In order to log into AWS MFA is required. But if I had a program running on an EC2 instance that invoked AWS services via API calls, would such a program also need to authenticate using MFA or would this not be required because we are already "in?"
MFA is only required when logging into the AWS web console with a username/password. When you make API calls you would use an IAM access key, or even better (since your program is running on EC2) an IAM instance profile, which doesn't require MFA.
API calls can be made to require MFA as well using an IAM policy. However, if you were to deploy such policy, you could also exclude VPC-internal subnets from the MFA requirement so that MFA would only be required when accessing the AWS API endpoints from the outside.
Here's a link to my repository which contains an example enforcement policy (see example-mfa-policies/EnforceMFA.txt): https://github.com/vwal/awscli-mfa
Related
Related to Security Cloud Run services for end-users and other services
I'm using:
Firebase Auth to generate id tokens for users with Google, Microsoft, GitHub ... identities
Cloud Endpoints on Cloud Run to invoke (Cloud Run) gRPC services
Firebase Auth users are auth'd by one of my services
Where I'm struggling....
My app provides 1 or more Cloud Run services that the app's users should be able to curl. But authenticating Cloud Run services require per-service id tokens; the id token's audience must use the Cloud Run service URL and the Cloud Run service URL is service-specific.
It seems as though I ought to be able to exchange the Firebase Auth id token for (Google Account) id tokens (with appropriate audiences) that can then be used to invoke the Cloud Run service. The proxy could also run on Cloud Run and it would use my app's auth service to verify whether the id token user should be issued with a Google id token.
Guillaume Blaquire's answer proposes either Coud Endpoints or a proxy similar to what I describe above. However, Cloud Endpoints requires that the backend services be known at deploy time (which these Cloud Run services won't be) and I want to provide the user with the id token so that they can use curl or some other tool to make the auth'd request.
Cloud Run has some compelling documentation for Authenticate (sic.) but I want something between:
Authenticating users -- I have the JWT but I want to receive a Google id token for the Cloud Run service
Authenticating service-to-service which Guillaume's alternative proposal in the answer.
Rather than place your Cloud Run behind Cloud Endpoints, where you have to know the Cloud Run instances ahead of time, you can handle the request and authentication inside the Cloud Run instance itself.
To be able to handle Firebase Authentication tokens inside the Cloud Run instance, they must be setup so that they can be invoked unauthenticated. Then, inside the Cloud Run, it should launch a web server, parse the incoming request (paying attention to the Authorization header - Firebase Auth sample) and then either action or terminate the request.
To achieve this, take a look at this thread for details on how you can handle both HTTP and service-service requests. Alternatively, you could just deploy the Functions Framework image from which that thread's code is based.
If you want cleaner URLs, host multiple endpoints within a single Cloud Run instance and then place that instance behind Cloud Endpoints or you can take a more manual approach via a custom domain using a service like Firebase Hosting.
In our project we are using API Gateway to get authenticated by Cognito User Pool.
Now, we are checking instead of hiting API Gateway can we directly hit Cognito for authenticating users.
So, wanted to check if there is any API of AWS cognito-idp admin-initiate-auth to get the tokens without using the CLI command?
Please refer to the link here. You will also find more information about using this API in one of the language-specific AWS SDKs.
For a complete list of all Amazon Cognito API references, refer here
I have set up a very simple Node application with Express on Google Cloud Run.
It works great, but when I set it up with "Allow unauthenticated invocations to [service] (y/N)?" to No, I get a 403 Forbidden even though I created an API key and I'm making the calls adding key=[My API key] in the query string, as told in the documentation. My URL ends up looking like
https://service-wodkdj77sba-ew.a.run.app?key=[My API key].
I've tried with restricted (for Google Cloud Run) and unrestricted API keys.
Is there anything I'm missing?
Cloud Run, like many product in GCP, doesn't support API Key authorization. As detailed in your provided link, only a subset of service use API KEY.
It's also mentioned :
API keys do not identify the user or the application making the API request, so you can't restrict access to specific users or service accounts.
Where Cloud Run authentication section specify this here
All Cloud Run services are deployed privately by default, which means that they can't be accessed without providing authentication credentials in the request.
By the way, the Cloud Run expectation and the API Key capabilities aren't compatible.
However, if you want to access to your Cloud Run private service with API Key a workaround exist. You can deploy an Extensible Service Proxy (ESP) on another Cloud Run service. In it, authenticate the API Key and, if it's valid, call the Cloud Run private service with the ServiceAccount of your ESP (which must have roles/run.invoke role).
I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.
I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/