I’m trying to send an email through calling api from lambda function. Everything works fine locally but after deployment, am getting Access Denied error from SES.
You have to give AWS SES access to your Lambda existing role. Just go to
Execution Role
Existing Role
Click on View the on IAM console.
Attach Policies.
Find AWSSESFullAccess role and attach it.
Related
Currently i am trying integrate twilio with dialog flow by running in GCloud.
I am facing below error.
2021-02-01 12:12:58.223 HKT(node:14) UnhandledPromiseRejectionWarning: Error: 7 PERMISSION_DENIED: IAM permission 'dialogflow.sessions.detectIntent' on 'projects/sample1-ecji/agent' denied.
Already added Dialogflow Client API & Dialogflow Client Admin
Please advise
Issue resolved. I didn't use the correct service account .
Now it is working after using the correct service account.
I have created Azure App service, Bot Channels Registration, Resource group in Azure Portal and also have a LUIS app created.
I have a custom nodejs code that works perfectly in local using bot emulator.
However, when I upload it to the azure using git it is not working, getting error as "Error: Unauthorized. Invalid AppId passed on token:" in bot emulator, it is neither working in test in webchat getting error as "There was an error sending this message to your bot"
It seems like Appid and Password used in the code are just fine.
I have taken appid and pwd from configuration of my App service.
Message endpoint taken from settings of my Bot channels Registration
Are there any other things to be created for my BOT to work.
Kindly suggest
This is resolved after clearing the credentials in my systems credential manager :-)
I have been trying to create a connection with the gmail api. It worked when I followed this example: https://developers.google.com/gmail/api/quickstart/nodejs
The problem is, this requires the user to browse to a URL and then enter an authentication code in the CLI. This is possible on my local dev machine, but I don't see how this should be done when deployed on a production server, in a docker container. Additionally this method requires you to store a file in your project folder containing your credentials (sensitive data that I don't want to have in my Dockerfile obviously).
My second attempt was using JWT. I followed these steps Send mail via Google Apps Gmail using service account domain wide delegation in nodejs. This works until I actually try to retreive the email from the inbox. I get an error saying GaxiosError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.. I have created a service account with domain wide delegation so the account should be authorized to do anything.
Then I read this:
"Service accounts only work with GSuite because you have to be able to preauthorize the service account and grant it access to the users account. There is no way to preauthorize a normal user Gmail account. So no you cant use a service account with a normal users gmail account." source: Client is unauthorized to retrieve access tokens using this method Gmail API C#
I have also looked at using just an api key, but this option is not available for gmail.
How the hell am I supposed to authenticate from my container?
So it turns out the account I was using didn't have the correct rights. We did have a gsuite. Everything is working as expected now! :)
I want to set up a web service which will manage few resources on a user's behalf (on his own AWS account).
So basically, after a user logs in, he will provide my service with proper permission to access his account. I've noticed similar services (https://www.dashbird.io/), which instruct you on how to create a proper role, but I'm not sure on how to actually use the role. How to login on his behalf (there is no token nor password).
I'm using node.js, but other examples will help as well.
Thanks.
Your application will need valid credentials to access resources in your customer's AWS Account. Theses credentials can be provided in various ways, but they would most probably be either:
Credentials for an IAM User in your customer's account, or
An IAM Role in your customer's account, which they have configured to allow you to assume
IAM User
This is the simplest method. Your customer would create an IAM User and provide it with appropriate permissions. They would then supply your application with the Access Key and Secret Key associated with the User.
Your application would use those credentials when establishing a session with AWS services.
IAM Role
Your customer would create an IAM Role and provide it with appropriate permissions. Unlike an IAM User, an IAM Role does not have credentials. Rather, an AWS User assumes a Role. They are then provided with temporary credentials that can be used to use AWS services in that account.
Think of it like a Fire Warden -- if there is a fire in an office building, somebody temporarily assumes the role of Fire Warden, telling people what to do. When there's a fire, they have authority because they assumed the role. But when there's no fire, they have no authority to tell you what to do.
The customer would need to configure the Role to trust your Account, or a User in your account. They will then give you the ARN (Amazon Resource Name) of the Role. Your application then uses an IAM User in your own Account to call AssumeRole(). If that IAM User (or your whole account) is trusted, then you will receive back credentials for accessing your customer's account.
See:
Creating a Role to Delegate Permissions to an IAM User
AssumeRole
I'm working on a nodejs application on AWS for the first time and am still learning all the services. I'm working on my applications authentication and authorization and am at the point to create my user roles and groups. Is the AWS IAM service meant for both AWS management and for your application's user authorization or should I use one of nodejs's ACL modules and manage my roles and users outside of AWS IAM service?
Should you use AWS IAM roles and permission for application users?
No, you should not. AWS IAM roles and permission control AWS user/instance access to AWS services only via EC2 user profiles and instances. They are not intended to be used for specifying user authentication or roles in a proprietary application.
Should I use one of nodejs's ACL modules and manage my roles and users outside of AWS IAM service?
Yes, correct. Use native methods/libraries for managing application specific user authentication and roles in your app.
With the rise of API gateway and lambda, I'm wondering if this advice still holds true.
i have a very simple API in node, which is pretty much just ACL around storing a blob of JSON in mongo.
If i could model my permissions in IAM and use a lambda function for handling the mongo write/read, it would seem sensible to use IAM for my application user creds.
Possibly this is what Cognito was released to support? (although i haven't looked into this much)
AWS IAM users are used to share your Amazon services with someone (your team for example) without having to disclose your personal password.
One of the key advantages is being able to give admin access to any staff member without allowing it to access your credit card data.
If you need to create a simple authentication module for your application or website (a common case of system with username and password) then you can try using something like PassportJS