I'm trying to pass a request with AWS API but I get this error
AWS was not able to validate the provided access credentials
My request is:
https://ec2.amazonaws.com/?Action=RunInstances&ImageId=ami-6df1e514&KeyName=key1&InstanceType=t2.micro&Placement.AvailabilityZone=us-west-2&AWSSecretAccessKey=**********************&AWSAccessKeyId=******************
My access credentials are right, there is no doubt about that.
I found that the problem could be caused by clock delay but My PC's clock is correct.
Could someone help me, I did not find a solution.
You never send your secret access key to AWS when making an API call. Instead, you sign your request with the access/secret keys (as described here). You can read more about signing here.
Ideally, use the JavaScript SDK rather than manually generating query requests.
You should also rotate the credentials that you were using because you have exposed the secret key.
Where did you find this way of authentication by passing access-key and secret-key as parameters?
AWS SDK like java-sdk or boto3 provide easy to use APIs to make such calls so I would recommend using them.
Also look at authentication mechanism required by AWS API calls:
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Related
I have a NextJS web app and I'm adding firebase authentication to it.
I want to make secure GET calls to my server, and was wondering what is the token I should use with the server and where to set it?
Should I use the firebase user's AccessToken?
And should I send it in the URL query parameter (or header)? Aren't both alternatives exposed to whomever sees the URL and they can impersonate the user?
Thank you in advance for the help.
Are you talking about your API keys? if you are they are supposed to be visible, you need to write Security Rules which are pretty simple to use.
Read more here: Learn about using and managing API keys for Firebase
If you want your own server-side code to use the caller's Firebase Authentication credentials to ensure they are authorized for the operation they are trying to perform, you should:
Pass the users ID token from the client to your server over a secure connection. This is typically done in the Authorization header of the HTTP request.
On the server decode the ID token, and then check your own authorization logic to see if the call is allowed.
The entire process is quite well described in the Firebase documentation on verifying ID tokens, so I recommend checking that out too.
I have a Lambda function which triggered by API Gateway service, however this API is accessed by front-end application, this application not requiring the users to login or sign up to use it.
However I would like to secure my API to allow only from my front-end application.
After my research I found that I can use custom authorization in API Gateway, this custom authorization will check the authorization header of the incoming request and validate it.
the question is, can I use Amazon Cognito for something like this(implicit grant type)?
if not what is the thing that the front-end application will send to me to be validated and how can I keep it always changeable, so no one can guess it?
Thank You.
You could check the headers, but if they're always the same, someone can send an HTTP request with those headers - from any client - and trick your Lambda into thinking it's coming from your UI.
Even if you generate a unique token every time your UI is loaded and include it in the headers, someone could take that token and send requests from another client as well.
You could build fancy JavaScript tricks to make headers more dynamic, but it would only make it harder to use your API from another client, not impossible.
I'm hosting a static website on S3 that uses an API. My auth token for the API is stored in a JS file, but I want to keep that obscured from public users, but NOT from my application.
At the moment, it looks like you need to make S3 buckets (and all of their files) publicly accessible by everyone, but I want to mask my config file. Is this possible, and if so, what is the best way to do it?
Thanks!
Amazon provides a service called Lambda. It is a serverless computing. You use can can be solved using this.
You can write an auth function in Lambda where you can place the api auth token.
You are not really going to be able to completely hide your token, no matter what you do by masking it etc, ultimately your browser is issuing an API call and passing along the credentials which anyone that cares to look for it can see it.
What you want to do is use something like aws cognito to generate temporary, restricted tokens for each user, even anonymous users.
Cognito Identity supports the creation and token vending process for
unauthenticated users as well as authenticated users. This removes the
friction of an additional login screen in your app, but still enables
you to use temporary, limited privilege credentials to access AWS
resources.
https://aws.amazon.com/cognito/faqs/
If you do this, someone can still see the token being used, but it is time and permission limited - not the keys to the kingdom, so they can't do much with it.
I want to enable users in my macos app to be able to securely login to my Parse Server using third-party Oauth2 login. I have been searching for the best approach to do this, but still have some problems. If I understand correctly, logging in requires:
Enable oauth in my Parse server config file (for twitter, google etc).
Get the access token to the provider (e.g. twitter) using a client side OAuth login. I am currently using OAuthSwift.
Login to Parse using the provided access token (from 2) as suggested in the swift example provided here, i.e.
[[PFUser logInWithAuthTypeInBackground:provider authData:authData] continueWithBlock:^id(BFTask<id> *task) {
return task;
}];
This login approach requires the use of the client key and client secret for each provider. How can I safely store these keys-secrets on my Parse server and access them programmatically? Should I use PFConfig and access them during runtime? Is that safe? Or is there something I am doing very wrong here? If anyone has a better approach or an example as to how I should enable OAuth login I would appreciate it (since I am on macos I can not use TwitterUtils and FacebookUtils).
No secret key should ever be used on your client. The client key can be considered "public", and is actually optional (though recommended).
Your secret key should only be stored on your server, preferably as a config/env variable (Note: NOT PFCONFIG). Any use of it should be on your server, and you can create a cloud code function that will use the key as needed and return necessary values to your client. The client should call this, receive a key you need, and then use it appropriately.
Although I'm also not familiar with a client secret key in general? This is the first I've seen of it. I wonder if you've misunderstood any documentation?
I was wondering if there is a easy way to implement a authentication with custom fields. For ex: My app generate a code that is sent by SMS and I want to authenticate the user with this code. So I can’t use strategy local or anything.
I was thinking about create another service that when the code is received it check the database and generate a JWT token and return to the client app. But how to set that token to the app so it will use in the nexts rest and socket calls?
Any clues?
If you know the user prior to the generation of code then you can do it via local strategy by saving the generatrd code to that user and use it for authentication. You can also make use of the authentication service hooks. Or in the verifier.
See it here. https://docs.feathersjs.com/api/authentication/local.html#local-authentication
In addition to the local auth feathersjs provides, there is an additional library supporting all kinds of confirmation procedures, password reset, etc. It is only referenced in the API part of the docs somehow. Here it is.