzMzMjIsImlhdCI6MTUwMzc0NjkyMiwic2NvcGUiOiIifQ.k0rnc58YfLfAxjQJ7T22jViVAL0-CPqAmOTYSVKUtzDGTvmhrMqLXYYQb35nEsr3uGDfnkUL4O1g3pQkamdKIzz1gstcl_NaizchwtUfl0Wr60_MAP4PH1yyqb5aH7Jn6gBvJPb-aFDCulkHhCq9OjWg9-qLgyO4hd1_F-U4Jq3SMSDrCVyrsZcjJiwhgUmAWmqIuy_fiKCS3CJHF_rnTL3ZIYxfvzPasVzLPPM93vD5mZR8sEhuN1l0AHGprcp4gf0nuLHcMK8ZbYXvcmJyelbIRkGkrLZJFZTUlWKh-4N3nKoZDUVR4JFwTlOXCR8coTTa7JctxZNU9_NqeIeRfg
But it is not necessary if I put &key=AIzasd0Z4t-8GasfasdfXDqrcKIki6CIog in the URL. If I only add Authorization: Bearer “access-token” in the header, or add x-api-key “API-KEY”, or add both, the following error always appears:
401 Method does not allow callers without established identity. Please use an API key or other form of API consumer identity to call this API.
Only the following form works:
https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904&key=AIzaSyD0Z4t-V8as345bzLLz2XDqrcKIki6CIog
2nd option:
In my endpoints class:
@endpoints.api(name='ganadero', version='v1',
               audiences={'auth0_jwk': ['ganadero-api.endpoints.XXXX.appspot.com', 'https://YYYYY.es', 'https://ZZZZZ.eu.auth0.com/api/v2/']},
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
I compiled with the following command:
python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com
My ganaderov1openapi.json is the following:
    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        },
        "security": [
          {
            "auth0_jwk": []
          }
        ],
        "x-security": [
          {
            "auth0_jwk": {
              "audiences": [
                "https://YYYYY.es",
                "https://ZZZZZ.eu.auth0.com/api/v2/"
              ]
            }
          }
        ]
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}
Next, I use the following command:
gcloud service-management deploy ganaderov1openapi.json
Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:b669eef3-97a3-430a-aacc-4a721ebc0db2 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:b669eef3-97a3-430a-aacc-4a721ebc0db2
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'put' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/animales': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/compraVenta': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/compraventa': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/documentos': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/explotacion': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/usuario': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/ususarios': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r1 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r1
Service Configuration [2017-08-27r1] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]
To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707
Next, I use:
gcloud app deploy -v endpoint
Now my endpoints are deployed and open to everybody. You can access them freely. There is no security on them.
https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904
3rd option:
In my endpoints class:
@endpoints.api(name='ganadero', version='v1',
               issuers={'auth0_jwk': endpoints.Issuer('https://ZZZZZ.eu.auth0.com',
                                                      'https://ZZZZZ.eu.auth0.com/.well-known/jwks.json')})
class GanaderoAPI(remote.Service):
I compiled with the following command:
python lib/endpoints/endpointscfg.py get_openapi_spec main.GanaderoAPI --hostname ganadero-api.endpoints.XXXX.appspot.com
My openapi.json is the following:
    "/ganadero/v1/ganadero/ususarios": {
      "get": {
        "operationId": "GanaderoAPI_obtenerExplotaciones",
        "parameters": [
          {
            "format": "int64",
            "in": "query",
            "name": "identificador",
            "type": "string"
          },
          {
            "in": "query",
            "name": "nombre",
            "type": "string"
          },
          {
            "in": "query",
            "name": "email",
            "type": "string"
          },
          {
            "in": "query",
            "name": "metadatoEmail",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "A successful response",
            "schema": {
              "$ref": "#/definitions/MainMensajeUsuario"
            }
          }
        }
      }
    }
  },
  "produces": [
    "application/json"
  ],
  "schemes": [
    "http"
  ],
  "securityDefinitions": {
    "auth0_jwk": {
      "authorizationUrl": "",
      "flow": "implicit",
      "type": "oauth2",
      "x-google-issuer": "https://ZZZZZ.eu.auth0.com",
      "x-google-jwks_uri": "https://ZZZZZ.eu.auth0.com/.well-known/jwks.json"
    }
  },
  "swagger": "2.0"
}
Next, I use the following command:
gcloud service-management deploy ganaderov1openapi.json
Waiting for async operation operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:66091d01-910d-485d-af58-1a68a2dd2321 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/serviceConfigs.ganadero-api.endpoints.XXXXX.appspot.com:66091d01-910d-485d-af58-1a68a2dd2321
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'put' in path '/ganadero/v1/ganadero/animal': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/animales': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/compraVenta': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/compraventa': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'delete' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/documento': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/documentos': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/explotacion': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'post' in path '/ganadero/v1/ganadero/usuario': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
WARNING: ganaderov1openapi.json: Operation 'get' in path '/ganadero/v1/ganadero/ususarios': Operation does not require an API key; callers may invoke the method without specifying an associated API-consuming project. To enable API key all the SecurityRequirement Objects (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object) inside security definition must reference at least one SecurityDefinition of type : 'apiKey'.
Waiting for async operation operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r3 to complete...
Operation finished successfully. The following command can describe the Operation details:
gcloud service-management operations describe operations/rollouts.ganadero-api.endpoints.XXXXX.appspot.com:2017-08-27r3
Service Configuration [2017-08-27r3] uploaded for service [ganadero-api.endpoints.XXXXX.appspot.com]
To manage your API, go to: https://console.cloud.google.com/endpoints/api/ganadero-api.endpoints.XXXXX.appspot.com/overview?project=ganadero-146707
Next, I use:
gcloud app deploy -v endpoint
Now my endpoints are deployed and open to everybody. You can access them freely. There is no security on them.
https://XXXX/_ah/api/ganadero/v1/ganadero/documentos?idExplotacion=5668600916475904

Specifying audiences and issuers controls what kind of authorization the framework will consider valid. However, it does not by itself require that a valid authorization exists.
The Endpoints framework docs have three steps for Auth0; the third step is to check the result of endpoints.get_current_user() in every method where you want to enforce authentication.
This is not exactly ideal, but this is the way things are right now.
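Added example (not code from the question or from the Endpoints docs) of the enforcement step the answer describes: a decorator that raises endpoints.UnauthorizedException whenever endpoints.get_current_user() returns None, so an anonymous call gets a 401 instead of the data. The GanaderoAPI stand-in, the `get_user` injection parameter and the fallback classes used when the endpoints package is not installed are constructed for this example.

```python
import functools

try:
    import endpoints  # Endpoints Frameworks v2 on App Engine standard (Python)
    UnauthorizedException = endpoints.UnauthorizedException
    current_user = endpoints.get_current_user
except ImportError:
    # Constructed stand-ins so the example also runs outside App Engine.
    class UnauthorizedException(Exception):
        """Endpoints turns this exception into an HTTP 401 response."""
        http_status = 401

    def current_user():
        return None  # no framework present, so no established identity


def require_auth(get_user=None):
    """Enforce authentication on an Endpoints method.

    issuers/audiences in @endpoints.api only tell the framework which JWTs it
    should accept; they do not reject requests that carry none. The framework
    publishes its verdict through endpoints.get_current_user(), which is None
    when no valid bearer token was presented, so each protected method has to
    check it. The hypothetical `get_user` parameter is an injection point for
    tests; production code leaves it unset.
    """
    lookup = get_user or current_user

    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, request):
            user = lookup()
            if user is None:
                # Rejecting here yields a 401 rather than the 200 an anonymous caller got.
                raise UnauthorizedException('A valid Auth0 bearer token is required.')
            return method(self, request, user)
        return wrapper
    return decorator


class GanaderoAPI(object):
    """Stand-in for the page's remote.Service subclass. In the real service the
    class carries @endpoints.api(...) and each method @endpoints.method(...),
    placed outside @require_auth so the framework still sees (self, request)."""

    @require_auth()
    def obtener_explotaciones(self, request, user):
        # Reached only with an established identity; `user` is whatever
        # get_current_user() returned (a users.User object in Endpoints).
        return {'owner': user.email(), 'explotaciones': []}


def demo():
    """Exercise both outcomes offline with injected identity sources.
    Returns (http_status_without_token, owner_email_with_token)."""
    class FakeUser(object):  # constructed stand-in for users.User
        def email(self):
            return 'alice@example.com'

    class Service(object):
        @require_auth(get_user=lambda: None)
        def denied(self, request, user):
            return user

        @require_auth(get_user=FakeUser)
        def allowed(self, request, user):
            return user.email()

    svc = Service()
    try:
        svc.denied(None)
        status = 200
    except UnauthorizedException as exc:
        status = exc.http_status
    return status, svc.allowed(None)
```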

Related

How to test pact with null data

I am aware that Pact expects the provider data to be under our control, but I am facing the following situation.
I have Pact contracts for multiple consumers; all have some mandatory attributes and some optional attributes, but the business logic suppresses all attributes that have a null value. According to the contract, I would still need that value present as null.
What should I do about it?
Edit 1:
i.e. let's say my contract looks like this.
The consumer sends a request with these params:
{ "method": "GET", "path": "/pathOfApi", "headers": { "accept": "json" } }
The provider responds with this data:
{
  "Status": 200,
  "body": [
    {
      "country": "string",
      "countryId": "string",
      "postalcode": "string",
      "addressLine1": "string",
      "addressLine2": "string",
      "customerName": "string",
      "customerId": "string"
    }
  ]
}
Now, not all customers have address line 2. In production, if addressLine2 is null it won't be present in the output of the API, but for our contract the field should be present with null.
If your provider does not return a field, but the consumer is expecting null, then either the consumer needs to change their expectation (because it's incorrect) or the provider should update its implementation to return null values.
Just because a consumer asks for something doesn't mean you need to do it!
If in some instances the field is present and other it is not, you need to write two tests to cover each case. I'd suggest covering one case with all of the fields, and another with the minimum set of fields (see https://docs.pact.io/faq/#why-is-there-no-support-for-specifying-optional-attributes).

How to configure dynamodb-to-lambda trigger using amplify framework/cli

The Amplify docs here say that we can configure a Lambda function as a DynamoDB trigger by running amplify add function and selecting the "Lambda Trigger" option, but when I run "amplify add api" (selected Python as the runtime language) I am not getting the Lambda Trigger option; I'm only getting the "Serverless function" and "Lambda layer" options.
Please help me to resolve this issue so I can access the feature.
docs snapshot - showing 4 options
my CLI snapshot - showing only 2 options
I know it works for nodejs runtime lambda, but I want this option for Python Lambda as well.
I just followed these steps with Amplify CLI version 4.50.2.
To create a lambda function that is triggered by changes to a DynamoDB table, you can use the following command line actions, which are walked-through inside of the CLI after entering the below command:
amplify add function
Select which capability you want to add:
❯ Lambda function (serverless function)
Provide an AWS Lambda function name:
<YourFunctionsName>
Choose the runtime that you want to use:
> NodeJS # IMPORTANT: Must be NodeJS as of now, you can change this later by manually editing ...-cloudformation-template.json file inside function directory
Choose the function template you want to use
> Lambda Trigger
What event source do you want to associate with the lambda trigger
> Amazon DynamoDB Stream
Choose a DynamoDB event source option
> Use API category graphql @model backend DynamoDB table(s) in the current Amplify project
Choose the graphql @model(s)
<Select any models (using spacebar) you want to trigger the function after editing>
Do you want to trigger advanced settings
Y # IMPORTANT: If you are using a dynamodb event source based on a table defined by graphql schema, you will need to give this function read access to the api resource that contains the graphql schema that defines the table that drives the event
Do you want to access other resources in this project from your Lambda function?
y # See above, select your api that contains the data model and make sure that the function has at least read access.
After this, the other options (layer, call scheduling) are up to you.
After creating the function via the above CLI options, you can change the "Runtime" field inside the -cloudformation-template.json file in the function directory, e.g. if you want a Python Lambda function change the runtime to "python3.8". You will also need to create a file called index.py inside your function's directory which has a handler(event, context) function. See the example below:
import json

def handler(event, context):
    print("Triggered via DynamoDB")
    print(event)
    return json.dumps({'status_code': 200, "message": "Received from DynamoDB"})
After making these edits, you can run amplify push and, if you open your function in the management console online, it should show an attached DynamoDB stream.
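As an added example (not from the answer above) of what the index.py handler can do with the event Amplify wires up: it walks event['Records'], converts the DynamoDB AttributeValue encoding of each image into plain Python values, and handles REMOVE records, which carry no NewImage. The sample event, the table name and the attribute names are constructed for this example.

```python
from decimal import Decimal

# Constructed sample event in the shape Lambda receives from a DynamoDB stream
# with StreamViewType NEW_AND_OLD_IMAGES. Values are hypothetical.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventID": "1",
            "eventName": "INSERT",
            "dynamodb": {
                "Keys": {"id": {"S": "p-1"}},
                "NewImage": {
                    "id": {"S": "p-1"},
                    "amount": {"N": "19.99"},
                    "tags": {"L": [{"S": "feed"}, {"S": "cattle"}]},
                    "paid": {"BOOL": False},
                },
                "StreamViewType": "NEW_AND_OLD_IMAGES",
            },
        },
        {
            "eventID": "2",
            "eventName": "REMOVE",
            "dynamodb": {
                "Keys": {"id": {"S": "p-0"}},
                "OldImage": {"id": {"S": "p-0"}, "amount": {"N": "5"}},
                "StreamViewType": "NEW_AND_OLD_IMAGES",
            },
        },
    ]
}


def from_dynamodb(av):
    """Convert one DynamoDB AttributeValue, e.g. {"N": "5"} or {"M": {...}},
    into the corresponding Python value (numbers become Decimal)."""
    (kind, value), = av.items()
    if kind in ("S", "BOOL"):
        return value
    if kind == "N":
        return Decimal(value)
    if kind == "NULL":
        return None
    if kind == "L":
        return [from_dynamodb(v) for v in value]
    if kind == "M":
        return {k: from_dynamodb(v) for k, v in value.items()}
    if kind == "SS":
        return set(value)
    if kind == "NS":
        return {Decimal(v) for v in value}
    raise ValueError("unsupported attribute type: %s" % kind)


def handler(event, context):
    """Lambda entry point for index.py. Returns one summary per stream record
    so the result can be inspected; a real handler would act on them instead."""
    summaries = []
    for record in event.get("Records", []):
        change = record["dynamodb"]
        # REMOVE records have no NewImage; fall back to OldImage, then to Keys.
        image = change.get("NewImage") or change.get("OldImage") or change["Keys"]
        summaries.append({
            "event": record["eventName"],
            "key": {k: from_dynamodb(v) for k, v in change["Keys"].items()},
            "item": {k: from_dynamodb(v) for k, v in image.items()},
        })
    return summaries
```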
It doesn't appear to be available anymore in the CLI codebase - see Supported-service.json, which was deleted and replaced by supported-services.ts:
https://github.com/aws-amplify/amplify-cli/commit/607ae21287941805f44ea8a9b78dd12d16d71f85#diff-a0fd8c5607fd81977cb4745b9af3af2c6649ded748991bf9968a7d782b000c6b
https://github.com/aws-amplify/amplify-cli/commits/4e974007d95c894ab4108a2dff8d5996e7e3ce25/packages/amplify-category-function/src/provider-utils/supported-services.ts
Select nodejs and you will be able to see the Lambda Trigger option.
Just add the following to {YOUR_FUNCTION_NAME}-cloudformation-template.json; remember to replace (YOUR_TABLE_NAME) with your table name.
"LambdaTriggerPolicyPurchase": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "amplify-lambda-execution-policy-Purchase",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:DescribeStream",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:ListStreams"
          ],
          "Resource": {
            "Fn::ImportValue": {
              "Fn::Sub": "${apilanguageGraphQLAPIIdOutput}:GetAtt:(YOUR_TABLE_NAME):StreamArn"
            }
          }
        }
      ]
    }
  }
},
"LambdaEventSourceMappingPurchase": {
  "Type": "AWS::Lambda::EventSourceMapping",
  "DependsOn": [
    "LambdaTriggerPolicyPurchase",
    "LambdaExecutionRole"
  ],
  "Properties": {
    "BatchSize": 100,
    "Enabled": true,
    "EventSourceArn": {
      "Fn::ImportValue": {
        "Fn::Sub": "${apilanguageGraphQLAPIIdOutput}:GetAtt:(YOUR_TABLE_NAME):StreamArn"
      }
    },
    "FunctionName": {
      "Fn::GetAtt": [
        "LambdaFunction",
        "Arn"
      ]
    },
    "StartingPosition": "LATEST"
  }
},
I got them by creating a dummy function using the template that shows up after you choose nodejs and comparing its -cloudformation-template.json with my own function's.

Unable to update IAM policy in AI Platform Notebooks

I can't update IAM policy in my AI Platform Notebook.
I created a new AI Platform Notebooks instance:
gcloud beta notebooks instances create nb1 \
    --vm-image-project=deeplearning-platform-release \
    --vm-image-family=tf-latest-cpu \
    --machine-type=n1-standard-4 \
    --location=us-west1-b
When I try to apply a new IAM policy I get an Error:
gcloud beta notebooks instances set-iam-policy nb1 --location=us-west1-b notebooks.policy
ERROR: (gcloud.beta.notebooks.instances.set-iam-policy) INTERNAL: An
internal error has occurred (506011f7-b62e-4308-9bde-10b97dd7b99c)
My policy looks like this:
{
  "bindings": [
    {
      "members": [
        "user:myuser@gmail.com"
      ],
      "role": "roles/notebooks.admin"
    }
  ],
  "etag": "BwWlgdvxWT0=",
  "version": 1
}
When I do a
gcloud beta notebooks instances get-iam-policy nb1 --location=us-west1-b --format=json
I get:
ACAB
as there is no policy set.
Please take a look at the etag field:
An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.
From the documentation here:
string (bytes format)
etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy.
Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost.
A base64-encoded string.
You can just easily change your policy etag to ACAB, which is the default one.
{
  "bindings": [
    {
      "members": [
        "user:myuser@gmail.com"
      ],
      "role": "roles/notebooks.admin"
    }
  ],
  "etag": "ACAB",
  "version": 1
}
Or you can use the add-iam-policy-binding command to create a new policy, then extract the etag using get-iam-policy and update your JSON file with it, and finally run set-iam-policy.
You may also use this format:
{
  "policy": {
    "bindings": [
      {
        "members": [
          "user:myuser@gmail.com"
        ],
        "role": "roles/notebooks.admin"
      }
    ],
    "etag": "ACAB",
    "version": 1
  }
}

GAE endpoints generates wrong discovery doc

I have upgraded to the latest Cloud Endpoints 2.0 as well as the endpoints_proto_datastore to its latest commit. When I now try to generate the API discovery doc I get the following error messages:
Method user.update specifies path parameters but you are not using a ResourceContainer This will fail in future releases; please switch to using ResourceContainer as soon as possible
Method position.update specifies path parameters but you are not using a ResourceContainer This will fail in future releases; please switch to using ResourceContainer as soon as possible
The only two available endpoints are the following two methods, which should update the User and the Position model:
@User.method(name='user.update', path='users/{id}', http_method='PUT')
def UserUpdate(self, user):
    """ Update a user resource. """
    user.put()
    return user

@Position.method(name='position.update', path='positions/{id}', http_method='PUT')
def PositionUpdate(self, position):
    """ Update a position resource. """
    position.put()
    return position
Before upgrading to Cloud Endpoints 2.0 everything worked fine. But now, if I take a look into the generated discovery file, both endpoints have a ProtorpcMessagesCombinedContainer in their request. But the combined container itself is defined with the properties of the Position model!
This is how both methods' request attribute is defined:
"request": {
  "$ref": "ProtorpcMessagesCombinedContainer",
  "parameterName": "resource"
},
And this is the definition of the combined container (which has the properties of the Position model):
"ProtorpcMessagesCombinedContainer": {
  "id": "ProtorpcMessagesCombinedContainer",
  "type": "object",
  "properties": {
    "displayName": {
      "type": "string"
    },
    "shortName": {
      "type": "string"
    }
  }
},
Has anyone else had this issue with GAE and Cloud Endpoints 2.0?
What am I doing wrong? Usually the endpoints-proto-datastore should handle the ResourceContainer and the method's path parameters. Also, the endpoints-proto-datastore hasn't been updated for years ... I really don't know where the error comes from.
Thanks for your help!

Is it insecure to just validate with SimpleSchema, and not use allow/deny rules?

I am using SimpleSchema (the node-simpl-schema package) in an isomorphic way. Validation messages show up on the client as well as from the meteor shell.
My question is whether or not this setup is actually secure, and if I need to also write allow/deny rules.
For example:
SimpleSchema.setDefaultMessages
  messages:
    en:
      "missing_user": "cant create a message with no author"

MessagesSchema = new SimpleSchema({
  content: {
    type: String,
    label: "Message",
    max: 200,
  },
  author_id: {
    type: String,
    autoform:
      defaultValue: ->
        Meteor.userId()
    custom: ->
      if !Meteor.users.findOne(_id: @obj.author_id)
        "missing_user"
  },
  room_id: {
    type: String,
  }
}, {tracker: Tracker})
In the meteor shell I test it out and it works as intended.
> Messages.insert({content: "foo", author_id: "asd"})
/home/max/Desktop/project/meteor/two/.meteor/local/build/programs/server/packages/aldeed_collection2-core.js:501
throw error; // 440
^
Error: cant create a message with no author
Should I duplicate this validation logic in my allow/deny rules? Or can I let my allow function always return true, like I'm doing now?
I have some very simple rules that ensure the application is secure:
Do not use allow/deny rules - deny all client-side write requests.
If the client needs to write something in the database, they must do so through Meteor methods.
Ideally, the Meteor methods would call a function (which can be shared code, or server-specific code), and then check for the validity of the database modifier (using the Schema) would be done inside these functions.
Optionally, you can also create client-side methods, which would clean the object and carry out its own validation using the schema before calling the server-side method.
