Is sagemaker:CreatePresignedDomainUrl required to open jupyter in SageMaker notebook instance? - amazon-sagemaker

I'm trying to avoid using the managed policies AmazonSageMakerReadOnly and AmazonSageMakerFullAccess because I only want the users to be able to start/stop their own notebook instance and to open Jupyter in their instance.
So far the user role has the following permissions, among others:
...
{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "sagemaker:StopNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/OwnerRole": "${aws:userid}"
        }
    }
},
The policy does not have sagemaker:CreatePresignedDomainUrl, but it has sagemaker:CreatePresignedNotebookInstanceUrl. When a user with this policy clicks Open Jupyter in the AWS SageMaker console, it opens a URL https://xxxxxx.notebook.eu-north-1.sagemaker.aws/auth?authToken=xxxxx, but that URL returns:
403 Forbidden. Access to xxxxxx.notebook.eu-north-1.sagemaker.aws was denied. You don't have authorisation to view this page. HTTP ERROR 403
As soon as I added sagemaker:CreatePresignedDomainUrl for resource * the 403 error was gone and the user could open the Jupyter notebook.
My question is why that is needed, and what resource I should put instead of *. The documentation mentions arn:aws:sagemaker:regionXXX:account-idXXX:app/domain-id/userProfileNameXXXX/* but I do not have any domain or user profile.

The CreatePresignedDomainUrl statement allows the role to launch a SageMaker Studio app (hence the domain-id/user-profile ARN). Opening a SageMaker notebook instance does not need the presigned domain URL permission.
You'll need to make sure you're tagging the notebook with an OwnerRole key, with value = userid (not username). In addition, you'll need to use the sagemaker:ResourceTag condition key (instead of aws:ResourceTag).
See the service authorization page for a complete list of actions and condition keys.
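As an added illustration (not code from the question or the answer), a small Python checker that flags the two points the answer raises against the asker's statement and produces a corrected copy. It copies the statement from the question as a dict and assumes the answer's guidance: the condition key must be sagemaker:ResourceTag, the tag value must be the user id, and CreatePresignedDomainUrl is only needed for Studio apps.

```python
import copy
import json

# The statement from the question, copied here as a dict (the "..." context is omitted).
ORIGINAL_STATEMENT = {
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "sagemaker:StopNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
    ],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/OwnerRole": "${aws:userid}"}},
}

# The Studio-only action the asker added on Resource "*" as a workaround; per the
# answer it is not needed to open Jupyter on a notebook instance.
STUDIO_ONLY_ACTION = "sagemaker:CreatePresignedDomainUrl"


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def lint_statement(stmt):
    """Return findings; an empty list means the statement follows the answer's guidance."""
    findings = []
    if STUDIO_ONLY_ACTION in _actions(stmt):
        findings.append(f"{STUDIO_ONLY_ACTION} only launches Studio apps; drop it for notebook-instance users")
    for keys in stmt.get("Condition", {}).values():
        for key, value in keys.items():
            if key.startswith("aws:ResourceTag/"):
                findings.append(f"use sagemaker:{key[4:]} instead of {key}")
            if key.endswith("/OwnerRole") and value != "${aws:userid}":
                findings.append("OwnerRole must be compared with ${aws:userid} (tag holds the user id, not the user name)")
    return findings


def fix_statement(stmt):
    """Return a corrected copy: sagemaker:ResourceTag condition key, Studio-only action removed."""
    fixed = copy.deepcopy(stmt)
    fixed["Action"] = [a for a in _actions(stmt) if a != STUDIO_ONLY_ACTION]
    for keys in fixed.get("Condition", {}).values():
        for key in list(keys):
            if key.startswith("aws:ResourceTag/"):
                keys["sagemaker:" + key[4:]] = keys.pop(key)
    return fixed


if __name__ == "__main__":
    print(lint_statement(ORIGINAL_STATEMENT))
    print(json.dumps(fix_statement(ORIGINAL_STATEMENT), indent=2))
```

The notebook instance itself still has to carry the tag OwnerRole=<user id> for the condition to match; the checker only covers the policy side.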

Related

Microsoft Graph API - Upload large file - Azure AD App with Sites.selected permission

I have registered an application on our Azure AD, and granted it the Sites.Selected permission as well as granting it access to a specific Sharepoint site following this guide. (Sites.ReadWrite.All is not an option as it would give access to all sites)
https://ashiqf.com/2021/03/15/how-to-use-microsoft-graph-sharepoint-sites-selected-application-permission-in-a-azure-ad-application-for-more-granular-control/
Now I am trying to use Postman to send web requests to the Microsoft Graph API in order to upload large files so I want to use the createUploadSession endpoint.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
But I get the error:
{
    "error": {
        "code": "notAllowed",
        "message": "Operation not allowed",
        "innerError": {
            "date": "2022-02-04T14:04:37",
            "request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f",
            "client-request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f"
        }
    }
}
I know the authentication token I use is valid because a request to directly upload a file works fine and uploads the file.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/content
Any ideas for what could be wrong with my request to start an upload session?
I suppose that item_id is the id of the destination folder, but I'm not sure whether you can upload large files this way:
v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
Try to specify the path to the file from the root
POST v1.0/sites/{{site_id}}/drive/items/root:/test.rtf:/createUploadSession
Also check whether the POST HTTP method is set.

Create Microsoft teams meeting through API

In Azure Active Directory I've registered a new app and given it the Read and create online meetings permissions. I've granted admin consent for the permission and now I'm trying to create a meeting through the command line.
I generated a client secret for the app.
Then I'm requesting an access token using my tenant GUID, the client ID of the app and the client secret I generated. This gives me back a JWT. When I decode the JWT, amongst the roles I can see "OnlineMeetings.ReadWrite.All", which gives me hope that I can actually create meetings using this bearer token.
I then send a POST request to https://graph.microsoft.com/v1.0/users/<my-user-guid>/onlineMeetings
with the following body:
{
    "startDateTime": "2021-03-16T14:33:30.8546353-07:00",
    "endDateTime": "2021-03-16T15:03:30.8566356-07:00",
    "subject": "Application Token Meeting",
    "participants": {
        "organizer": {
            "identity": {
                "user": {
                    "id": "<my-user-guid>"
                }
            }
        }
    }
}
and the response comes back with
"code": "Forbidden",
"message": "Application does not have permission to Create online meeting on behalf of this user.",
Am I missing something?
Edit:
As some of the comments have suggested, I should create an application access policy. So I'm following the documentation, which asks me to connect using admin credentials.
When I run Connect-MicrosoftTeams -Credential $userCredential with my account it fails with the following error:
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed
Connect-MicrosoftTeams: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: : Unknown error
But this is what is confusing me. I don't really know if I'm trying to login with the correct account. I'm using my personal account on azure which is (afaik) not a business account with skype for business.
I'm running the commands to log in on the azure portal's PowerShell interface. Am I supposed to run this on my local machine instead?
I think I'm not fully understanding what all of the moving parts are that need configuration.
Can I add those application Access Policies in the azure portal interface somewhere?
According to the api documentation, make sure you grant the OnlineMeetings.ReadWrite.All application permission to the application. Then you need to use the client credential flow to obtain an access token.
Please note that when you create an online meeting with an application token, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).

Logic apps ARM deployment fails for API connections using OAuth that already exist and are connected

Recently I'm getting errors when deploying logic apps using ARM templates. I get the errors for certain API connections that are used by the logic apps. The error I receive is:
Input parameters are invalid. See details for more information. Details:errorCode: ParameterNotDefined. Message: Parameter '$connectionCreator' is not allowed on the connection since it was not defined as a connection parameter when the API was registered.
I only get these errors for existing and authenticated connections of type dynamicscrmonline and azureeventgrid. As long as the connection doesn't exist or isn't yet authenticated, the deployment succeeds. It appears to be happening only with API connections that use OAuth. This used to work in the past and I'm not sure what changed.
This is an example of a connection that gives me the error:
{
    "type": "MICROSOFT.WEB/CONNECTIONS",
    "apiVersion": "2016-06-01",
    "name": "[parameters('dynamicscrmonline_1_Connection_Name')]",
    "location": "westeurope",
    "properties": {
        "api": {
            "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', 'westeurope', '/managedApis/', 'dynamicscrmonline')]"
        },
        "displayName": "[parameters('dynamicscrmonline_1_Connection_DisplayName')]"
    }
},
I had the same error with the Azure AD API and SendGrid.
Try to delete the existing API connections associated with your existing Logic App and then redeploy.
It works for me.

Microsoft Graph, Registering a Schema Extension

I'm building an internal meeting room app that uses the Microsoft Graph API and I would like to extend Event objects with a Schema Extension.
Documentation:
API Reference
Tutorial Example
However when running a query to register a new schema extension, I am receiving this HTTP response:
{
    "url": "https://graph.microsoft.com/beta/schemaExtensions",
    "status": "403 Forbidden",
    "headers": {
        "request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
        "client-request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
        "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"North Europe\",\"Slice\":\"SliceA\",\"ScaleUnit\":\"001\",\"Host\":\"AGSFE_IN_2\",\"ADSiteName\":\"DUB\"}}",
        "duration": "742.4624"
    },
    "body": {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
                "date": "2017-05-10T10:05:37"
            }
        }
    }
}
I can confirm that my application has the prerequisite scope permission of Directory.AccessAsUser.All and it's also been more than 16 hours since adding this permission. I have also got verified domains, so the namespace should be OK per the documentation reference.
My API query in code:
Outlook.test({
    version: 'beta',
    resource: 'schemaExtensions',
    method: 'POST',
    body: {
        id: 'thehivegroup_beethere',
        description: 'Extension for event presence status',
        targetTypes: [ 'Event' ],
        properties: [
            { name: 'checkIn', type: 'String' },
            { name: 'checkOut', type: 'String' }
        ]
    }
})
.then(result => console.log(result), err => console.error(err))
This results in a POST with the JSON encoded in the body, and headers with the authorization token, to the URL https://graph.microsoft.com/beta/schemaExtensions.
I have tried different IDs, such as beethere, which resulted in a namespace error, so I know this ought to be working fine.
There are no other scope permissions I am aware of that I need to enable here as well. The error is just too vague for me to figure out what privileges are insufficient here.
EDIT: I have manually run the query in the Graph Explorer as an admin in the tenant, and added the scope permissions required for the API and some extra ones just in case, but the query for registration of schema extensions still does not work, with the same error message as the application receives. So it is definitely not a problem in my code, but in the Microsoft Graph API. Is there a contact or a way to ask Microsoft to look into the issue?
Directory.AccessAsUser.All is a delegated permission only (it must be delegated because it grants access to directory-based APIs with the signed-in user's access rights). It doesn't show up in the roles claim because it isn't an application permission.
As far as I know, right now you cannot use the application flow (client credentials) to create a schema extension, and you need to use the "code authorization" flow. Please let us know if this is a requirement. Additionally, we'd love to know if you want to see an experience for schema definition registration as part of the application registration...
Also, you CANNOT currently create a schema extension definition (or manage it) through Graph Explorer. For you to create a definition, you must either be an admin or the owner of the app creating the extension definition, AND the creation request must also come from that application (which cannot be Graph Explorer). We may look at relaxing this last constraint.
If you want to see a code snippet for this it's available here (although it's a UWP c# app, not JS): https://github.com/microsoftgraph/uwp-csharp-snippets-rest-sample.
Also, schema extensions are now GA and available in the v1.0 endpoint.
Hope this helps,
Graph Explorer is able to add an extension.
You will need to create an app in your tenant and set the owner in the payload to the client id of your app.
more on this
This schema extension creation REST call works well for me. Please ensure that the token contains the Directory.AccessAsUser.All permission. You can parse the token and check the scp claim in it on this site.

App Engine Admin API Error - The "appengine.applications.create" permission is required

We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. The request for a token was successful, as you can see above, and the scope is OK as well. Now, when we post the request to create the application, we get the error that says the "appengine.applications.create" permission is required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Did we miss sending a field in the JSON or in the query?
As per the link below, we just need to pass the JSON containing the id and location. We also just need to pass the token in the Authorization header. I have used the same logic successfully in accessing the YouTube, Drive APIs etc., so I'm not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(By the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. Check it out! This is likely the solution you need!)