I am trying to configure SNS to automate Snowpipe using SQS notifications. As per the Snowflake document, I am adding the policy below (marked in bold) to the existing SNS topic access policy, but it's not being accepted; I am getting an error. Any clue what is wrong here?
(Couldn't set topic access policy.
Error code: InvalidParameter - Error message: An error occurred while setting the attribute access policy. Invalid parameter: Policy Error: null)
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      {
        **"Sid":"1",
        "Effect":"Allow",
        "Principal":{
          "AWS":"arn:aws:iam::1234567890:user/sns”-topic-iam-arn
        },
        "Action":[
          "sns:Subscribe"
        ],
        "Resource":[
          "arn:aws:sns:us-east-1:9876543210:s3_bucket”
        ]**
      },
      "Action": "SNS:Publish",
      "Resource": " "arn:aws:sns:us-east-1:9876543210:s3_bucket",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": “99988877760”
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:s3_bucket_name"
        }
      }
    }
  ]
}
Please use this bucket policy and change the ARN of the bucket and SNS topic:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:721702575972:topic1",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "721702575972"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::mlpoiuy"
        }
      }
    }
  ]
}
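As an added example (not from the question or the answer above), a small Python check a practitioner can run on a topic access policy before pasting it into the console: it parses the document, which is where the question's policy already fails, and then flags any Allow statement with Principal "*" that has no Condition or that hands out topic-administration actions. The three policy texts are constructed here: the first approximates the question's policy as posted, the second is the answer's policy, and the third is a tighter variant that uses a service principal for S3 and an assumed placeholder IAM user ARN for the subscriber.

```python
import json

# Constructed approximation of the policy from the question above: the extra
# statement was pasted inside the first statement's "Principal" object and the
# ARNs carry typographic quotes, so the document is not valid JSON at all.
QUESTION_POLICY = """{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      {
        "Sid": "1",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::1234567890:user/sns\u201d-topic-iam-arn" },
        "Action": ["sns:Subscribe"],
        "Resource": ["arn:aws:sns:us-east-1:9876543210:s3_bucket\u201d"]
      },
      "Action": "SNS:Publish",
      "Resource": " "arn:aws:sns:us-east-1:9876543210:s3_bucket"
    }
  ]
}"""

# The policy given in the answer above (valid JSON, Principal "*" under conditions).
ANSWER_POLICY = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "__default_statement_ID",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:AddPermission",
               "SNS:RemovePermission", "SNS:DeleteTopic", "SNS:Subscribe",
               "SNS:ListSubscriptionsByTopic", "SNS:Publish"],
    "Resource": "arn:aws:sns:us-east-1:721702575972:topic1",
    "Condition": {
      "StringEquals": { "AWS:SourceOwner": "721702575972" },
      "ArnLike": { "AWS:SourceArn": "arn:aws:s3:::mlpoiuy" }
    }
  }]
}"""

# Constructed tighter variant: only S3, acting for the named bucket in the owning
# account, may publish, and a single IAM user (placeholder ARN) may subscribe.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "s3-publish",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:721702575972:topic1",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "721702575972" },
        "ArnLike": { "aws:SourceArn": "arn:aws:s3:::mlpoiuy" }
      }
    },
    {
      "Sid": "pipe-subscribe",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::721702575972:user/PLACEHOLDER_USER" },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-east-1:721702575972:topic1"
    }
  ]
}"""

# Actions that let a caller change or delete the topic itself (compared lower-case).
ADMIN_ACTIONS = {"sns:settopicattributes", "sns:addpermission", "sns:removepermission",
                 "sns:deletetopic", "sns:*", "*"}


def lint_topic_policy(policy_text):
    """Return a list of findings; an empty list means the text parsed and nothing was flagged."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg} (line {err.lineno}, column {err.colno})"]
    findings = []
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for i, st in enumerate(statements):
        missing = [k for k in ("Effect", "Principal", "Action", "Resource") if k not in st]
        if missing:
            findings.append(f"statement {i}: missing {', '.join(missing)}")
            continue
        principal = st["Principal"]
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st["Effect"] != "Allow" or not anyone:
            continue
        if "Condition" not in st:
            findings.append(f"statement {i}: Principal * with no Condition makes the topic public")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        admin = sorted(a for a in actions if a.lower() in ADMIN_ACTIONS)
        if admin:
            findings.append(f"statement {i}: Principal * is granted {', '.join(admin)}; "
                            "confirm the Condition keys are what restrict it")
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, lint_topic_policy(text) or "ok")
```

The parse error is the same class of failure the console reports as "Policy Error: null"; running the check locally gives the line and column instead.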
I'm trying to read a private audio file from the S3 bucket, but it returns a URL that contains AccessDenied.
It works for public files but doesn't work for private files.
Putting file objects into the private directory is working as intended. Key of the object:
private/us-east-1:9412b20a-ff34-4c7d-af47-5d7abf992468/BetterNotePrivate-424bbb39-eee2-4ac0-b46c-d338ec0be225
return await Storage.get(key, {
  bucket,
  region,
  level: "private",
});
But reading the file from the private directory returns "AccessDenied" (shown in the pic).
Bucket Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::xxxxxxxxxxxxxxxxxxxxxxxxxxx-staging/public/*",
        "arn:aws:s3:::xxxxxxxxxxxxxxxxxxxxxxxxxxx-staging/private/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
Permissions for guest and authenticated users:
{
  "bucketName": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "selectedGuestPermissions": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "selectedAuthenticatedPermissions": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:DeleteObject"
  ],
  "unauthRoleName": {
    "Ref": "UnauthRoleName"
  },
  "authRoleName": {
    "Ref": "AuthRoleName"
  },
  "s3PrivatePolicy": "Private_policy_50639d04",
  "s3ProtectedPolicy": "Protected_policy_50639d04",
  "s3PublicPolicy": "Public_policy_50639d04",
  "s3ReadPolicy": "read_policy_50639d04",
  "s3UploadsPolicy": "Uploads_policy_50639d04",
  "authPolicyName": "s3_amplify_50639d04",
  "unauthPolicyName": "s3_amplify_50639d04",
  "AuthenticatedAllowList": "ALLOW",
  "GuestAllowList": "ALLOW",
  "s3PermissionsAuthenticatedPrivate": "s3:PutObject,s3:GetObject,s3:DeleteObject",
  "s3PermissionsAuthenticatedProtected": "s3:PutObject,s3:GetObject,s3:DeleteObject",
  "s3PermissionsAuthenticatedPublic": "s3:PutObject,s3:GetObject,s3:DeleteObject",
  "s3PermissionsAuthenticatedUploads": "s3:PutObject",
  "s3PermissionsGuestPublic": "s3:GetObject",
  "s3PermissionsGuestUploads": "DISALLOW"
}
Edit
The problem might lie in SSR. I was fetching the resource from S3 in SSR, which returned an AccessDenied URL.
So I moved the fetch into useEffect, and it's now working as intended.
Cannot authenticate user in MS Teams bot.
The same works properly in "Test in Web Chat":
Domain added to the Teams manifest properly:
{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.15/MicrosoftTeams.schema.json",
  "version": "1.0.0",
  "manifestVersion": "1.15",
  "id": "a0d93a07-2f63-4569-a651-cf3761859b28",
  "packageName": "com.package.name",
  "name": {
    "short": "NewTest",
    "full": ""
  },
  "developer": {
    "name": "KUKA",
    "mpnId": "",
    "websiteUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_about.html",
    "privacyUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_priv.html",
    "termsOfUseUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_terms.html"
  },
  "description": {
    "short": "CS Logistics TEST app",
    "full": "test app for CS Logistics"
  },
  "icons": {
    "outline": "outline.png",
    "color": "color.png"
  },
  "accentColor": "#FFFFFF",
  "staticTabs": [
    {
      "entityId": "conversations",
      "scopes": [
        "personal"
      ]
    },
    {
      "entityId": "about",
      "scopes": [
        "personal"
      ]
    }
  ],
  "bots": [
    {
      "botId": "99e82921-96c9-4ec1-83ab-bd05382abc96",
      "scopes": [
        "personal"
      ],
      "isNotificationOnly": false,
      "supportsCalling": false,
      "supportsVideo": false,
      "supportsFiles": true
    }
  ],
  "validDomains": [
    "token.botframework.com"
  ],
  "webApplicationInfo": {
    "id": "1e04e5cd-88e1-4522-984d-2bba5e2d37eb",
    "resource": "https://graph.microsoft.com/"
  }
}
Also recreated the App Service and Azure Bot in Azure, and set up a new Teams app with the new manifest version via the Developer Portal.
Installed the Teams app directly just for myself, as a personal app.
App registration redirect URIs:
Also the app registration works fine for other chatbots in our domain. Why not for this one?
Actually, the only thing that needed to be changed was to add this line to the error-handler adapter in the bot code:
base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));
Add code to handle an access token, and also add the method OnTeamsSigninVerifyStateAsync to the bot, as in the sso-quickstart sample.
I am making a chatbot in a React application. I have used the react-lex-plus npm package.
In the LexChat component, I have entered my bot alias. I have created a new identity pool ID.
But after running it locally, I am getting:
AccessDeniedException: User: arn:aws:sts::myAccountId:assumed-role/Cognito_LiveAssistanceBotIdUnauth_Role/CognitoIdentityCredentials is not authorized to perform: lex:PostText on resource: arn:aws:lex:us-east-1:myAccountIdbot:LiveAssistanceBot:$LATEST because no identity-based policy allows the lex:PostText action
I don't know where to update the identity-based policy. I am also trying to set up a resource-based policy for the Lex bot:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LiveAssitanceBotId",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cognito-identity.amazonaws.com"
        ]
      },
      "Action": [
        "lex:RecognizeText",
        "lex:StartConversation"
      ],
      "Resource": [
        "arn:aws:lex:us-east-1:myAccountID_:bot-alias/1AUEAAP4MW/9F7RMYLBSU"
      ],
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "myAccountId_"
        },
        "ArnEquals": {
          "AWS:SourceArn": "arn:aws:cognito-identity:us-east-1:myAccountId_:identitypool/us-east-1:d4a81595-0381-4fbb-ab20-9b76e4143ca1"
        }
      }
    }
  ]
}
after which I am getting an Internal Error while creating the policy.
You need to add the lex:PostText capability to the Action section of your policy.
Below is an extract from one of my existing permission policies:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lex:PostContent",
        "lex:PostText",
        "lex:PutSession",
        "lex:GetSession",
        "lex:DeleteSession",
        "lex:RecognizeText",
        "lex:RecognizeUtterance",
        "lex:StartConversation"
      ],
      "Resource": "*"
    }
  ]
}
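Both the Amplify private-prefix question earlier on this page and the Lex question above come down to the same test: does an identity-based policy allow a given action on a given resource once its policy variables are resolved? The following added Python example (not code from either poster) implements a minimal evaluator for that test and applies it to both cases. The bucket name, account id, bot ARN and error message are constructed placeholders; real IAM evaluation also weighs conditions, permission boundaries and resource policies, which this deliberately leaves out.

```python
import re


def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, variables):
    """Resolve ${...} policy variables; an unknown variable is left as written and so never matches."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), text)


def is_allowed(policy, action, resource, variables=None):
    """Evaluate one identity-based policy: an explicit Deny wins, otherwise any matching Allow grants."""
    variables = variables or {}
    allowed = False
    for st in _as_list(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        resources = [_substitute(r, variables) for r in _as_list(st.get("Resource", []))]
        if not any(_iam_match(a.lower(), action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in resources):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


# --- Amplify private prefix (constructed bucket name, same shape as the bucket policy above) ---
BUCKET = "arn:aws:s3:::example-staging"
PRIVATE_PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [
            BUCKET + "/public/*",
            BUCKET + "/private/${cognito-identity.amazonaws.com:sub}/*",
        ],
    }],
}


def private_object_access(identity_id, key):
    """Can Cognito identity `identity_id` read `key`? None models a request that carries
    no Cognito identity at all, which is what the SSR fetch in the question amounted to."""
    variables = {"cognito-identity.amazonaws.com:sub": identity_id} if identity_id else {}
    return is_allowed(PRIVATE_PREFIX_POLICY, "s3:GetObject", f"{BUCKET}/{key}", variables)


# --- Lex unauthenticated role (constructed account id and bot ARN) ---
LEX_BOT = "arn:aws:lex:us-east-1:111122223333:bot:LiveAssistanceBot:$LATEST"
CHAT_ACTIONS = ["lex:PostText", "lex:PostContent", "lex:RecognizeText", "lex:StartConversation"]
ROLE_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lex:RecognizeText", "lex:StartConversation"], "Resource": LEX_BOT}]}
ROLE_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CHAT_ACTIONS, "Resource": LEX_BOT}]}

DENIED_RE = re.compile(r"is not authorized to perform: (\S+) on resource: (\S+)")


def parse_access_denied(message):
    """Pull (action, resource) out of an AccessDeniedException message."""
    m = DENIED_RE.search(message)
    return (m.group(1), m.group(2)) if m else None


def missing_actions(policy, actions, resource):
    """Which of `actions` does `policy` not allow on `resource`?"""
    return [a for a in actions if not is_allowed(policy, a, resource)]


# Constructed error message in the shape of the one quoted in the question.
SAMPLE_ERROR = ("AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/"
                "Cognito_Unauth_Role/CognitoIdentityCredentials is not authorized to perform: "
                f"lex:PostText on resource: {LEX_BOT} because no identity-based policy allows "
                "the lex:PostText action")

if __name__ == "__main__":
    print(private_object_access("us-east-1:aaaa", "private/us-east-1:bbbb/note.mp3"))  # False
    action, resource = parse_access_denied(SAMPLE_ERROR)
    print(missing_actions(ROLE_POLICY_BEFORE, [action], resource))  # ['lex:PostText']
```

Two things the evaluator makes visible: the per-identity prefix only isolates users because the variable is substituted from the caller's credentials, so a call with no Cognito identity matches nothing, and the identity-based policy attached to the unauthenticated role (not the bot's resource policy) is what must name lex:PostText for the react-lex-plus call to succeed.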
I referred to this documentation to make a POST request.
Below is the error while making a POST request to create a conditional access policy:
{
  "message": "There was an internal server error while processing the request. Error ID: 2dbb1530-4ce6-44f5-9c63-08de28d7218a",
  "innerError": {
    "request-id": "2dbb1530-4ce6-44f5-9c63-08de28d7218a"
  }
}
Payload being passed with the request is below:
{
  "displayName": "Test Policy",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["modern", "browser"],
    "applications": {
      "includeApplications": ["None"]
    },
    "users": {
      "includeUsers": [
        "08290005-23ba-46b4-a377-b381d651a2fb"
      ]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["approvedApplication"]
  }
}
I've tried using this endpoint to get a policy:
https://graph.microsoft.com/beta/{tenant_id}/conditionalAccess/policies
This successfully returns an existing policy. However, the above POST request is not working.
The "approvedApplication" requirement only supports iOS and Android for the device platform condition. See details here.
You need to add "includePlatforms" with iOS and android to the JSON body:
{
  "displayName": "Test Policy",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["modern", "browser"],
    "applications": {
      "includeApplications": ["None"]
    },
    "users": {
      "includeUsers": [
        "08290005-23ba-46b4-a377-b381d651a2fb"
      ]
    },
    "platforms": {
      "includePlatforms": [
        "iOS", "android"
      ]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["approvedApplication"]
  }
}
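As an added example (not code from the question or the answer), a Python pre-flight check that applies the rule from the answer before the POST is made: if approvedApplication is among the grant controls, the platform condition must list iOS and/or android, and the required users condition must not be empty. The endpoint form is the one used in the question; the tenant id, bearer token and user id are placeholders, and the request is built but never sent.

```python
import json
from urllib.request import Request

# Platforms the approvedApplication grant control supports, per the answer above (compared lower-case).
APPROVED_APP_PLATFORMS = {"ios", "android"}


def validate_ca_policy(policy):
    """Return a list of problems with a conditionalAccessPolicy payload; empty means it passed these checks."""
    problems = []
    for key in ("displayName", "state", "conditions", "grantControls"):
        if key not in policy:
            problems.append(f"missing top-level field {key!r}")
    conditions = policy.get("conditions", {})
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    if "approvedApplication" in controls:
        platforms = conditions.get("platforms", {}).get("includePlatforms", [])
        if not platforms:
            problems.append("approvedApplication requires conditions.platforms.includePlatforms (iOS/android)")
        else:
            bad = [p for p in platforms if p.lower() not in APPROVED_APP_PLATFORMS]
            if bad:
                problems.append(f"approvedApplication does not support platforms: {', '.join(bad)}")
    if not conditions.get("users", {}).get("includeUsers"):
        problems.append("conditions.users.includeUsers is empty; the users condition is required")
    return problems


def with_platforms(policy, platforms=("iOS", "android")):
    """Return a deep copy of `policy` with the platform condition the answer adds."""
    fixed = json.loads(json.dumps(policy))
    fixed.setdefault("conditions", {})["platforms"] = {"includePlatforms": list(platforms)}
    return fixed


def build_create_request(tenant_id, access_token, policy):
    """Build (do not send) the POST from the question; raises before any network call if the payload is invalid."""
    problems = validate_ca_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"https://graph.microsoft.com/beta/{tenant_id}/conditionalAccess/policies"
    return Request(url, data=json.dumps(policy).encode("utf-8"),
                   headers={"Authorization": f"Bearer {access_token}",
                            "Content-Type": "application/json"},
                   method="POST")


# Constructed payload matching the failing request above (placeholder user id).
FAILING_POLICY = {
    "displayName": "Test Policy",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["modern", "browser"],
        "applications": {"includeApplications": ["None"]},
        "users": {"includeUsers": ["00000000-0000-0000-0000-000000000001"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]},
}

if __name__ == "__main__":
    print(validate_ca_policy(FAILING_POLICY))
    print(validate_ca_policy(with_platforms(FAILING_POLICY)))  # []
```

Catching the mismatch client-side matters here because Graph answers this particular mistake with a generic internal server error rather than a validation message, so the request id in the response is the only clue the service gives.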
I am working on setting up my site's authentication settings to use the AAD provider. Most of the template is respected. However, unauthenticatedClientAction and allowedAudiences are not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation; if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
Here is my template segment for these settings. It is nested under resources in my website template:
root > Microsoft.Web/Site > Resources
{
  "type": "config",
  "name": "web",
  "apiVersion": "2016-08-01",
  "location": "[parameters('app-location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
  ],
  "properties": {
    "siteAuthEnabled": true,
    "siteAuthSettings": {
      "enabled": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "tokenStoreEnabled": true,
      "defaultProvider": "AzureActiveDirectory",
      "clientId": "[parameters('web-aad-client-id')]",
      "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
      "allowedAudiences": [
        "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
      ]
    }
  }
}
The template validates, and the deployment does not output any errors.
Issues:
unauthenticatedClientAction is assigned 'allow anonymous', not RedirectToLoginPage.
allowedAudiences is not assigned any sites.
What could be causing these issues? What could I have missed?
I got my answer after working with the fine people at Azure Support.
Please note that this solution targets API 2018-02-01, which was the current version at the time of this post.
This sub-resource is no longer a valid solution; while the endpoint may still recognize some of its fields, it is deprecated.
The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/sites' properties; siteAuthEnabled is no longer needed, as siteAuthSettings.enabled duplicates this functionality.
Updated ARM template (other settings removed for brevity):
{
  "name": "[variables('app-service-name')]",
  "type": "Microsoft.Web/sites",
  "location": "[parameters('app-location')]",
  "apiVersion": "2016-08-01",
  "dependsOn": [
    "[variables('app-plan-name')]"
  ],
  "properties": {
    //... other app service settings
    "siteAuthSettings": {
      "enabled": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "tokenStoreEnabled": true,
      "defaultProvider": "AzureActiveDirectory",
      "clientId": "[parameters('web-aad-client-id')]",
      "issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
      "allowedAudiences": [
        "[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
      ]
    }
  }
}
As suggested by #Michael, the siteAuthSettings object must be added to the siteConfig object, not just under the root properties object:
{
  "apiVersion": "2019-08-01",
  "name": "[variables('webAppName')]",
  "type": "Microsoft.Web/sites",
  "kind": "app",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
  ],
  "properties": {
    ...
    "siteConfig": {
      "siteAuthSettings": {
        "enabled": true,
        "unauthenticatedClientAction": "RedirectToLoginPage",
        "tokenStoreEnabled": true,
        "defaultProvider": "AzureActiveDirectory",
        "clientId": "[parameters('clientId')]",
        "issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
      }
    }
  }
}
The other solutions given only apply when using the classic authentication experience (Authentication (Classic)). If you would like to use the new authentication experience, use the configuration below:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "2019-08-01",
      "name": "[variables('webAppName')]",
      "type": "Microsoft.Web/sites",
      "kind": "app",
      "location": "[resourceGroup().location]",
      "resources": [
        {
          "type": "config",
          "apiVersion": "2020-12-01",
          "name": "authsettingsV2",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[concat('Microsoft.Web/sites/', variables('webAppName'))]"
          ],
          "properties": {
            "platform": {
              "enabled": true,
              "runtimeVersion": "~1"
            },
            "identityProviders": {
              "azureActiveDirectory": {
                "isAutoProvisioned": false,
                "registration": {
                  "clientId": "[parameters('clientId')]",
                  "clientSecret": "[variables('clientSecret')]",
                  "openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
                },
                "validation": {
                  "allowedAudiences": [
                    "https://management.core.windows.net/"
                  ]
                }
              }
            },
            "login": {
              "routes": {},
              "tokenStore": {
                "enabled": true,
                "tokenRefreshExtensionHours": 72,
                "fileSystem": {},
                "azureBlobStorage": {}
              },
              "preserveUrlFragmentsForLogins": false,
              "allowedExternalRedirectUrls": [],
              "cookieExpiration": {
                "convention": "FixedTime",
                "timeToExpiration": "08:00:00"
              },
              "nonce": {
                "validateNonce": true,
                "nonceExpirationInterval": "00:05:00"
              }
            },
            "globalValidation": {
              "redirectToProvider": "azureactivedirectory",
              "unauthenticatedClientAction": "RedirectToLoginPage"
            },
            "httpSettings": {
              "requireHttps": true,
              "routes": {
                "apiPrefix": "/.auth"
              },
              "forwardProxy": {
                "convention": "NoProxy"
              }
            }
          }
        }
      ]
    }
  ]
}
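Pulling the three answers together, here is an added Python audit (not from any of the posters) that walks an ARM template and reports where App Service authentication is configured and whether it matches what the answers describe: siteAuthSettings in the config/web sub-resource is deprecated, siteAuthSettings belongs under properties.siteConfig in the classic experience, and an authsettingsV2 sub-resource should enable the platform, redirect unauthenticated clients, require HTTPS and name an allowed audience. The templates at the bottom are constructed minimal fixtures, not the posters' templates, and the client id and audience values are placeholders.

```python
REQUIRED_ACTION = "RedirectToLoginPage"


def _walk(resources, parent=""):
    """Yield (full resource type, resource) for top-level and nested 'resources' entries.
    A nested entry may use the short type ("config") or the full one ("Microsoft.Web/sites/config")."""
    for res in resources or []:
        rtype = res.get("type", "")
        full = f"{parent}/{rtype}" if parent and "/" not in rtype else rtype
        yield full, res
        yield from _walk(res.get("resources"), full)


def _short_name(name):
    """Reduce 'web', 'site/web' or "[concat(variables('x'), '/web')]" to the last path segment."""
    return name.replace("')]", "").split("/")[-1].strip("'")


def _check_classic(auth, where):
    findings = []
    if not auth.get("enabled"):
        findings.append(f"{where}: enabled is not true")
    action = auth.get("unauthenticatedClientAction")
    if action != REQUIRED_ACTION:
        findings.append(f"{where}: unauthenticatedClientAction is {action!r}, expected {REQUIRED_ACTION!r}")
    return findings


def _check_v2(props):
    findings = []
    if not props.get("platform", {}).get("enabled"):
        findings.append("authsettingsV2: platform.enabled is not true")
    action = props.get("globalValidation", {}).get("unauthenticatedClientAction")
    if action != REQUIRED_ACTION:
        findings.append(f"authsettingsV2: globalValidation.unauthenticatedClientAction is {action!r}")
    if not props.get("httpSettings", {}).get("requireHttps", False):
        findings.append("authsettingsV2: httpSettings.requireHttps is not true")
    aad = props.get("identityProviders", {}).get("azureActiveDirectory", {})
    if not aad.get("validation", {}).get("allowedAudiences"):
        findings.append("authsettingsV2: azureActiveDirectory.validation.allowedAudiences is empty")
    return findings


def audit_site_auth(template):
    """Report each place the template configures App Service auth and what is wrong with it."""
    findings = []
    for full_type, res in _walk(template.get("resources")):
        props = res.get("properties", {})
        if full_type == "Microsoft.Web/sites":
            if "siteAuthSettings" in props:
                findings.append("Microsoft.Web/sites: siteAuthSettings sits directly under properties; "
                                "put it under properties.siteConfig")
            auth = props.get("siteConfig", {}).get("siteAuthSettings")
            if auth is not None:
                findings += _check_classic(auth, "siteConfig.siteAuthSettings")
        elif full_type == "Microsoft.Web/sites/config":
            name = _short_name(res.get("name", ""))
            if name == "web" and "siteAuthSettings" in props:
                findings.append("config/web: siteAuthSettings in this sub-resource is deprecated")
            elif name == "authsettingsV2":
                findings += _check_v2(props)
    return findings


def _site(extra_props=None, nested=None):
    """Constructed minimal Microsoft.Web/sites resource wrapped in a template."""
    res = {"type": "Microsoft.Web/sites", "name": "example-app", "properties": dict(extra_props or {})}
    if nested:
        res["resources"] = nested
    return {"resources": [res]}


CLASSIC_AUTH = {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage",
                "defaultProvider": "AzureActiveDirectory", "clientId": "PLACEHOLDER_CLIENT_ID"}

T_DEPRECATED = _site(nested=[{"type": "config", "name": "web",
                              "properties": {"siteAuthSettings": CLASSIC_AUTH}}])
T_ROOT_PROPS = _site({"siteAuthSettings": CLASSIC_AUTH})
T_SITECONFIG = _site({"siteConfig": {"siteAuthSettings": CLASSIC_AUTH}})
T_V2 = _site(nested=[{"type": "config", "name": "authsettingsV2", "properties": {
    "platform": {"enabled": True, "runtimeVersion": "~1"},
    "globalValidation": {"redirectToProvider": "azureactivedirectory",
                         "unauthenticatedClientAction": "RedirectToLoginPage"},
    "httpSettings": {"requireHttps": True},
    "identityProviders": {"azureActiveDirectory": {
        "validation": {"allowedAudiences": ["api://PLACEHOLDER_CLIENT_ID"]}}},
}}])

if __name__ == "__main__":
    for label, tpl in (("deprecated", T_DEPRECATED), ("root", T_ROOT_PROPS),
                       ("siteConfig", T_SITECONFIG), ("v2", T_V2)):
        print(label, audit_site_auth(tpl) or "ok")
```

Because the deployment in the question succeeded silently, a check like this run against the template in CI is the only place the misplaced block would have been caught before the site went live with anonymous access allowed.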