I am creating folders in GCP Storage bucket for each Firebase Auth User my app has.
GCP allows to give folder level permissions in Storage, but is it possible to also add the access permission to a Firebase Auth user using the GCP IAM logic?
No, it's not possible. IAM doesn't know anything about Firebase Authentication users. When accessing objects directly from app where a user is authenticated with Firebase, you're supposed to use security rules to determine who can read and write those objects.
Related
I have a simple and free Google user account like this: my.name#gmail.com.
Im working with SomeCompany with a billable Google account. This company exposed a bucket to which im supposed to upload someFile.txt. The bucket url looks like this: https://console.cloud.google.com/storage/browser/SomeCompany-multi-44444
or, alternatively gsutil:
gs://SomeCompany-multi-44444
I can access and use this bucket (after auth prompt) from my browser.
Question: Can i access this bucket using API (preferably using Python oauth2client or gcloud) without creating (billable) Service account of my own? How? I fail to understand how to create an API authentication to this bucket without creating a service account which requires credit card. Is there something that SomeCompany have to do in order for me to succeed?
Yes, it's possible and reasonable.
Service accounts and user accounts are all Google identities (as are Groups).
The difference is that service accounts use two-legged auth and have a simpler flow. But, a user account is a valid identity and yours has been authorized to use the bucket.
The difference is that you need to use three-legged auth and exchange your credentials for an access token that you may use to authenticate to the service.
Here's a link to the Python Cloud Client Library section on using 3-legged (User) auth.
I have a mobile app which authenticates users on my server. I'd like to store images of authenticated users in Google Cloud Storage bucket but I'd like to avoid uploading images via my server to google bucket, they should be directly uploaded (or downloaded) from the bucket.
(I also don't want to display another Google login to users to grant access to their bucket)
So my best case scenario would be that when user authenticates to my server, my server also generates short lived access token to specific Google storage bucket with read and write access.
I know that service accounts can generate accessTokens but I couldn't find any documentation if it is a good practice top pass these access tokens from server to client app and if it is possible to limit scope of the access token to specific bucket.
I found authorization documentation quite confusing and asking here what would be best practice approach to achieve access to the cloud storage for my case?
I think you are looking for signed urls.
A signed URL is a URL that provides limited permission and time to
make a request. Signed URLs contain authentication information in
their query string, allowing users without credentials to perform
specific actions on a resource.
Here you can see more about them in GCP. Here you have an explanation of how you can adapt them for your program.
I have deployed an api through Amazon API gatway and I know It is possible to control access of GET/POST methods of resources through IAM user policies. This is mentioned here http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
For every new client I don't want to create new aws user everytime and assign new policies of access control. I want to create new API keys(Controlled by Amazon API gateway) for every new client and want to restrict resources through that. Is there any way to do so?
Please help.
API keys cannot be used for authorization purposes. API keys only provide a boolean choice whether access to this endpoint is allowed or not (it cannot differentiate per user).
To implement authorization you have to use IAM or CustomAuthorizer functions.
AWS documentation on that topic
API keys are not meant as a security mechanism for controlling access
to an API. To enable secure access control, use IAM permissions,
custom authorizers or a Amazon Cognito User Pool.
Try with cognito with authtenticate role.
I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.
I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/