AWS [SES]: the reason(s) behind getting ProductionAccessNotGrantedException - amazon-ses

To use the SES within AWS to handle my site's subscriptions, I did the following:
Verified my email and domain that I want to send the email from. Also used IAM and gave the proper access to send a customized email
Using AWS Cli created a CustomVerificationEmailTemplate.
Created a configuration set and linked it to a SNS.
Used Java SDK, created a client of type AmazonSimpleEmailService and a sendCustomVerificationEmailRequest variable and used the sendCustomVerificationEmail method to send the invitation email.
However I do get the following exception:
[ProductionAccessNotGrantedException: null (Service: AmazonSimpleEmailService; Status Code: 400; Error Code: ProductionAccessNotGranted; Request ID: *****
Any idea why I do get this exception? Where should I get the production access?

SES service will be under sandbox status by default in all AWS accounts. In sandbox status, we can not do certain things like using CustomVerificationEmailTemplate.
We need to raise a service request to take it out of sandbox status. more documentation process on how to get it out sandbox status is here.

Related

Are there any AWS WorkMail APIs to get the list of inbox messages?

We need to verify a scenario, where we trigger an email from one of our test application, which sends an email to aws workmail which is used..
In order to verify this scenario, we need AWS workmail APIs to login and get the messages list..
I tried looking for API calls through network console when logging into AWS workmail via browser, all the calls that are made are ajax calls, hence wasn't able to find any..
Do we have any APIs as such which can be used to test following scenario
Login to AWS workmail via API by passing username and password
get the Inbox messages list to read the email which we want to verify.

AWS Secret Manager - 403 response on GetSecret

I'm working on an ASP.NET Core project that will be deployed to AWS. Recently the client came back and requested to pull a few values from AWS SecretsManager. I'm using the permissions inherited from the IAM Role associated to the EC2 instance that the service is deployed to.
In production use this service will be hosted by the client themselves on their own AWS account.
When I deploy to my own test AWS account the process works just fine but when the client deploys to their own AWS account they are getting a 403 Forbidden response on the call to get the secret value. They have the secret and permissions policy set up like I do but still the 403 error.
AmazonSecretsManagerClient client = new AmazonSecretsManagerClient();
var secretRequest = new GetSecretValueRequest
{
SecretId = "MySecretName"
};
// FAILS HERE
GetSecretValueResponse secretResponse = await client.GetSecretValueAsync(secretRequest);
It is a HttpRequestException with a message of "Response status code does not indicate success: 403 (Forbidden)."
My question isn't really a coding issue since this does work on my test AWS account. This seems like it must be an environment issue with the client's AWS account.
My experience with AWS is very limited so I have no idea what would be causing this.
Is the customer trying to fetch the exact same secret you are using in your account? This would require using a custom CMK and adding a resource policy granting access as described in the AWS docs.

invalid_request error on AWS Cognito Custom UI Page

when going to the custom AWS Cognito UI Page:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>
am getting the following error:
An error was encountered with the requested page.
View error
invalid_request
O-Auth options need to be check as shown in the following picture
from https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
You need the following in the App client Settings of your user pool:
Enable Cognito User Pool as "Identity Provider".
Allowed "OAuth Scopes" should have openid enabled.
In my case, it appears there was some issue with verifying the phone number. So switched back to email.
This document is good for checking everything.
https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
Unless the SMS Sending setup is not complete, do not choose the Email or Phone option. Email or phone actually falls back to phone number only. Read the warning messages.
TLDR: If you use an AWS User Pool with Cognito App Client and have an Application Load Balancer that is exposed via a custom DNS entry (e.g. custom-domain.com, which has to be secured via SSL), use this custom domain for the Cognito App Client's callback URL (i.e. https://custom-domain.com/oauth2/idpresponse) instead if the random DNS name created by AWS.
I had the same error and this issue solved it for me. I used a User Pool with a Cognito App Client and as callback URL I first used the DNS name that AWS created for it (<load balancer name>-<random number>.<region>.elb.amazonaws.com, i.e. "callbackUrl": "https://<load balancer name>-<random number>.<region>.elb.amazonaws.com/oauth2/idpresponse). I also created a DNS record for a custom domain to expose the load balancer to the internet and secured it via SSL. As a result, the certificate was not valid for the URL created by AWS, but only my custom domain. The Cognito App Client was thus trying to access the URL with the invalid SSL certificate and returned the error.

API connect published api in developer portal can't work

https://new-console.ng.bluemix.net/docs/services/apiconnect/apic_tutorial.html#apic_tutorial_01
Follow previous link to do create loopback project named ibmsvt and do test locally, we can post and get.
then publish this api as running api app on bluemix and we will get api target url and tls file.
type url and tls in api designer invoke, and publish api product again.
check api connect service and we can find that published api product has been published, configure developer portal, and invite developers
login developer portal and register one app
subscribe app to api product and run post command.
We will see that we only get can't post error information...
Please see attachment info for error info and api file.
From the screen capture provided, it looks like you're displaying the logs for the loopback application deployed on bluemix. It also looks like the POST request from APIConnect hit the Bluemix application as well. However, I'm unable to see the exact message of the error. What error did you get when you execute the POST from APIConnect? I suspect the POST did not include the $(request.path), what did you change the invoke url to be ? Can provide the x-ibm-configuration section in your yaml file? It will be located in your /definitions.
Thanks and best regards,
I am just have the exact problem, and struggled for days on redoing the tutorial several times, but still met with the same problem until found the upper reply, and gave me a hint.
In the tutorial, it says like the following:
Update the following fields with the values you copied previously:
Invoke URL: Insert the API target URL. You must specify the secure protocol HTTPS. For example:
apiconnect-ca3283b0-525c-488d-993b-3ab72fca78d0.youremail-dev.apic.mybluemix.net
TLS Profile: Insert the API invoke tls-profile.
For example:
client:Loopback-client
The origininal URL is $(runtime-url)$(request.path)$(request.search).
And the correct URL after updating is like following:
https://apiconnect-ca3283b0-525c-488d-993b-3ab72fca78d0.youremail-dev.apic.mybluemix.net$(request.path)
no slash before $(request.path), and $(request.search) should be deleted.
I also checked a tutorial video, it also do like this, but the screen for this step is passed away very quickly, you will not pay attention to this detail normally.
https://www.youtube.com/watch?v=Qku71JLv8vA&list=PLFa8jnU0KqE2eW5E449ziaurv8obSbcou&index=3&cm_mc_uid=24774488665514672571374&cm_mc_sid_50200000=1468400063

GoogleCredential OAuth access token invalid_grant error

I'm trying to acquire a 2 legged oauth2 access token for google's storage api through a service account.
The relevant documentation is contained here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I first tried attempted to acquire the token through their HTTP/REST api. I eventually gave up being unable to get past a 400 response with the following details:
{ "error" : "invalid_grant" }
I then turned to the recommended method: using the java Google api client library (I'm using scala).
val credentialBuilder = new GoogleCredential.Builder()
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setJsonFactory(JacksonFactory.getDefaultInstance())
.setServiceAccountId(Configuration.GoogleAPI.ServiceAccount.email)
.setServiceAccountPrivateKeyFromP12File(new File(Configuration.GoogleAPI.ServiceAccount.pkcs12))
.setServiceAccountScopes(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL))
def updateToken = {
val credential = credentialBuilder.build()
credential.refreshToken()
// ... do stuff here with token
}
Running the above, I get a TokenResponseException, with a payload identical to the error I was getting directly accessing the REST api. 400 Bad Request, invalid_grant error.
Doing some research (on both stackoverflow and elsewhere), I find that the most common reasons for this error message are:
1) The local clock is not synced with Google's servers. I suspected this even back when I was using the REST api because I've encountered this issue for other services before. I'm fairly sure its not a clock issue however, because I have repeatedly synced my clocks with an external ntp server:
sudo ntpdate -s ntp.ubuntu.com
2) The other common cause for this error is setting the service account client ID incorrectly. Most people set it to their service account client id (ending with "apps.googleusercontent.com") instead of their service account client email. Its pretty clear that this isn't the problem, since I'm correctly pointing to the email (the docs instructed this, so I followed the directions), ending with "#developer.gserviceaccount.com".
I'm stuck. I've checked the user documentation, the javadocs, various forums. The error message isn't very helpful (probably designed that way, since it's a security endpoint).
What other possible causes for this error exist? What can I do to get my service account access token?
If you are using OAuth2.0 to access a google analytics account then there could be one more reason of getting invalid_grant. As per developer docs:
If the application attempts to use an invalidated refresh token, an
invalid_grant error response is returned. The limit for each unique
pair of OAuth 2.0 client and Google Analytics account is 25 refresh
tokens (note that this limit is subject to change). If the application
continues to request refresh tokens for the same Client/Account pair,
once the 26th token is issued, the 1st refresh token that was
previously issued will become invalid. The 27th requested refresh
token would invalidate the 2nd previously issued token and so on.