Using the AWS SDK I can make a get request and fetch a document, I will then know if I have the IAM access to access the database.
Is there a way to test with the NodeJS AWS SDK to see if I have allow access for the action dynamodb:getItem. Of course I can just write a query but is there a way without me having to spend time writing a meaningless query?
The easiest way I can think of right this moment is to try a simple getItem like you mentioned with a primary key, but do it with the low level API. Then you are not writing a "meaningless query." If I find another way, I'll add it here.
You can simply check through the user's role through console and CLI as well with the get-user-policy command.
CLI Approach:
aws iam get-user-policy --user-name Bob --policy-name ExamplePolicy
With the help of this command, you check the rights you have on that user. For detail look into this DOC.
Console Approach:
Login with AWS Console and Search IAM service
Under the User Section, Search your user whose permission need's to check.
Then in the permission section, you can watch all the permission.
Related
I'm creating a Google Workspace Add-On and need to make some requests using OAuth. They provide a guide here explaining how to do so. In the sample code, it's suggested that the OAuth client secret be inline:
function getOAuthService() {
return OAuth2.createService('SERVICE_NAME')
.setAuthorizationBaseUrl('SERVICE_AUTH_URL')
.setTokenUrl('SERVICE_AUTH_TOKEN_URL')
.setClientId('CLIENT_ID')
.setClientSecret('CLIENT_SECRET')
.setScope('SERVICE_SCOPE_REQUESTS')
.setCallbackFunction('authCallback')
.setCache(CacheService.getUserCache())
.setPropertyStore(PropertiesService.getUserProperties());
}
Is this safe for me to do?
I don't know how Google App Script is architected so I don't have details on where and how the code is being run.
Most likely it is safe since the script is only accessible to the script owner and Workspace Admins if it is for Google workspace (which may or may not be an issue).
Well, you can add some security/safety by making use of a container, by using Container-bound script which makes use of Google Spreadsheet, Google Doc or any other that allows user interaction. Or a standalone script but also makes use of other way to connect to UI for interaction. Refer to this link for more detailed explanation on that: What is the appropriate way to manage API secrets within a Google Apps script?
Otherwise, the only way I see that you can do is store the keys and secrets in User Properties. Here's how you can do it: Storing API Keys and secrets in Google AppScript user property
Also you can refer to this link below for more general information on how you can manage or add some security: https://softwareengineering.stackexchange.com/questions/205606/strategy-for-keeping-secret-info-such-as-api-keys-out-of-source-control
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
I am trying to write a query that pulls from federated tables in BQ. In BQ I can run the query and get results. However, when I run the same query in Domo, I get the error: Domo is ready, but received a Access Denied: BigQuery BigQuery: No OAuth token with Google Drive scope was found..Please contact the data provider for support.
I have read all over the place that I need to change the scope to do this. I am not a developer though, so I am not sure exactly how to go about this in BQ.
Does anyone have step by step instructions for how to do this?
Thanks!
When you created federated table you grant access of account that run query on the file in e.g. Google Drive.
So when you run query in BQ Console - it used your credentials.
When you run from domo - it may use different account (probably some service account) - so to have everything work you should grant proper access (essentially share document with this account) to your drive file to this account.
The issue seems similar to another post, but It's different for me. Because I check the testIamPermission, and the returns showed that I got all permission I needed and still receive insufficient permission.
This is what I received:
{'storage.buckets.get' : true}
{'storage.buckets.getIamPolicy' : true}
{'storage.objects.create' : true}
{'storage.objects.delete' : true}
{'storage.objects.get' : true}
{'storage.objects.getIamPolicy' : true}
{'storage.objects.list' : true}
{'storage.objects.setIamPolicy' : true}
{'storage.objects.update' : true}
The code I used to test:
googleBucket.iam.testPermissions([testPermissions], function(err, permissions) {
if(!err)
console.log(permissions);
})
Permission I missed:
'storage.buckets.create',
'storage.buckets.delete',
'storage.buckets.list',
'storage.buckets.setIamPolicy',
'storage.buckets.update',
It's really confused that I got all permission on create objects, but still throw an insufficient permission. What I used for api is just uploading a file on bucket. Is there any permission I missed? (Server is located at Google Compute Engine, on the same project of Google Cloud Storage)
it would be rather interesting which user runs the script.
because, it seems that the user/service which runs the script only has the viewer, but not the editor role. check in the IAM, if you have the proper roles assigned to the proper service-account. you also might need to login to that GCE instance with cloud shell and add those service-account credentials. in cloud shell, there is a tiny "upload" button top-right, which can be used to upload the credentials json file into the VM. the documentation also explains this, step by step.
I have found the answer precisely. There is an option, called Identity and API Access, in Create a new instance page. Just Switch from Default to whatever access option(do config properly, tho), and the problem sloved!
For the answer provided by Martin Zeitler, It's not what GCE works on running the script, GCE automatically connect Its email to another API as Editor permission, and no need to Hook any json to Instance that established on GCE. As I mentioned that Server is located at Google Compute Engine, on the same project of Google Cloud Storage.
However, Documentation Link is fairly helpful, Thanks Martin Zeitler, give you an upvote for quick answer :)
The Service account of your Google Cloud Compute Engine instance should match the one being used to access the Google Cloud Storage Bucket.
If it doesn't match, stop the instance, change the service account by selecting the correct service account from the drop box (Service accounts linked to only current project would be visible in the dropdown list).
Also, make sure that the selected Service account has correct Google Cloud Storage access.
I have setup a private cloud which has 2 computes and the back end is working successfully. OpenStack and Horizon is used to create and manage instances.
Basically, Horizon would be used on an administrator level and not by the user. So for the user to enter inputs like RAM, Disk Storage, Image etc, i want to create a frontend (ReactJS, NodeJS) website though which they can provide the details for VM creation.
The flow would be:
User provides all details through an HTML form.
Those details go to the Administrator sitting who will check the details and then approve the request.
Once the request is approved, VM is created and user can manage the VM.
I want to achieve somewhat like the above.
The goal is to not allow access for the user to create, manage VM instances through horizon.
Any help ?
EDITS
The flow should be the following :
Login to the front end user dashboard.
Allow user to create a flavor by accepting the values.
Store the values into MySQL DB.
Admin would get the request inn his login. An 'Accept' and 'Decline' button would be there on each flavor entry. If admin accepts, using shelljs the openstack flavor creation command is run and the output is saved in db.
The user could get the accepted flavor on his side.
The user would create a VM instance by selecting the flavor which he recieved above.
Using openstack create server command, the VM would be created and a token url would be generated which will be displayed to the user.
8.When user clicks on the url, VM is launched.
So the above is the goal to be achieved using React, NodeJS and MySQL.
The difficult parts would be:-
Running the openstack cli commands using shelljs
Generating a token url.
I hope there might be a way to do this.
Thanks
Not sure how to help you on this. Some ideas:
You will need a python backend unless you want your backend to talk to the OpenStack REST API directly. Similarly to Horizon, using the Django Python web framework will save you some time with using the python client APIs
Then you can build a frontend app with ReactJS and BackboneJS. Since ReactJS itself will not let you communicate with the HTTP Response generated by your backend. Also, you should look into Redux to deal with the data flow.
Here is an open source project which does what you want mostly: https://github.com/cyverse/atmosphere/
HTH