Access property of secret without saving it to a variable first? - serverless-framework

I do this to use a secret:
newRelicLicenseSecret: ${ssm:/aws/reference/secretsmanager/NEW_RELIC_LICENSE_KEY~true}
newRelic:
  accountId: ${self:custom.newRelicLicenseSecret.NrAccountId}
Is there some syntax that would allow me to access NrAccountId in newRelic.accountId without having to declare newRelicLicenseSecret first?

Related

Airflow Password Variable

I have an Airflow variable named mysql_password and set its value, which is shown as **** after saving. When I try to access it using Variable.get, it still returns the **** value instead of the actual password. I read that if the variable name contains the keyword 'password', it will be encrypted. But it does not seem to work this way. Is there any method for reading the value of this encrypted variable?

Automatically choose Auth0 DB Connection according to user's email address

I already read the published multi-tenancy guide, and I believe the solution I require for my app would be to create a separate DB Connection for each organization that I sign up.
My issue is that, since I'm going to be setting the connection parameter to a different name per client, I would like Universal Login to automatically determine the DB Connection name from the user's email address. So, instead of the user manually providing some kind of hint about which DB Connection I should authenticate them against, I would like to determine that automatically somehow.
Is there any way to do this?
I am assuming that you are using the hosted login page. The easiest way to determine the connection based on the client would be to pass the connection parameter when redirecting to the /authorize endpoint. Lock will then use the connection parameter passed in the URL as the connection to validate the user against. For example:
https://[tenant]/authorize?
client_id=K8B5DJdStcZtUzbhaxAOzCrXNbo2kmXG&
response_type=token%20id_token&
redirect_uri=http://application_url&
scope=openid%20profile%20email%20&
connection=connection_name&state=123&nonce=345
Both auth0.js and auth0-spa-js can be used to pass the extra parameter (connection).
A second approach would be to use the connectionResolver option if you are using Hosted Login Page + Lock.
connectionResolver {Function}: When in use, provides an extensibility point to make it possible to choose which connection to use based on the username information. Has username, context, and callback as parameters. The callback expects an object like: {type: 'database', name: 'connection name'}.
var options = {
  connectionResolver: function (username, context, cb) {
    var domain = username.includes('#') && username.split('#')[1];
    if (domain) {
      // If the username is test#auth0.com, the connection used will be the `auth0.com` connection.
      // Make sure you have a database connection with the name `auth0.com`.
      cb({ type: 'database', name: domain });
    } else {
      // Use the default approach to figure out the connection
      cb(null);
    }
  }
};
Instead of the username, you can take advantage of the context object to identify the client (context.clientID) and choose the connection.
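The question asked for a resolver keyed on the user's e-mail address rather than a '#' hint. The following is an added example, not code from the answer above or from Auth0: a connectionResolver with Lock's (username, context, cb) signature that maps the e-mail domain to a connection name, falls back to context.clientID, and otherwise lets Lock use its default. The domain and client maps are constructed sample data.

```javascript
// Constructed sample data: which database connection each tenant's e-mail domain uses.
const CONNECTIONS_BY_DOMAIN = {
  'acme.example': 'acme-users',
  'globex.example': 'globex-users',
};
// Constructed sample data: fallback mapping from Auth0 client ID to connection.
const CONNECTIONS_BY_CLIENT = {
  'client_for_acme': 'acme-users',
};

// Own-property lookup so a crafted domain such as "constructor" or "__proto__"
// cannot hit Object.prototype members and be returned as a "connection name".
function lookup(map, key) {
  return Object.prototype.hasOwnProperty.call(map, key) ? map[key] : null;
}

// Returns the lower-cased domain part of an e-mail address, or null if the
// username is not shaped like an e-mail address.
function emailDomain(username) {
  if (typeof username !== 'string') return null;
  const at = username.lastIndexOf('@');
  if (at <= 0 || at === username.length - 1) return null;
  return username.slice(at + 1).trim().toLowerCase();
}

// Same signature Lock expects for the connectionResolver option.
function connectionResolver(username, context, cb) {
  const byDomain = lookup(CONNECTIONS_BY_DOMAIN, emailDomain(username));
  if (byDomain) return cb({ type: 'database', name: byDomain });

  const clientId = context && context.clientID;
  const byClient = clientId ? lookup(CONNECTIONS_BY_CLIENT, clientId) : null;
  if (byClient) return cb({ type: 'database', name: byClient });

  return cb(null); // let Lock fall back to its default connection choice
}

// Runs the resolver synchronously and returns whatever it handed to cb.
function resolve(username, context) {
  let result;
  connectionResolver(username, context, (r) => { result = r; });
  return result;
}

const lockOptions = { connectionResolver };
```

lockOptions is what would be passed to the Lock constructor on the hosted login page; resolve() only exists so the behaviour can be exercised without Lock.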

How and what should I pass in order to get a value for ${cognito-identity.amazonaws.com:aud} in the IAM role?

What I have done so far is:
I have signed in a user with Cognito Identity; in return I get a 'session token' which contains 'aud' inside it. But when I pass the token through headers, it's not recognized. It sends back this error:
message: 'User: arn:aws:sts::4954355577:assumed-role/multi-test-application-dev-us-east-1-lambdaRole/multi-test-application-dev-list is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:4954355577:table/tenantTable',
Or is this the wrong way? If it is wrong, what and how should I pass the data in order to get aud inside the IAM role for ${cognito-identity.amazonaws.com:aud}?
We cannot pass the aud as a global variable or an env variable. Once we get the credentials from an identity pool (the secret token, access key ID, and session token), we need to create the DynamoDB instance using these credentials. So whenever we use DynamoDB, the aud will be set to the identity pool ID.

JwtBearer Auth with Azure key vault

I wanted to use Azure Key Vault to store the key which will be used to create the signature for JWT tokens generated by my API.
For JWT token authentication I use Microsoft.AspNet.Authentication.JwtBearer, and I configured it like this:
app.UseJwtBearerAuthentication(options =>
{
    options.TokenValidationParameters.IssuerSigningKey = this.tokenAuthKey;
    options.TokenValidationParameters.ValidAudience = this.tokenOptions.Audience;
    options.TokenValidationParameters.ValidIssuer = this.tokenOptions.Issuer;
    options.TokenValidationParameters.ValidateSignature = true;
    options.TokenValidationParameters.ValidateLifetime = false;
    options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(0);
});
So, as you see, this configuration requires providing the full key, including the private part (IssuerSigningKey property). It works fine when my key is stored unprotected in an XML file somewhere in the file system and I'm just loading it during application startup. However, there is a problem when I try to store my key in Azure Key Vault (AKV). Since AKV only allows withdrawing the public part of the key, I'm struggling to make it all work together.
I found out that the TokenValidationParameters class has a delegate property that I can use to provide my own validator method, which would use the AKV encrypt/decrypt methods to determine if the signature is valid.
The problem is that I can't determine how to specify my own method that would generate the signature part of the JWT token, so that the configuration of Microsoft.AspNet.Authentication.JwtBearer won't need the private key.
My question is: is it possible somehow to specify my own method that creates the signature for the generated JWT token, either in the JwtBearer configuration or during creation of the token using JwtSecurityTokenHandler.CreateToken?

What is available for Roundhouse Token Replacement?

We're using Roundhouse to deploy our databases and keep versions for SQL Server (2008+).
I have a script which grants permissions and needs to have a username passed in. I know there is support for token replacement in Roundhouse, but the only token I've seen mentioned is {{database}}.
What built-in tokens are available?
Can users define their own tokens? If so, how?
At this time, ONLY the items in the configuration: https://github.com/chucknorris/roundhouse/wiki/ConfigurationOptions
Note the full name of the option when using token replacement:
-d, --db, --database, --databasename=VALUE | REQUIRED: DatabaseName - The database you want to create/migrate.
-c, --cs, --connstring, --connectionstring=VALUE | REQUIRED: ConnectionString - As an alternative to ServerName and Database - You can provide an entire connection string instead.
It's the bolded name, e.g. "{{DatabaseName}}" or "{{ConnectionString}}" from the examples above.