I'd like to start/stop/restart VMs in GCP through scripts. There are OAuth2.0 and API key methods for this.
For OAuth 2.0, I can generate an access token through "gcloud auth print-access-token"; I get the key and it works.
I want the same to work with API keys, but I am not able to find an API key for "Compute Engine"; there are service accounts, but keys.
curl --request POST \
'https://www.googleapis.com/compute/v1/projects/xxxx/zones/xxx/instances/xxx/stop?key=[YOUR_API_KEY]' \
--header 'Accept: application/json' \
--compressed
What am I missing?
Thanks.
You cannot use an API key for this purpose. This is because the GCE API needs to know who is sending the request [1] but the API key doesn't provide this information.
API keys are used when an API can be accessed by anyone, for example a Google Maps box embedded in a website, but usage needs to be accounted to one particular customer.
[1] Identity is needed to enforce IAM permission, collect audit logs and other such tools.
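An added example, not part of the original answer: a shell sketch of the scripted start/stop/restart the question asks for, authenticating with an OAuth 2.0 bearer token from `gcloud auth print-access-token` instead of `?key=`. The function names, the `GCE_ACCESS_TOKEN` override variable and the name check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: Compute Engine instance actions with an OAuth 2.0 bearer token.
GCE_API="https://www.googleapis.com/compute/v1"  # base URL as in the question

# Build the REST URL. Only start/stop/reset are accepted, and every path part
# must match [a-z0-9-] (a conservative check chosen for this example) so that
# script arguments cannot change the request path.
gce_action_url() {
  local project="${1:-}" zone="${2:-}" instance="${3:-}" action="${4:-}" part
  case "$action" in
    start|stop|reset) ;;   # reset is the API's hard-restart method
    *) echo "unsupported action: $action" >&2; return 2 ;;
  esac
  for part in "$project" "$zone" "$instance"; do
    case "$part" in
      ""|*[!a-z0-9-]*) echo "invalid name: $part" >&2; return 2 ;;
    esac
  done
  printf '%s/projects/%s/zones/%s/instances/%s/%s\n' \
    "$GCE_API" "$project" "$zone" "$instance" "$action"
}

# Token for the active gcloud credential. GCE_ACCESS_TOKEN is a hypothetical
# override for callers that already hold a token.
gce_token() {
  if [ -n "${GCE_ACCESS_TOKEN:-}" ]; then
    printf '%s\n' "$GCE_ACCESS_TOKEN"
  else
    gcloud auth print-access-token
  fi
}

# POST the action. The Authorization header is fed to curl through a config
# read from stdin, so the token never shows up in the process argument list.
# --data '' sends an empty body, which makes curl emit Content-Length: 0.
gce_instance_action() {
  local url token
  url="$(gce_action_url "$@")" || return
  token="$(gce_token)" || return
  curl --silent --show-error --fail --request POST \
    --header 'Accept: application/json' \
    --data '' --config - "$url" <<EOF
header = "Authorization: Bearer $token"
EOF
}
```

Call it as `gce_instance_action my-project us-central1-a my-vm stop` (constructed names). For unattended runs, `gcloud auth activate-service-account --key-file=...` makes a service account the active credential, so the request is attributed to that identity in IAM checks and audit logs.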
Related
Does anyone know how to configure AWS IAM/Cognito/AppSync to allow access to the AppSync API for unauthenticated users, without using Amplify? I see a lot of examples of how to configure it WITH Amplify and API keys (they expire).
I already have:
a Cognito Identity Pool with roles for authenticated and unauthenticated access
the role for unauthenticated access modified to allow read access to the AppSync resources (wildcards)
An AppSync API with IAM as the default authentication method
What I miss in documentation and examples is:
how to connect AppSync to this specific Identity Pool
how to make an unauthenticated call using Postman or JavaScript in a browser
How to make an unauthenticated call using Postman?
According to appsync docs:
Unauthenticated APIs require more strict throttling than authenticated
APIs. One way to control throttling for unauthenticated GraphQL
endpoints is through the use of API keys. An API key is a hard-coded
value in your application that is generated by the AWS AppSync service
when you create an unauthenticated GraphQL endpoint.
So having ABC123 as the api key, you can send a query this way:
$ curl -XPOST -H "Content-Type:application/graphql" -H "x-api-key:ABC123" -d '{ "query": "query { movies { id } }" }' https://YOURAPPSYNCENDPOINT/graphql
Edit: Sorry, didn't realize it was Identity pool, not user pools. Leaving here anyway. This below is for USER POOLS
How to connect AppSync to this specific Identity Pool?
When you create the default authorization mode in your appsync or when you add Additional authorization providers, you set the requirements for any mode you specify. In the case of AMAZON_COGNITO_USER_POOLS you set the following:
AWS Region
user pool
default action
The way you create the resources may vary from one tech to another, for example, using the aws cli:
$ aws appsync --region us-west-2 create-graphql-api --authentication-type AMAZON_COGNITO_USER_POOLS --name userpoolstest --user-pool-config '{ "userPoolId":"test", "defaultEffect":"ALLOW", "awsRegion":"us-west-2"}'
For more explanation check appsync documentation (link provided), the examples are from there.
https://developers.admitad.com/en/doc/api_en/auth/auth-client/
is the link to documentation.
How to use this curl -H for API integration?
I am using kong as my api-gateway and using a plugin kong-oidc for authentication using keycloak. Authentication process is smooth and running fine. Now I want to add authorization for the requests made to kong for different microservices. I am planning to modify the kong-oidc plugin. I have created a confidential client, role-based policies and resource based permissions along with some users assigned with different roles in keycloak. I want to authorize a user if he has a permission to access a specific resource. I can do that with the following request:
curl -X POST \
http://keycloak-url/auth/realms/$realm/protocol/openid-connect/token \
-H "Authorization: Bearer $access_token" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=auth-client" \
--data "permission=af-resource" \
--data "response_mode=decision"
I am concerned with permission=af-resource. During the request I cannot know the name of the resource, only the requested URL. Do I have to send another request to Keycloak to get the resource-id for the requested URL and then send the above-mentioned request for a decision, or is there another way? Or can I somehow use the information from the token-introspection endpoint?
Is there a way to retrieve Auth0 logins to a particular client? I have a common set of users across 2 different clients (2 different applications) and would like to get at the login data separately.
You can use the management API to retrieve the logs by client ID, like so:
curl -H "Authorization: Bearer $TOKEN" 'https://your-tenant.auth0.com/api/v2/logs?q=client_id%3Aexample-client-id'
Here are some doc links on getting started with the Auth0 Management v2 API, including how to get a Bearer token:
Management v2. docs
Management v2. tokens
Is it possible to just use cURL to handle the authentication with the Xero API for a private application? I've played with the PHP library and that all works well but I'd like to just use straight cURL commands for the HTTP Requests which it can obviously do, just not sure if I can use cURL to handle the OAuth 1.0a authentication?
If you happen to use Filemaker Pro you can do this easily via the BaseElements plugin from Goya using BE_Xero_SetTokens, and then including the consumer key and your private key as the username and password in subsequent HTTP requests.
Details here.