AWS IoT limitation, Maximum number of policies that can be attached to a certificate or Amazon - aws-iot

If I have many devices and Cognito accounts that use the devices' topics, with m devices to n Cognito accounts.
The policy limitations are the maximum policy document size and the maximum number of policies that can be attached.
For example:
There are 2 devices and 2 users.
For the current design:
Device policy -> data/${client_id}
Cognito users both need to attach policies -> data/${device_client_id1} and data/${device_client_id2}
(The policy limit means this doesn't work when the number of devices is too large.)
Is there some method I can use to reference an array variable in the policy from Cognito, such as IoT thing attributes with an array type, or references from another storage service?

Related

Snowflake network user-level policy

I'd like to create network policies in Snowflake with this design:
1. A user called loader can access from some unique 5 IPs
2. A user called transformer can access from some other unique 5 IPs
3. All other users can access from any IP, i.e. no network policy
From the Snowflake docs and the approach described there, it seems I can only add an account-level policy, which is then used for specific users as needed.
Can I create user-level network policies directly for 1 and 2 only, and leave out 3 in some way?
Please check the following page:
https://docs.snowflake.com/en/user-guide/network-policies.html#managing-user-level-network-policies
To activate a network policy for an individual user, set the NETWORK_POLICY parameter for the user using ALTER USER.
https://docs.snowflake.com/en/sql-reference/parameters.html#label-network-policy

How to set up an HTTPS site on Google Cloud Storage

I've got several sites set up on GCS, but currently they are getting the "Not Secure" badge when someone browses them. I'd like to set them up with a load balancer and Google-managed certificates so they don't get flagged by the browser. Here is the structure of the sites (not the real domains or hosts):
flintstones.com
www.flintstones.com (alias for flintstones.com)
fred.flintstones.com (completely separate site, currently in its own storage bucket)
barney.flintstones.com (completely separate site in its own storage bucket)
Can I have just one load balancer for all of these, or do I need a separate LB for each? I know I can put all of these on one Google-managed certificate, but I'm not sure it's a good idea. I tried that and the cert was forever in "PROVISIONING" status. If I put them in one certificate, do they all need to have the A record point to the load balancer before the cert will be provisioned? Long and short of it is that I can never seem to get a cert that isn't in "PROVISIONING" status.
Thanks for your help!
Can I have just one load balancer for all of these, or do I need a separate LB for each?
Yes, you can have one LB, with one IP address, and each domain configured to point to that IP address (by CNAME or A/AAAA record). The URL Map for the LB should then dispatch different paths to different backend buckets with host rules.
I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea.
This is up to you, both can work. Some factors to consider:
There is a limit of 100 domains on each SSL certificate
There is a limit of 15 certificates on each targetHTTPSProxy
If you use one certificate with multiple domains, a user visiting one of those domains can get a list of other domains on the certificate. If you use separate certificates, that is not the case.
It is a simpler config to have one certificate
Separate certificates are safer/easier if you need to change domains frequently.
If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned?
Google will only provision a certificate if the domains requested point to your Load Balancer. So you do need to set up the DNS records for all the domains.
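As an added example (not code from the original answer or from Google), the single-load-balancer layout described above for the four hosts, expressed as the Compute Engine UrlMap body with one host rule per backend bucket, plus a pre-flight check against the two limits the answer states and against hosts that no certificate covers. Project and bucket names are constructed placeholders.

```python
# Added example: one HTTPS load balancer, several backend buckets, host-based
# dispatch, and a check against the limits stated in the answer.
from dataclasses import dataclass, field

MAX_DOMAINS_PER_CERT = 100   # per managed SSL certificate (from the answer)
MAX_CERTS_PER_PROXY = 15     # per targetHttpsProxy (from the answer)

@dataclass
class LbPlan:
    host_to_bucket: dict              # served host -> backend bucket name
    certs: list = field(default_factory=list)   # each cert = list of domains

def url_map(plan, project="example-project"):
    """UrlMap resource: hostRules send each host to a pathMatcher whose
    defaultService is that host's backend bucket (project is a placeholder)."""
    def bucket_url(name):
        return (f"https://www.googleapis.com/compute/v1/projects/{project}"
                f"/global/backendBuckets/{name}")
    matchers = {}
    for host, bucket in plan.host_to_bucket.items():
        matchers.setdefault(bucket, []).append(host)   # www alias shares apex bucket
    first = next(iter(matchers))
    return {
        "name": "sites-map",
        "defaultService": bucket_url(first),
        "hostRules": [{"hosts": hosts, "pathMatcher": f"pm-{b}"}
                      for b, hosts in matchers.items()],
        "pathMatchers": [{"name": f"pm-{b}", "defaultService": bucket_url(b)}
                         for b in matchers],
    }

def check(plan):
    """Problems to fix before applying: a served host with no certificate
    (browser warning), too many domains per cert, too many certs per proxy."""
    problems = []
    covered = {d for cert in plan.certs for d in cert}
    for host in plan.host_to_bucket:
        if host not in covered:
            problems.append(f"{host}: not on any certificate")
    for i, cert in enumerate(plan.certs):
        if len(cert) > MAX_DOMAINS_PER_CERT:
            problems.append(f"certificate {i}: {len(cert)} domains > {MAX_DOMAINS_PER_CERT}")
    if len(plan.certs) > MAX_CERTS_PER_PROXY:
        problems.append(f"{len(plan.certs)} certificates > {MAX_CERTS_PER_PROXY} per proxy")
    return problems

# Constructed sample matching the question's layout; barney is deliberately
# left off every certificate so check() has something to report.
SAMPLE = LbPlan(
    host_to_bucket={"flintstones.com": "apex-bucket", "www.flintstones.com": "apex-bucket",
                    "fred.flintstones.com": "fred-bucket", "barney.flintstones.com": "barney-bucket"},
    certs=[["flintstones.com", "www.flintstones.com"], ["fred.flintstones.com"]],
)
```

Every domain listed on a managed certificate still has to resolve to the load balancer's IP before Google will move it out of PROVISIONING, which this check cannot see; it only catches configuration that is wrong before DNS is even considered.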

IAM Policy for S3 folder access for group of Cognito IDs

I'd like to share individual S3 folders between groups of Cognito users, identifying with assume_role_with_web_identity, e.g.
group A: Device 1, Device 2
group B: Device 4, Device 5, Device 10, ..., Device 23
group A has a shared folder: mybucket/groupA/*, and cannot access group B's folder.
group B has a shared folder: mybucket/groupB/*, and cannot access group A's folder.
We can expect 1000 groups.
As far as I can see from examples on the web, it is only possible to specify device-only IDs in a shared policy, using something like this:
"Resource": [
"arn:aws:s3:::my-bucket/${cognito-identity.amazonaws.com:sub}/*"
]
But I am at a loss for how to grant access to groups of devices with a shared policy. Please help.
NB! Amazon has a limit of 250 roles per account, so I cannot create a role per group.
Amazon Cognito does not support groups. Cognito credentials cannot be used to access another identity's or a group's assets at this time. Cognito credentials can either be used to access the identity's assets or global assets.
This blog post shows examples of using conditional policies to give additional users access, but unfortunately this would not scale to 1000s of groups.

Is there a maximum number of service accounts that a project can have in the Google Cloud Platform?

I'd like to dynamically generate service accounts/clients, and there is a possibility that I would generate a lot of them. Is there a maximum number of client IDs / service accounts that a Google Cloud Platform project can have?
I know this is too late, but I came across this FAQ in the Google Cloud docs which answers this question as follows:
You can create 100 service accounts in a project. Contact your account manager if you need to create more than 100 service accounts in a project.
I don't know of a limit on the number of service accounts, but there is a limit to the number of refresh tokens for a given service account:
There is a limit to the total number of refresh tokens that your service account can have at any one point in time. Currently, this limit is 600. If this limit is reached, Google Compute Engine will not be able to create an instance which requires a new refresh token, and you will get a SERVICE_ACCOUNT_TOO_MANY_TOKENS error. For example, if you have reached the refresh token limit, and you attempt to create an instance with a new, unique set {default, scope1, scope2, scope3, scope4}, the action fails and you will receive the SERVICE_ACCOUNT_TOO_MANY_TOKENS error.
There is a limit on the number of service accounts per project.
However, you could increase this limit through the quota page.
In your project's quota page, edit the following to increase the limit on the number of service accounts per project:
'Quota type': All quotas
'Service' : Identity and Access Management (IAM) API
'Metric' : Service Account Count

Traffic Splitting By IP Address on Google App Engine

I'd like to direct traffic to different versions of Google App Engine code based on a set list of known IP Addresses.
For example, if an incoming request is from an IP Address on a given list, then traffic is directed to version 1. If not, then version 2.
Is there a way to do this from the admin console or deployment configuration?
The end goal is to grant access to extra features when the site is accessed from an approved IP Address. If I can't do this from the admin console, then I plan to get the IP Address during the user's login process, and set their security role based on IP.
There isn't a way within the admin console or deployment process. However, if you do cookie-based traffic splitting, you can set the cookie yourself (based on the incoming IP address, or another value you desire). The value is stored in GOOGAPPUID, and the value you'd want to use is described in the documentation; it varies depending on the number of versions you're splitting between and the respective levels of traffic you'd like to send to each version.
If you don't want to do traffic splitting for users not on a given list of IPs, you should make sure to explicitly set the cookie for all users. Otherwise, App Engine will provide the value (and send some users to both versions) by default.
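One way to implement the cookie assignment the answer describes, as an added Python example (not code from the original answer or from App Engine): the approved networks and the v1/v2 split are constructed samples, and the rule that cookie values 0..999 are allocated to versions in contiguous ranges in configuration order is an assumption to verify against the traffic-splitting documentation.

```python
# Added example: choose a GOOGAPPUID value from the client IP so that
# approved addresses land on version v1 and everyone else on v2, and set it
# for every response so App Engine never assigns its own random value.
import ipaddress
from http.cookies import SimpleCookie

# Constructed sample allowlist (documentation ranges, not real addresses).
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Traffic split as configured in the console: version -> share of traffic.
# ASSUMPTION: cookie ranges are allocated in this order; check the docs.
SPLIT = [("v1", 0.5), ("v2", 0.5)]

def cookie_ranges(split):
    """Map each version to a contiguous (start, end) range of cookie values
    in 0..999 in proportion to its share; the last version takes the rest."""
    ranges, start = {}, 0
    for i, (version, share) in enumerate(split):
        end = 999 if i == len(split) - 1 else start + int(share * 1000) - 1
        ranges[version] = (start, end)
        start = end + 1
    return ranges

def is_approved(remote_addr):
    """Use the platform-provided client address (REMOTE_ADDR), never a
    client-supplied header; malformed input is treated as not approved."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_NETS)

def choose_version(remote_addr):
    return "v1" if is_approved(remote_addr) else "v2"

def cookie_value_for(version, split=SPLIT):
    """Any value inside the version's range works; use its lower bound."""
    start, _ = cookie_ranges(split)[version]
    return start

def set_cookie_header(remote_addr):
    """Value of the Set-Cookie header to emit on every response."""
    c = SimpleCookie()
    c["GOOGAPPUID"] = str(cookie_value_for(choose_version(remote_addr)))
    c["GOOGAPPUID"]["path"] = "/"
    return c.output(header="").strip()
```

Because the client can set GOOGAPPUID itself, the version a request lands on is not an access control; the extra features still need a server-side authorization check tied to the login IP, as the question already plans.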
