Hello StackOverflow Community,
I've searched through Amazon EC2's API documentation, but I haven't seen an API to create/modify/remove an Amazon EC2 account programmatically. Does anyone know if this is possible?
Thanks,
Mauricio
If you are talking about creating new Amazon's user for EC2, it is not possible to do programmatically. As in any website registration it requires human interaction. Particularly you will need to provide credit card etc. I also was not able to find a way to create new set of credentials programmatically.
What is the overall problem you're trying to solve? Are you trying to create an AWS account? Or simply create a new set of credentials for accessing EC2?
It is not possible to create accounts programmatically, but depending exactly on what you are trying to achieve, you may want to use AWS IAM which allows you to create credentials with restricted access (so for example an user can list current instances, but not start or destroy them)
Related
I have a chat application with the option to search for users by name/phone etc.
As part of the design there is an avatar presents the user's profile image.
I store the images in encrypted S3 bucket with private access only.
In order to watch an image I'm using the aws sdk to pre-sign the url with expiration of few seconds.
I'm asking myself if this is a right thing to do, or it's an overkill to do that by the face that this is a profile image and probably a lot of users will see that list too many time in the app, and each list contains few users with their avatars so it is crating a lot of pre signed urls in short time.
What would you suggest?
If your application is a SaaS and/or needs SOC2 compliance(or another maybe), you should go for it. Because they don't allow any public S3 buckets used by your application AFAIK.
I'm new to wso2 and there are many new concepts to me ... I'm looking for a yes/no answer to the following question:
With wso2is, is it possible to authenticate users using one secondary user store (AD / LDAP) and authorize them using another secondary user store (JDBC, a database with only user and role tables)?
If the answer to the question is "yes", can you please provide me some links to some related examples or documents?
Any suggestions?
Thanks.
Yes, its possible. we can use different user stores.
Please refer
https://docs.wso2.com/display/IS530/Architecture
https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On
Yes!! it is possible. Write your own custom UserStore and overwrite the method getting claims from user store.
Google it and you will find steps to do that.
I have created an app and some REST API on Google Appengine and deployed it to
www.my-appspot-id.appspot.com
I'm using Google Datastore to store my data and have created API's to access that data.
However, i can access my API directly also using
www.my-appspot-id.appspot.com/_ah/api/explorer
which means anyone can access them and can manipulate the data which i don't want.
How to restrict access so that nobody but some particular registered set of users can only use it?
I stumbled upon this tutorial recently, might be of some help.
I think you need to authenticate your endpoints and authorize only some client id.
OAuth 2 authentication : https://developers.google.com/appengine/docs/python/endpoints/getstarted/backend/auth
Allowed client ids and audience : https://developers.google.com/appengine/docs/python/endpoints/create_api#allowed_client_ids_and_audiences
To answer your question : you can't.
Google Cloud Endpoints is based on the explorer api: everybody will be able to navigate into your API, and see the differents methods available.
BUT if you add an authentication to your methods, the visitor will not be able to execute them.
I'm running a static website completely from an Amazon S3 bucket, but I want to password protect my content. Is this possible? The type of authentication doesn't bother me, it just needs to be there, so that people can't just 'discover' my website.
At the moment, I don't have a domain name set up, which I believe rules out http://www.s3auth.com/ as a possible solution. Are there any others?
AWS doesn't provide a way to do this directly right now. The S3auth solution you mentioned is nice in that your bucket/objects remain private so that a direct access to the bucket does not allow objects to be read without your private credentials. The disadvantage of the s3auth approach is that it relies on you trusting s3auth with your private credentials. If your credentials are compromised at any stage, it could be costly depending on how someone might abuse your access rights.
If you make your objects publicly readable (as you do when you create a website), anyone who learns/guesses/knows your objects names etc can access them. Or indeed if the bucket is readable, then all they need is the bucket name. There is no real way around this except by tightening the S3 access permissions.
If you only access your website from certain IP addresses, perhaps looking at Bucket Policies may help. Scroll down to Restricting Access to Specific IP Addresses. This is not a password but it does allow you to restrict where accesses can come from at least.
Another common technique for providing temporary access to objects is Query String Request Authentication. This does not however match your original requirement of password protecting your S3 bucket website.
This is possible using CloudFront and Lambda#Edge. See the answer here: https://stackoverflow.com/a/45971193/4550880
I think the AWS SDK for Javascript is what you're looking for. To be fair, it wasn't available when you posted this question 2 years ago. It allows you to login with Facebook, Google or Amazon. Here's another resource using AWS login.
Is there a way to create a different identity to (access key / secret key) to access Amazon S3 buckets via the REST API where I can restrict access (read only for example)?
The recommended way is to use IAM to create a new user, then apply a policy to that user.
Yes, you can. The S3 API documentation describes the Authentication and Access Control services available to you. You can set up a bucket so that another Amazon S3 account can read but not modify items in the bucket.
Check out the details at http://docs.amazonwebservices.com/AmazonS3/2006-03-01/dev/index.html?UsingAuthAccess.html (follow the link to "Using Query String Authentication")- this is a subdocument to the one Greg Posted, and describes how to generate access URLs on the fly.
This uses a hashed form of the private key and allows expiration, so you can give brief access to files in a bucket without allowed unfettered access to the rest of the S3 store.
Constructing the REST URL is quite difficult, it took me about 3 hours of coding to get it right, but this is a very powerful access technique.