I am using a API call to retrieve the plaintext instance identity document. Here, accountId is present.
response = response.get("http://169.254.169.254/latest/dynamic/instance-identity/document").text
I am using the above code in my python script. How can i get AWS userId by API call?
Not sure if this is what you are after, but get_caller_identity returns UserId and Accountid:
UserId (string) The unique identifier of the calling entity. The exact value depends on the type of entity that is making the call. The
values returned are those listed in the aws:userid column in the
Principal table found on the Policy Variables reference page in the
IAM User Guide .
Account (string) The AWS account ID number of the account that owns or contains the calling entity.
Arn (string) The AWS ARN associated with the calling entity.
Example output is (from docs):
'Account': '123456789012',
'Arn': 'arn:aws:iam::123456789012:user/Alice',
'UserId': 'AKIAI44QH8DHBEXAMPLE'
Related
I am trying to create an Express API with JWT authentication.
However, I was wondering how to best allow users to only access their own resources.
For example if there is a user with id 1 and each user has a list of books in the database:
The id is already part of the JWT Token but commonly there would be a request to something like /users/1/books to get all of the books belonging to user 1.
Would my routes typically still look like this and I would just check the id in the token is the same the request is made for, or is there any other/simpler way?
Thank you for your help!
You can define, some access rights permissions base on the user role or id.
Example: roles : {root, admin, staff}
Then, in your routes you can have some checking whether this user have the permission to access the functions or you can do in the controller level to check the access rights.
You need to define model relations between User, UserModel. In your case as I understand you need to have the relations between UserModel and BooksModels.
UserModel hasMany BooksModel
When you call findOne() to retrieve specific user's data, you can just define include: 'aliasModelName', to retrieve the users related book data.
With this way, you can only have 1endpoint users/:id to retrieve users data and book data. It depends on what you really want, you can also have an endpoint users/:id/books to get all books that belongs to this user.
Your model definition will then become
BooksModel belongsTo UserModel
If you use hasMany you can get all the results that you need in just one query.
Hope this helps!
When user sends the login credentials, you check database if the email exists, if yes then you check if the password matches. If user successfully signins you create the token.
const token = jwt.sign({ _id: user._id, email: user.email }, "this-is-secret", {
expiresIn: "1h",
});
this token is sent to the browser, whenever user make requests, it manually attachs this token to the req, and sends the request to your server. You check if the token is valid, by using the secret key (in this case "this-is-secret").
const decodedToken = jwt.verify(token, "this-is-secret")
req.userId = decodedToken.userId;
now "userId" is attached to the req object. Now when you fetch the data from database, the items that you are fetching, you write a query that (implementation depends on which database you are using)
book.userId=req.userId
the below URLs I have been using for google sign in my website.
log in URL
https://accounts.google.com/o/oauth2/auth?scope='.urlencode('https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email') . '&redirect_uri=' . urlencode(CLIENT_REDIRECT_URL) . '&response_type=code&client_id=' . CLIENT_ID . '&access_type=online
access token URL
https://accounts.google.com/o/oauth2/token
UserInfo endpoint URL(new URL)
https://www.googleapis.com/oauth2/v2/userinfo (returns null values)
Google+ endpoint URL that I'm currently using
https://www.googleapis.com/plus/v1/people/me (returns email, names, etc)
I want to get user name & email to save in my DB.
how can I get name & email with UserInfo endpoint URL which I have mentioned above?
UPDATED:
I've changed my userinfo endpoint as 'https://www.googleapis.com/plus/v1/people/me' and now it's working well
Based on the sample code you linked to, there are at least a couple of changes you need to make or try.
The first is that you may need to request different scopes, since the scopes determine what will be returned. That code relies on scopes that will be invalid or no longer suggested. The scopes you should be using to get the profile and email are:
openid
profile
email
(The longer scope names you use should also work, but you may want to try these simpler ones as well.)
So the login_url in step 2 might look more like this:
$login_url = 'https://accounts.google.com/o/oauth2/v2/auth?scope=' . urlencode('openid profile email') . '&redirect_uri=' . urlencode(CLIENT_REDIRECT_URL) . '&response_type=code&client_id=' . CLIENT_ID . '&access_type=online';
Although the userinfo v2 endpoint is still semi-maintained, it has been deprecated.
Instead, try one of the following:
The userinfo v3 endpoint at https://www.googleapis.com/oauth2/v3/userinfo
Get the discovery document at https://accounts.google.com/.well-known/openid-configuration and using the url associated with the userinfo_endpoint value.
There are still some things to pay attention to, however:
Not all the data may be available. If the user has not set some profile information, the API can't provide it.
The fields will not be the same as in the Plus endpoint. So while the data may be there, it may be in a different location in the object returned.
access token URL https://www.googleapis.com/oauth2/v2/userinfo (returns null values)
You should provide valid credentials to get a response from these openid endpoint
either by Authorization header or QueryParams; for instance:
https://www.googleapis.com/oauth2/v2/userinfo?access_token=FOO_BAR...
Either access_token, id_token, or token_handle
also applies to v3 (https://www.googleapis.com/oauth2/v3/userinfo)
What I have done so far is-
I have signed in user with Cognito identity, in return i get a 'session token' which contains 'aud' inside it. But while I pass token through headers, it's not recognizing. Its send back error,
message: 'User: arn:aws:sts::4954355577:assumed-role/multi-test-application-dev-us-east-1-lambdaRole/multi-test-application-dev-list is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:4954355577:table/tenantTable',
Or Is this a wrong way? So if its wrong, What and How should I pass the data in order to get aud inside the IAM role for ${cognito-identity.amazonaws.com:aud}?
We cannot pass the aud as a global variable or an env variable. Once we get the credentials from an identity pool, which is the secret token, access key id, and session token. We need to create dynamodb instance using these credentials. So whenever we use dynamodb, the aud will be set as identity pool id.
How to delete a user from a role or disable the user from that particular role in JasperReports Server? But I need the role in the main tenant. It should only be removed from the role (Group)
What I am doing now is a goof up like:
Method: DELETE
URL: http://localhost:8080/reportservice/rest/user/username|TenantID
Payload:
<user>
<tenantId>tenantID</tenantId>
<username>{username}</username>
<emailAddress>{emailAddress}</emailAddress>
<enabled>false</enabled>
<externallyDefined>true</externallyDefined>
<fullName>{fullName}</fullName>
<roles>
<externallyDefined>false</externallyDefined>
<roleName>ROLE_USER</roleName>
</roles>
</user>
From the REST API Reference Manual (6.3.0):
To modify the properties of a user account, put all desired information in a user descriptor, and include it in a
PUT request to the users service, with the existing user ID (username) specified in the URL.
In the community edition of the server, or commercial editions without organizations, use the first form of
the URL.
In commercial editions with organizations, use the second URL to specify the user’s organization. When
specifying the organization, use its unique ID, not its path. When logged in as the system admin
(superuser), use the first URL to modify users of the root organization.
To modify a user, the user ID in the URL must already exist on the server or in the organization. If the user ID
doesn’t exist, a user account will be created, as described in 21.3, “Creating a User,” on page 155.
Method: PUT
URL:
http://:/jasperserver[-pro]/rest_v2/users/userID
http://:/jasperserver[-pro]/rest_v2/organizations/orgID/users/userID
Content-Type:
application/xml
application/json
Content:
A user descriptor that includes the properties you want to change. Do not
specify the following properties:
username – Specified in the URL and cannot be modified in the descriptor.
tenantID – Specified in the URL and cannot be modified in the descriptor.
externallyDefined – Computed automatically by the server.
previousPasswordChangeTime – Computed automatically by the server.
Return Value on Success:
200 OK – The user properties were successfully
updated.
Typical Return Values on Failure:
404 Not Found – When the organization ID cannot be
resolved.
To add a role to the user, specify the entire list of roles with the desired role added. To remove a role from a
user, specify the entire list of roles with the desired role removed. The following example shows the descriptor
in JSON format:
{
"enabled":true,
"password":"newPassword",
"roles":[
{"name":"ROLE_USER"},
{"name":"ROLE_STOREMANAGER", "tenantId":"organization_1"}]
}
Here is the explanation for my error. I have registered two User's A, B in Eucalyptus (open-source). I Created a bucket B1 using Jets3t API in User A's Account and granted Read Permission To user B (Using "CanonicalGrantee" Interface). While Listing Access Control List Using A's Credentials i got FULL_CONTROL for A and READ For B. But When I tried to access Bucket B1 information using B's Credentials I got this error
Exception in thread "main" org.jets3t.service.S3ServiceException: The action listObjects cannot be performed with an invalid bucket: null
at org.jets3t.service.S3Service.listObjects(S3Service.java:1410)
at test.ObjectPermission.main(ObjectPermission.java:40)
problematic code is S3Bucket publicBucket =s3Service.getBucket("B1");
Here B1 is Bucket belongs User A. in the above code s3service returns a null Values . I know that s3service only retrieves the information belongs which are created under B' Credential.
I don't know how to resolve this and to access shared bucket using Jets3t API
The method you are using is search the bucket B1 of account A in the list of bucket of Account B. So always it does not found that bucket in the Account B and return null.
So you have to check it in another way. You can check it by doing head request for Bucket B1 for Account B Service object for that call isBucketAccessible() if it returns true thats means bucket is accessible else not.
I am 100% sure it will work :)