What is the best way to upload from AngularJS to S3 without passing the access key or secret down to the client? I have a friend who is trying to accomplish this by creating a pre-signed URL on the server (NodeJS & Express) and then sending the URL to the client for upload. He's claiming it's failing due to CORS but he CAN upload using the sdk from the same AngularJS app & browser.
Update for Clarity
The tricky part is they cannot store anything in an environment variable AND each bucket has different credentials. They're storing info on 10-20 buckets / regions / IAM users and need the end user to select the bucket BY NAME on the client. This means they cannot store anything globally. The server must be able to generate something for the client to use per each request.
His original question:
Generate S3 Put URL Per Request
You can do that by using an IAM Instance Profile for your ec2 server. That way you don't have to provide your access & secret key, because any call done via the AWS SDK will be authenticated via the instance profile permissions. Either of this, in order! authenticate aws api calls:
In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
In the Java system properties: aws.accessKeyId and aws.secretKey.
In the default credentials file (the location of this file
varies by platform).
In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance.
Note the instance profile creds are checked last!
More info here
Related
I'm having the most bizarre problem, which I thought would be quite simple to fix. I helped a client set up a connection to the Amazon Selling Partner API by creating a private app in Seller Central:
Settings > User Permissions > Visit Developer Credentials
New app client
Get LWA credentials (client secret and client id)
Self authorize the app to obtain a refresh token
I've been using this successfully to pull Amazon SP API data for this client, but now the client wants to ensure we don't keep having access to their data and would like to either remove the app and create a new one or at least invalidate existing refresh tokens and/or client secrets and generate new ones. It's quite easy to create a new refresh token, but this doesn't invalidate the existing ones.
I've tried everything, including unticking all the boxes that grant you access to various scopes and putting in a random IAM ARN, but you have to leave at least one box ticked and the ARN has to match an existing one. Getting a non-technical client to create a new IAM ARN just for this doesn't make us look great, and I'm sure there has to be a way to revoke those credentials - what would happen if they became compromised for some reason?
My App engine is running in project-1. I want to access the BQ present in project-2. How can i make app engine in project-1 access the BQ present in project-2?
You should request "can view" (or "can edit") permissions on the dataset of your interest. Owner of project-2 (or respective dataset) will be able to do so.
You don't need to be present on project level and in some cases it is not even appropriate - but you must have appropriate permissions on dataset level
If, by chance, you are the owner of project-2 or respective dataset - you can easily do this by following below instructions
https://cloud.google.com/bigquery/bigquery-web-ui#sharedataset
The easiest way to accomplish this is to add the default service account of "project-1" to the permissions list of "project-2":
within the cloud console go to the permissions section of project-1
select the service accounts sub tab
look for the default service account (or create a new one)
add the service account to the permissions of project-2
EDIT
You need to create your client in a fashion that uses the applications default service account. For example if you're using python it would look something like:
# Grab the application's default credentials from the environment.
credentials = GoogleCredentials.get_application_default()
# Construct the service object for interacting with the BigQuery API.
bigquery_service = build('bigquery', 'v2', credentials=credentials)
Now with your PK file you can launch the dev appserver in a fashion that the same client client will work correctly: Unable to access BigQuery from local App Engine development server
I'd like to give to each of my customers access to their own bucket under my GCS enabled app.
I also need to make sure that a user's bucket is safe from other users' actions.
Last but not least, the customer will be a client application, so the whole process needs to be done transparently without asking the user to login.
If I apply an ACL on each bucket, granting access only to the user I want, can I create an API key only for that bucket and hand that API key to the client app to perform GCS API calls?
Unfortunately you only have two good options here:
Have a service which authenticates the individial app according to whatever scheme you like (some installation license, a random GUID assigned at creation time, whatever) and vends GCS signed URLs, which the end user could then use for a single operation, like uploading an object or listing a bucket's content. The downside here is that all requests must involve your service. All resources would belong entirely to your application.
Abandon the "without asking the user to login" requirement and require a single Google login at install time.
I have created Web Tab in salesforce with url of my application. When someone opens that tab and my application gets call, How can I make sure where user who opened it is authorized?
I know I can pass {!User.Email} and other variables to my app to identify user. I guess some sites also send {!Api.SessionId} but I can not find any information about how to authorize using Api.SessionId or any other variables that can be passed.
Update
I found https://developer.salesforce.com/page/Single_Sign_On_for_Composite_Apps which is guide to the question I asked. But not able to find jar for given java classes.
You can use the API SessionID and ServerURL to make a request back to Salesforce via the API. Say with the PartnerAPI. This will confirm that the user did indeed come from a valid Salesforce session. You can confirm other details, such as their email address from the active session as well.
Alternatively, you could create a newer connected app using signed requests. Here the request posted to you app will be signed with using a secret that you can decrypt. This ensures the details haven't been faked or tampered with.
Rather than creating a Composite App you can create a Canvas App. This is a type of Connected App. You can find instructions for setting this up at Creating a Connected App. The Signed Request is POSTed to your web app. See Signed Request Authentication
I am writing an travel itinerary app engine application which will interact with the calendars of my users. In order to manage access to my user's calendar I intend to use OAuth 2.0. I looked online for various code examples and the closest to what I am trying to acheive is (http://code.google.com/p/google-api-java-client/source/browse/calendar-appengine-sample/src/main/java/com/google/api/services/samples/calendar/appengine/server/?repo=samples). I have the following questions
1) I find that the server needs access to the application's client id and client secrets. Most of the sample code I have seen so far loads this from a local file. Does AppEngine give some API which will enable me to retrieve the client id and client secret without me having to worry about storing it ?
2) If I have to store the client secret in a secure fashion what are my options ?
3) What is the best way to store a user's access token and refresh token ?
It almost never changes, so hardcode it. It's only really loaded from a file in the sample programs so that you can get the samples running without touching the code.
See 1.
You can use the Google provided Credential class which uses a dedicated kind. Or, given that they are simply strings, you can store them as part of the User kind which your app almost certainly has to track your registered users.
As a tip, separate writing your oauth code from writing your calendar code. I would start by writing an app that only authorises, stores the refresh token, and refreshes the access token. You can test your access token using curl. Once you have that all working, then add your Calendar functionality as phase 2.