I was trying to build a fact skill as per the instructions given in https://github.com/alexa/skill-sample-nodejs-fact.
I cloned the repository, initialized the ASK CLI and installed the npm dependencies.
Then I tried to deploy the skill and the Lambda function in one step by running the command ask deploy, but it shows an AccessDeniedException. Please help me resolve the issue.
-------------------- Create Skill Project --------------------
Profile for the deployment: [default]
Skill Id: amzn1.ask.skill.1234ab-1234
Skill deployment finished.
Model deployment finished.
Create Lambda error.
AccessDeniedException: User: arn:aws:iam::12345678:user/ASK_CLI_USER is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:12345678:function:what_name_you_want_to_name_the_lambda
Please Note:
Installed and set up ASK CLI following instructions in the below link:
https://developer.amazon.com/docs/smapi/quick-start-alexa-skills-kit-command-line-interface.html
Set Up Credentials for an Amazon Web Services (AWS) Account CLI following instructions in the below link:
https://developer.amazon.com/docs/smapi/set-up-credentials-for-an-amazon-web-services-account.html
Created a user ASK_CLI_USER and created a new policy with the permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam:::role/ask-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListFunctions"
      ],
      "Resource": "arn:aws:lambda:::function:ask-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:getLogEvents",
        "logs:describeLogStreams"
      ],
      "Resource": "arn:aws:logs:::log-group:/aws/lambda/ask-"
    }
  ]
}
The resource you should be restricting to is "arn:aws:lambda:*:*:function:ask-*". It looks like you're missing the asterisks.
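The effect of the missing asterisks can be checked offline. The following is an added example, not code from the original thread or from AWS: it uses a simplified model of IAM Resource matching (Allow statements and `*`/`?` wildcards only, no Deny, Condition or permission boundaries), and the `ask-fact-skill-default` function name is a constructed placeholder. It also shows that the corrected pattern still does not cover the ARN in the error message, because that function name does not start with `ask-`.

```python
import re

def glob_match(pattern: str, value: str) -> bool:
    """Simplified IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers both the action and the resource ARN.
    Deliberately ignores Deny, Condition and permission boundaries."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Action names are case-insensitive; resource ARNs are compared as written.
        action_ok = any(glob_match(a.lower(), action.lower()) for a in as_list(stmt["Action"]))
        resource_ok = any(glob_match(r, resource) for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def lambda_statement(resource_pattern: str) -> dict:
    """The Lambda statement from the question, with a chosen Resource pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:AddPermission", "lambda:CreateFunction", "lambda:GetFunction",
                   "lambda:UpdateFunctionCode", "lambda:ListFunctions"],
        "Resource": resource_pattern}]}

AS_POSTED = lambda_statement("arn:aws:lambda:::function:ask-")      # asterisks missing
CORRECTED = lambda_statement("arn:aws:lambda:*:*:function:ask-*")   # pattern from the answer

# ARN taken from the error message in the question.
DENIED_ARN = "arn:aws:lambda:us-east-1:12345678:function:what_name_you_want_to_name_the_lambda"
# Constructed ARN whose function name carries the ask- prefix (hypothetical name).
PREFIXED_ARN = "arn:aws:lambda:us-east-1:12345678:function:ask-fact-skill-default"

def check_all() -> dict:
    """Evaluate lambda:CreateFunction for both policies against both ARNs."""
    action = "lambda:CreateFunction"
    return {(label, name): is_allowed(policy, action, arn)
            for label, policy in (("as posted", AS_POSTED), ("corrected", CORRECTED))
            for name, arn in (("error ARN", DENIED_ARN), ("ask- ARN", PREFIXED_ARN))}

if __name__ == "__main__":
    for key, ok in check_all().items():
        print(key, "->", "Allow" if ok else "implicit deny")
```

Only the corrected policy combined with an `ask-` prefixed function name evaluates to Allow; every other combination falls through to an implicit deny.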
It says it pretty clearly:
AccessDeniedException: User: arn:aws:iam::12345678:user/ASK_CLI_USER is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:12345678:function:what_name_you_want_to_name_the_lambda
Go into your console and add proper permissions to user ASK_CLI_USER
I followed the instruction from this website to add the authentication with Identity Server. The configuration is quite simple
proxy:
  title: Open Analytics Shiny Proxy
  port: 8080
  authentication: openid
  openid:
    auth-url: https://identityserverurl/connect/authorize
    token-url: https://identityserverurl/connect/token
    jwks-url: https://identityserverurl/.well-known/openid-configuration/jwks
    logout-url: https://identityserverurl/Account/Logout?return=http://yourshinyproxy:8080/
    client-id: ShinyProxy
    client-secret: secret
    scopes: [ "openid", "profile", "roles" ]
    username-attribute: aud
    roles-claim: role
And the authentication seems to be working. When I add the access-groups to display the app only for a particular role, it doesn't work:
specs:
- id: 01_hello
  display-name: Hello Application
  description: Application which demonstrates the basics of a Shiny app
  container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
  container-image: openanalytics/shinyproxy-demo
  container-network: sp-example-net
  access-groups: 200122-user
The same code is working with version 2.4.3 of ShinyProxy.
Is there anything I missed for this configuration in ShinyProxy 2.6.1?
Running an App Engine Java 8 app with Google Cloud Endpoints. I've generated the openapi.json, deployed it to my Endpoints Portal, and can see the API in my portal, with the various methods and resources listed correctly.
I'm running the dev app server locally in IntelliJ using the Cloud Code plugin. When I run it, it opens a browser tab that gives me an Error 403, with the following stack trace (abbreviated):
SEVERE: direct send of a check request service_name: "my-project-redacted.appspot.com"
operation {
operation_id: "11b8f9a6-c9cb-4895-95fb-8bb39176efb9"
operation_name: "1.my_project_dot_appspot_com.MyAPI"
consumer_id: "project:my-project"
start_time {
seconds: 1596075164
nanos: 812000000
}
end_time {
seconds: 1596075164
nanos: 812000000
}
labels {
key: "servicecontrol.googleapis.com/caller_ip"
value: "127.0.0.1"
}
labels {
key: "servicecontrol.googleapis.com/user_agent"
value: "ESP"
}
labels {
key: "servicecontrol.googleapis.com/service_agent"
value: "EF_JAVA/1.0.12"
}
}
failed
endpoints.repackaged.com.google.api.client.http.HttpResponseException: 403
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"errors": [
{
"message": "The caller does not have permission",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
at endpoints.repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.newExceptionOnError(AbstractGoogleClientRequest.java:456)
at endpoints.repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:321)
at endpoints.repackaged.com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1065)
at endpoints.repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at endpoints.repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at endpoints.repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.google.api.control.Client.check(Client.java:205)
It's worth noting that the API seems to work -- I have the iOS simulator connecting to my local dev app server and making Endpoints calls. I'm just tired of seeing the 403 in my browser every time I start the dev app server, and fear it may portend some similar issue in production when I eventually push this new service.
This error indicates that there is something wrong with the permissions or that the Service Control API is disabled in your project, so in order to fix it you can:
Make sure your service has access to servicecontrol.googleapis.com enabled by running the following command on Cloud Shell:
gcloud services enable servicecontrol.googleapis.com
Double check ENDPOINTS_SERVICE_NAME parameter in your appengine-web.xml file, it should look like this:
<env-var name="ENDPOINTS_SERVICE_NAME" value="$PROJECT"/>
Check if OpenAPI specs are deployed to Cloud, you can check it by running this command on Cloud Shell:
gcloud endpoints configs list --service=$PROJECT
Double check if the Service account running your instance has the proper IAM roles.
We've got an application hosted on a VM in Azure, which is behind a WAF that we've got a lot of trouble with for some users.
Some users are plagued by the HTTP Error 400. The size of the request headers is too long. The application is protected by Azure AD login.
The full response to the browser is:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
{
"data": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Bad Request</TITLE>\r\n<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD>\r\n<BODY><h2>Bad Request - Request Too Long</h2>\r\n<hr><p>HTTP Error 400. The size of the request headers is too long.</p>\r\n</BODY></HTML>\r\n",
"status": 400,
"config": {
"method": "GET",
"transformRequest": [
null
],
"transformResponse": [
null
],
"url": "api/datacontext/workbooks/876dac86e00e42878d9e239a8efb00a3/session/start",
"headers": {
"Accept": "application/json, text/plain, */*",
"x-invision-app-language": "EN",
"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyIsImtpZCI6ImFQY3R3X29kdlJPb0VOZzNWb09sSWgydGlFcyJ9.eyJhdWQiOiI2MGMyZDcwNi02M2JmLTRhYzItOGQyZi01M2QzMzM1ZTAwMDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80M2I0MWVlMy01MDllLTRmNDYtOTFmZi1hYWMxNGY5MjAwYTAvIiwiaWF0IjoxNTY5NTg0NTIyLCJuYmYiOjE1Njk1ODQ1MjIsImV4cCI6MTU2OTU4ODQyMiwiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhNQUFBQWtlMDNycUJycmJoZlNBdDB4SnY4bkF4RzA1V1VPdnd4SjZDUmdVeFdkeGc9IiwiYW1yIjpbInB3ZCJdLCJhcHBpZCI6IjYwYzJkNzA2LTYzYmYtNGFjMi04ZDJmLTUzZDMzMzVlMDAwMiIsImFwcGlkYWNyIjoiMSIsImZhbWlseV9uYW1lIjoiUmV0dmVkdCIsImdpdmVuX25hbWUiOiJFcmlrIiwiaXBhZGRyIjoiMTk0LjI0OC4xNDcuMTMiLCJuYW1lIjoiRXJpayBSZXR2ZWR0Iiwib2lkIjoiMGJjMDUyMDgtZDQ1YS00MTk4LTk3MzItMzZiN2U2MDJiYmYwIiwib25wcmVtX3NpZCI6IlMtMS01LTIxLTEzNDI3OTMzNzAtNDI1NDg1MTE1LTU5NDUyMDk5NS0xODU0Iiwic2NwIjoiRGlyZWN0b3J5LlJlYWQuQWxsIFVzZXIuUmVhZCBVc2VyLlJlYWQuQWxsIFVzZXIuUmVhZEJhc2ljLkFsbCIsInN1YiI6ImJ0M3pIOFNQcjRtMWFqenZJa2ZiMjBnVUZkR3BxblpEYmg3QWJ4M3B5N28iLCJ0aWQiOiI0M2I0MWVlMy01MDllLTRmNDYtOTFmZi1hYWMxNGY5MjAwYTAiLCJ1bmlxdWVfbmFtZSI6ImVyaWsucmV0dmVkdEBjaG9pY2Uubm8iLCJ1cG4iOiJlcmlrLnJldHZlZHRAY2hvaWNlLm5vIiwidXRpIjoiUERYS0FfSl9CRWlmc0tDLVJJbHhBQSIsInZlciI6IjEuMCJ9.aghrUBArpEvvvXBs2MBPTCL2nUPZ3aMCJ-1r3EqB5a9UaqaX7Ego5mSw1gb_68y3KhsGfO7kAv49uCB7cy80kEXV4ES4htLefQmmp-Bx-1Et_w6vstoki9ojWuKP97NsaGlQBjPYCZcbCRptBIZJIr_H71dMuFhAPWYEImcGtOrF2RNQA4AFvlx6WL2dIONHVPar3sjgLWEvFxhPFZsml3Ht3M1OtLj5drAJrkUjgxfV3-00bqCwYCm5_t_BAtxWsd-LZEpjDLpN7nDBFIJF14oFrPB7yXCBM_q-Y4FCCwGE14NoRcUrJNJPYMt5b0LKHEAbIopdq_zmFQ6XnUmcjg"
},
"withCredentials": true
},
"statusText": "Bad Request"
}
The error shows up on different paths in the application and seemingly at random. It might work fine for a while, then the user gets the error message again. We've narrowed the problem down to being the WAF, as when we've changed the traffic to flow directly to the IIS webserver the users are seeing none of these errors. It seems that there's nowhere to change the size limit for the request header that I can find in the WAF. Anyone got any idea as for where to start looking for a solution?
The Azure WAF is configured as follows:
Configure
Tier: WAF
Firewall Status: Enabled
Firewall mode: Detection
There are no exclusions configured.
Global Parameters:
Inspect request body: Off
Rules
Rule set: OWASP 3.0
Advanced rule configuration: Disabled
I'm trying to deploy my GAE application via terminal with the following command: gcloud --project my-project-id --version staging app deploy
It gives me no errors, the only output I get is:
Google Cloud SDK 183.0.0
bq 2.0.27
core 2017.12.08
gsutil 4.28
But the deploy doesn't actually work (I changed some text on one of the API returns just to see if it was changing in the actual URL I access).
Any idea what's going on or how to debug it?
EDIT:
I managed to get an error now:
{
"error": {
"code": 403,
"message": "Operation not allowed",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ResourceInfo",
"resourceType": "gae.api",
"description": "The \"appengine.applications.get\" permission is required."
}
]
}
}
DEBUG: (gcloud.app.deploy) Permissions error fetching application
[apps/darwin-ms-transfer]. Please make sure you are using the correct
project ID and that you have permission to view applications on the
project.
And I did check the permissions, I do have the appengine.applications.get permission based on the service account's roles.
I am new to Keycloak. I have tried to get the user information using below code:
keycloakAuth.loadUserProfile().success(function(profile) {
    debugger;
    console.log(profile);
}).error(function(res) {
    debugger;
    console.log('Failed to load profile');
});
The installation JSON is:
{
"realm": "CheckRealm",
"realm-public-key": "MIIBIjASDFJJK677132HJJAOCAQ8AMIIBCgKCAQEAgo4deAfr8BeqWOiCsddwMtH5nh8EK2cKIeInpt7LnoCyMsGj1HTP835HpslOURrR6Bgc42V7r6J/MIHqx3+KESTqpcQSe9ll6eUjzaMbIX2GPmy9OnviH6srUgOlDAKhL+/SDh/iv8RfErAPO9cxnoBWUUTyfyes1YRn34KILBdHZoaWk5mteJx9aV4bfA5tGTT6aF8o1NkCX1OUfXiaAD5sqKZV5vbI+QsOUsNshvGfE5JR2EpwZbWH/vRQVusxLURjC51v96ieQ8zUME5LwAQ0TgZcspHTb4Y+KuYRTuDQKuxRUYFeNbvqUGeT2s2sHMmWOQIDAQAB",
"auth-server-url": "https://something.com/auth",
"url": "https://something.com/auth",
"ssl-required": "external",
"resource": "sample-tracker",
"clientId": "sample-tracker",
"credentials": {
"secret": "bnmbsdk87wq"
}
}
I got the mentioned error: Failed to load resource: the server responded with a status of 403 (Forbidden)
To solve this situation you need to configure your Keycloak or Red Hat Single Sign-On (if you are using the supported version).
Open the Keycloak admin console, for example: http://localhost:8180/auth/admin. Then click on Configure > clients and select the account client. The account client must be enabled.
Next, still in Configure > clients, select the client that you are trying to access and click on the scope tab. Add the view-profile role of account application.
The user also needs to have this permission.
There is a resolved issue about this in https://issues.jboss.org/browse/LIVEOAK-204 .
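One way to confirm that the scope and role changes described above took effect is to decode the access token issued to the client and look for view-profile under the account client's roles. This is an added example, not code from the original answer or from Keycloak: the tokens are constructed samples with a placeholder signature, the resource_access claim layout is assumed to be Keycloak's usual one, and the signature is not verified, so it is suitable for diagnostics only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def client_roles(claims: dict, client: str) -> list:
    """Roles granted on one client, as listed under the resource_access claim."""
    return claims.get("resource_access", {}).get(client, {}).get("roles", [])

def has_view_profile(token: str) -> bool:
    """True if the token carries the account client's view-profile role.
    The role appears only when the client's scope includes it AND the user
    has it, which are the two steps the answer describes."""
    return "view-profile" in client_roles(jwt_claims(token), "account")

def make_sample_token(resource_access: dict) -> str:
    """Build a constructed token for the demo; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"azp": "sample-tracker", "resource_access": resource_access}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "constructed-signature"])

# Constructed tokens: before and after adding view-profile to the client scope.
BEFORE_FIX = make_sample_token({"sample-tracker": {"roles": ["user"]}})
AFTER_FIX = make_sample_token({"sample-tracker": {"roles": ["user"]},
                               "account": {"roles": ["view-profile"]}})

if __name__ == "__main__":
    for name, tok in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, "-> view-profile present:", has_view_profile(tok))
```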