There are two accounts. One is for transit gateway and another is for vpc. There is a transit gateway in account A, and in account B there is a vpc and transit gateway attachment that is associated to the transit gateway in account A through Resource Access Manager. Even if the transit gateway attachment in account B has a tag, the transit gateway attachment that is shown in account A doesn't have a tag. How can I apply a tag to the transit gateway attachment in account A by CDK in Typescript? In account A, only id of the transit gateway attachment is known thus the following occurs an error.
cdk.Tags.of(attachment_id).add('Name', 'tgw-test');
-> TypeError: Cannot read property 'Symbol(cdk-aspects)' of undefined
I know nothing about typescript, but using the AWS console it is possible to manually add tags to the Transit Gateway Attachment in Account A.
The way I usually do this is to note the TGWA id in Account B, then switch roles to Account A and apply the tag to the matching TGWA id.
Looking at this answer it appears typescript allows one to assume other cross-account roles from within the script.
You could follow the same pattern as the manual workaround, i.e. obtain the TGWA id in account B, assume a role in account A, then apply the tag to the TGWA resource in Account A that matches the stored id from Account B.
Related
Currently, I'm following this doc to use Oauth to copy data from Rest connector. I applied the suggested temple ,when I configure this web activity, as for the body content, it show I should provide below parameters. I wonder where to get this parameters?
screenshot2:
These are app registration ID and password.
You need to register an app in Azure AD.
Below MSFT docs provides details about the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
Here, you have to create a service principle in the Azure Active directory :
First you have to register the App under the blade of AAD > App registrations > New Registrations.
Once you register the App you have to then Assign a role under the Subscription Blade> selecting the subscription proceeding with Access Control(IAM)
Then you have copy the tenant ID and app ID under the AAD> App registrations> Your App
As there are two options for authentication one for uploading certificate and other for New Application Secret: Go with the 2nd one
Then you have to set the client secret for the New client. here is the Microsoft Document: Option 2: Create a new application secret
I'm building my first Slack bot and I've got the basics mostly working... sending API requests, receiving commands and events, etc. But the part I'm left a bit confused about is what I'm supposed to do with the "Bot User OAuth Access Token".
The token appears to be shared across teams/workspaces, but it is returned to be during authentication of individual users with a call to /oauth.v2.access. Currently I'm storing the returned credentials payload in a table that has three columns:
My app's internal user ID
The Slack user ID embedded in the payload as authed_user.id
The entire JSON payload itself (jsonb in postgres if you're curious)
This allows me to initiate new API calls for actions that take place in my app (find by internal user ID) and also for interactions within Slack (find by Slack user ID).
What has left me a bit puzzled is what the convention is for when a user interacts with my bot that hasn't added my app. This can happen when a person ("Jose") adds my app and then their colleague ("Mary") discovers it in Slack and views the home screen, sends it a message, etc.
In order to take some action, such as prompt for the user to install my app, I need a token. Of course I have a token for Jose but not for Mary. I also have Jose's team ID stored in my table and Mary's team ID as part of the incoming event. So technically I could do something like this to get a working token to interact with Mary:
select credential_json from slack_credentials
where credential_json->>'type' = 'bot' and credential_json->'team'->>'id' = :marysTeamId
... which would pull out the bot token I captured when Jose added the app. This works, but it feels very wrong. I suppose if I just stored bot tokens in a separate table that looked like this:
The Slack team ID embedded in the payload as team.id
A subset of the JSON payload (ex: access_token, scope, bot_user_id, etc but not authed_user)
Then it wouldn't feel so yucky. But the docs + API ergonomics don't suggest this is a common approach either. So I'm curious what others do. If I don't hear anything back, I suppose my plan is to break out the bot tokens into a team-centric table.
Thanks!
The basic concept of Slack apps is that they are installed per workspace, not per user.
So while it's true that the app's token is derived from the user who installed your app to a new workspace, most the apps function are available to all users of the workspace.
e.g. slash commands will work for every user in every channel
e.g. posts of your app will be visible to all users of the related channel.
Therefore the best approach for storing tokens usually is with a primary key of Slack Team ID, Slack User ID.
And just to clarify. You do not need a token to prompt a user to install you app. Every app can be installed from webpage hosted by you (with the "Add to Slack button") or directly from the App Directory.
I have followed the documentation for creating a G Suite Service Account. The following works fine to emulate a given user in my domain:
def create_directory_service(user_email):
credentials = ServiceAccountCredentials.from_json_keyfile_name(
SERVICE_ACCOUNT_FILE_PATH,
scopes = SCOPES)
credentials = credentials.create_delegated(user_email)
return build('admin', 'directory_v1', credentials=credentials)
However, I want to be able to just use the service account to access domain information without needing to emulate a particular user. But if I pass in the service account's email address (as given in its key file), I just get HttpError 503: "Service unavailable. Please try again".
I've added the service account's email address as a Service Account Admin, but it still doesn't work. Again, delegation works fine, but not using the service account directly.
Does anyone know what I'm missing?
To use Directory API, you must use delegation to impersonate a user in the domain, that can use Directory API (so usually an admin).
I created a composer supply chain application and whenever I run it using admin card on REST server and generated angular app with yeoman, I am accessing the network as admin user with the access to all the functionalities (creating users, assets or triggering all transactions).
How can I access the network as one of the participant with the permissions that I defined in the .acl file?
First you should issue a new identity for the participant. This can be done using either the API, the command line, or by using ID cards in the Hyperledger Composer Playground.
See: https://hyperledger.github.io/composer/latest/managing/identity-issue
Then you should bind the identity created to be used by the participant to interact with the business network in the context of that participant.
See: https://hyperledger.github.io/composer/latest/managing/identity-bind
You can also enable the authentication to the rest server and then create and bind the cards for the authenticated user: https://hyperledger.github.io/composer/latest/integrating/enabling-rest-authentication
If you want to test it more easily and quickly you can do it via Hyperledger Composer Playground: click on the button on the top right (where you see 'admin') and then on ID registry. From this page you can now create and manage new identities.
I am using the Google API to create a spreadsheet on google drive.
My app has a link that says 'Download To Google Doc'
The app sends a file to google docs and shares it with the user.
The user can then see it in google docs.
This all works good.
The problem is the identity of the service account sharing the doc.
It is a generated id. I want it to be branded to my app.
Is this possible?
-
You can't change the service account email address, nor can you supply a real world user name to it. The service account email address is created by Google in the Google Developer console.
The only way to change the email address would be to delete it and create a new one but again you would be stuck with the one Google Created. I suspect that the client id and email address are a pair used for identification of your application. Similar to client id and client secret, but I cant verify that.
I do see your point it would be nice if we could.
Google Service Accounts do allow you to impersonate an existing user account (for some services). I haven't tested it on Google Drive, but I have used it with the Webmaster tools API. The instructions can be found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
To sum them up, when creating the service account credentials you can specify the "sub" parameter with "The email address of the user for which the application is requesting delegated access." The account you're requesting access for must exist and have permission to access to the services you're requesting.
In the link above Google provides examples for Java, Python and HTTP/REST, here's the Python example:
credentials = SignedJwtAssertionCredentials(client_email, private_key,
'https://www.googleapis.com/auth/sqlservice.admin',
sub='user#example.org')
I'm using the Ruby google-api-client gem (0.9.pre3) and the ServiceAccountCredentials constructor does not pass the 'sub' parameter to its parent class so it has to be specified in another step:
client = Google::Auth::ServiceAccountCredentials.new(json_key_io: json_key_io, scope: scope)
client.update!(sub: 'user#example.org')
client.fetch_access_token!
service = Google::Apis::WebmastersV3::WebmastersService.new
service.authorization = client
Using this code I can authenticate using my service account and I have access to the sites