I need to be able to see the logs for my calls on AWS API Gateway. When I perform the calls from within Gateway's Dashboard I can see them under the Logs section.
How can I see them for external call (e.g.: calls made using curl)?
I tried enabling CloudWatch but I can only see the metric, and not the actual log messages.
The most likely reason for not being able to see API Gateway logs in CloudWatch logs is that you haven't specified the ARN of an IAM role that enables API Gateway to write information to CloudWatch Logs.
You then need to explicitly enable logging on each Stage. You don't need to (re)Deploy the API, just Save.
Detailed instructions here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console
Once enabled you will get a log group named "/aws/apigateway/welcome" with a log line confirming logs are enabled.
Related
I have a pipeline deployed through gcp cloud based Kubeflow. Now I want to manage the pipeline from outside the google account i.e from different google account or from a local host. I want to manage the pipeline through Rest API calls. But I am getting error while trying. Do I need the details of google service account? if so, how to pass that information? Kindly help me solve these issue.
Once again I am stating the problem statement, need to access the pipeline through Rest API calls, which is in cloud based Kubeflow.
Related to Security Cloud Run services for end-users and other services
I'm using:
Firebase Auth to generate id tokens for users with Google, Microsoft, GitHub ... identities
Cloud Endpoints on Cloud Run to invoke (Cloud Run) gRPC services
Firebase Auth users are auth'd by one of my services
Where I'm struggling....
My app provides 1 or more Cloud Run services that the app's users should be able to curl. But authenticating Cloud Run services require per-service id tokens; the id token's audience must use the Cloud Run service URL and the Cloud Run service URL is service-specific.
It seems as though I ought to be able to exchange the Firebase Auth id token for (Google Account) id tokens (with appropriate audiences) that can then be used to invoke the Cloud Run service. The proxy could also run on Cloud Run and it would use my app's auth service to verify whether the id token user should be issued with a Google id token.
Guillaume Blaquire's answer proposes either Coud Endpoints or a proxy similar to what I describe above. However, Cloud Endpoints requires that the backend services be known at deploy time (which these Cloud Run services won't be) and I want to provide the user with the id token so that they can use curl or some other tool to make the auth'd request.
Cloud Run has some compelling documentation for Authenticate (sic.) but I want something between:
Authenticating users -- I have the JWT but I want to receive a Google id token for the Cloud Run service
Authenticating service-to-service which Guillaume's alternative proposal in the answer.
Rather than place your Cloud Run behind Cloud Endpoints, where you have to know the Cloud Run instances ahead of time, you can handle the request and authentication inside the Cloud Run instance itself.
To be able to handle Firebase Authentication tokens inside the Cloud Run instance, they must be setup so that they can be invoked unauthenticated. Then, inside the Cloud Run, it should launch a web server, parse the incoming request (paying attention to the Authorization header - Firebase Auth sample) and then either action or terminate the request.
To achieve this, take a look at this thread for details on how you can handle both HTTP and service-service requests. Alternatively, you could just deploy the Functions Framework image from which that thread's code is based.
If you want cleaner URLs, host multiple endpoints within a single Cloud Run instance and then place that instance behind Cloud Endpoints or you can take a more manual approach via a custom domain using a service like Firebase Hosting.
I am running an react app. I want to log error to my aws cloudwatch without hard coding the access key and secret key on my client side code. I am using 'Error Boundary Component' for catching error.
Thank you for your help.
I assume by "react app" you mean a React-based web application, often called an SPA for Single Page Application.
In that case you are correct, you do not want to hard-code and credentials as that would expose them to any user who has access to the page.
The most common architecture for doing this is to setup the following:
A Lambda that will take your logging event and log it for you in Cloudwatch.
An API-Gateway that your application can call that will trigger the Lambda.
An Authorizer on the API-Gateway resource that will validate a JWT that is passed from the application.
AWS Cognito that will supply your application with a JWT based on some login, either directly or via some integration with another service that is applicable for your case.
I have set up a very simple Node application with Express on Google Cloud Run.
It works great, but when I set it up with "Allow unauthenticated invocations to [service] (y/N)?" to No, I get a 403 Forbidden even though I created an API key and I'm making the calls adding key=[My API key] in the query string, as told in the documentation. My URL ends up looking like
https://service-wodkdj77sba-ew.a.run.app?key=[My API key].
I've tried with restricted (for Google Cloud Run) and unrestricted API keys.
Is there anything I'm missing?
Cloud Run, like many product in GCP, doesn't support API Key authorization. As detailed in your provided link, only a subset of service use API KEY.
It's also mentioned :
API keys do not identify the user or the application making the API request, so you can't restrict access to specific users or service accounts.
Where Cloud Run authentication section specify this here
All Cloud Run services are deployed privately by default, which means that they can't be accessed without providing authentication credentials in the request.
By the way, the Cloud Run expectation and the API Key capabilities aren't compatible.
However, if you want to access to your Cloud Run private service with API Key a workaround exist. You can deploy an Extensible Service Proxy (ESP) on another Cloud Run service. In it, authenticate the API Key and, if it's valid, call the Cloud Run private service with the ServiceAccount of your ESP (which must have roles/run.invoke role).
In order to log into AWS MFA is required. But if I had a program running on an EC2 instance that invoked AWS services via API calls, would such a program also need to authenticate using MFA or would this not be required because we are already "in?"
MFA is only required when logging into the AWS web console with a username/password. When you make API calls you would use an IAM access key, or even better (since your program is running on EC2) an IAM instance profile, which doesn't require MFA.
API calls can be made to require MFA as well using an IAM policy. However, if you were to deploy such policy, you could also exclude VPC-internal subnets from the MFA requirement so that MFA would only be required when accessing the AWS API endpoints from the outside.
Here's a link to my repository which contains an example enforcement policy (see example-mfa-policies/EnforceMFA.txt): https://github.com/vwal/awscli-mfa