AWS DynamoDB permissions - getting error when user queries database - ios

I am using Amazon Web Services to provide my users access my DynamoDB table. I am using Cognito for log in, and it seems to work. I have create the database and the policy to query my database. I have the code in the app, I have a user group, I have the database (write to it fine), I have the policy written. AWS is still giving me an access error.
Any idea where I am going wrong?

You need to go to the IAM console and attach appropriate policies for doing operations like getItem on your table. You need to attach a policy for the unauth / auth role created by Cognito Identity Pool. For a similar working app, you can use AWS Mobile Hub which will create policies for you and give a sample app which demonstrates using the queries on a table.
Thanks,
Rohan

Here's what I would recommend to do to fix the problem:
First in the Overview tab of your DynamoDB table, copy the Amazon Resource Name (ARN) it should look something like:
arn:aws:dynamodb:us-west-2:227509******:table/TableName
After that go to your IAM console and click on Roles off to the left. Once in the Roles section click on the UnAuth_Role for the app associated with your table. Should look like:
Cognito_AppNameUnauth_Role
Once here, click on Create Role Policy - then select Custom Policy - then click Select.
Create a name for your policy
Copy this code but edit it with your ARN:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
],
"Resource": [
"arn:aws:dynamodb:us-west-2:227509******:table/TableName",
"arn:aws:dynamodb:us-west-2:227509******:table/TableName/index/*"
]
}
]
}
Add more permissions if you need to like :
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
I can't guarantee that will fix the problem. But it's a start in the right direction.

I've been struggling with the same issue. I have successfully authenticated via Cognito UserPool, verified policy was set up, ran into error code 6 as you did above. Found that if I changed user table permissions from "Private" to "Public", although not desirable, allowed me to read/write from table.
DynamoDB Table Permissions
The "Condition" clause below is added when you select "Private" instead of "Public" through the console. I can't find clear documentation on what this means / how to satisfy the condition it's asking for. (If someone understands better feel free to help edit this response!)
"Effect":"Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTables",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:...:table/...",
...
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
}
}

Related

Change Eve Python DOMAIN collection schema dynamically during runtime

I am using the Eve Python API Framework for MongoDB. I am writing a feature that allows my users to edit metadata sections for the documents that they are writing.
Example JSON:
{
"metadata": {
"document_type": ["story"],
"keywords": ["fantasy", "thriller"]
}
}
We have a CMS for the document editor that admins can use to allow them to do things like add new metadata fields for the authors (normal users) to add more information about their posts. For example, the site admin may want to add a field called "additional_authors" which is a list of strings. If they add this section to the frontend we would like some way to add it to the Eve Schema on the backend in real time without restarting the server. It is very important that it be real time and not part of a coding change in Eve or requiring Eve to restart.
Our current hard-coded metadata schema looks like this for the document collection:
{
"metadata": {
"type": "dict",
"schema": {
"document_type": {"type": "list", "required": True},
"keywords": {"type": "list", "required": True}
}
}
}
I understand that we can go with a non-strict approach when writing the "metadata" type dict so that it does not care what is inside but from my understanding this means we would not be able to use "projection" properly meaning that if I only wanted to return "metadata.additional_authors" of all documents through my API call, I would not be able to do so. Also, this would mean that we would have to deal with the required check ourselves using hooks instead of the built-in Eve schema check.
Is there anyway around this issue by essentially having a dynamic schema based on a MongoDB document that we can store the entire collection configuration dict in and retrieve it without restarting the server for it to take effect? Even if this means adding a hook to the new schema_dict collection and calling some internal Eve function I am all ears.
Thank you ahead of time for your help.

Is it possible to set permissions on variable groups via the REST API?

I was curious if anyone knows how to set permissions (add/remove groups) to variable groups via the REST API. I know there is the security namespace, however it requires a resource guid and I am not sure how to get that for a specific variable group?
You want security namespace "Library" ( you need to convert it to proper namespace_id ) and with token "Library/$project_id/VariableGroup/$variable_group_id"
POST https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?api-version=5.1
For ACL management REST API see https://learn.microsoft.com/en-us/rest/api/azure/devops/security/access%20control%20lists/set%20access%20control%20lists?view=azure-devops-rest-5.1
Example request:
"value": [
{
"inheritPermissions": true,
"token": "Library/$project_id/VariableGroup/$variable_group_id",
"acesDictionary": {
"Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1": {
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
"allow": 31,
"deny": 0
}
}
}
]
Warning1 - At the moment the Microsoft doc on that topic is quite incomplete ( see, for example my comment on github issue asking for clarification of variables groups authentication mechanism ).
Warning2 - Be careful with ACL changing requests for ALL variable groups in project ( e.g. token=Library/$project_id/ ), because you might end up with removing permissions from all users on your Ado project and it's could be hard to change it back.
I am afraid it is not possible to set variable groups permission via api.
There is only group id we can get from variable group api below, no resource id in the response.
https://dev.azure.com/{organization}/{project}/_apis/distributedtask/variablegroups?api-version=5.1-preview.1
When i tried fetching the http request trace with F12 chrome. There is a value at the end of request url looks like the source id. And it is the project id combined with the variable group id. Donot know if this is resource guid you were looking for.
https://dev.azure.com//_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/39e13f04-cb4e-4fa8-b2f1-0ee8f4fc82c5%241
I managed to reverse engineer who to do this. If anyone is curious on how it works feel free to talk a look at the powershell library for Azure DevOps I have put together -- https://github.com/ravensorb/Posh-AzureDevOps

Strapi routes return 404 Not found

I have a problem where all routes in my API return 404 Not found. I followed the Pull from Docker Hub section at strapi/strapi-docker.
What I did, apart from running the images, was creating a new Content type called post containing three fields. If I try GET /post (to get all posts added) I get unauthorized response error. This is expected at this stage. After I check Roles & Permissions to allow the Public role to use the find and findOne routes I instead get a 404 Not found response error even though data has been added.
The dev server does not use any prefix.
post routes for find and findOne looks as the following:
{
"routes": [
{
"method": "GET",
"path": "/post",
"handler": "Post.find",
"config": {
"policies": []
}
},
{
"method": "GET",
"path": "/post/:_id",
"handler": "Post.findOne",
"config": {
"policies": []
}
}
}
There are not many options in the strapi interface to fiddle with so I'm not sure what else to try. I have tried a couple of other installations of strapi. Not sure if that could have messed it up but I vaguely remember trying out strapi/strapi-docker before and getting it to work.
I have stumbled upon this issue many times, and the easiest answer usually is:
Have you published any of your posts?
Strapi has a publishing subsystem which is usually turned on upon the creation of any collection, single type or component.
So when you create any content of any created type, the data is saved as draft and is not publicly available.
Here is my link collection type. It is saved, but not published.
So if you are trying to test an endpoint, but you only have one single data entry and it is set to draft, no data will show up.
No data!
In case of a single type that is not published
This will return a 404!
Publish and, voila ...
This could be one reason why strapi is sending you a 404 or only an empty array!
I've had this issue many times as well, even with published content.
Two additional causes could be:
if your content type is posts try /posts as well as /api/posts (the 2nd usually works for me
Under Settings > Roles (the one under USERS & PERMISSIONS plugins) make sure both Authenticated and Public user roles have find and findOne access to the content type.
One time I was getting the 404 even though I did this for Public...but because I was in the same browser as my logged in admin and needed to update it for Authenticated as well.

Alexa Smart Home Skills IoT Alexa.PlaybackController

I have an IoT device that needs to support various operations, one of which is next from the Alexa.PlaybackController. My device is a multimedia device and requires many of the other Controllers as well. I'm including the Alexa.PlaybackController in the discovery response for my devices like so:
{
"type": "AlexaInterface",
"interface": "Alexa.PlaybackController",
"version": "3",
"supportedOperations": ["Next"],
}
I've also tried:
{
"type": "AlexaInterface",
"interface": "Alexa.PlaybackController",
"version": "3",
"properties": {
"supported": [
{"name": "next"}
]
},
}
but neither work. I get a schema error on CloudWatch:
is not valid under any of the given schemas
Looking below at the schema, I see that PlaybackController indeed is not included inside the schema. However, all of the documentation makes it seem like this should be trivial. I'm wondering if I need to include something else to indicate that playback is something that I need.
Is PlaybackController special in some way and unable to be included in combination with other Controllers? I've tried googling about this schema error but it's too vague and nothing's coming up.
Any help would be much appreciated!
__
EDIT:
I see now that video devices seem to get a different set of available Controllers, but there is still reference to using PlaybackController in a lot of places around the regular Smart Home Skill for entertainment devices. Really hope that it's possible!
So should have probably figure this out sooner. I'm using the python validation class provided by Amazon. Turns out that the schema from the same repo simply doesn't include any reference to Alexa.PlaybackController. Therefore, the validation fails every time with the error about mismatching schemas. Maybe they've added some controllers recently and forgot to update the schema.
I submitted an issue to the Smart Home repo here: https://github.com/alexa/alexa-smarthome/issues/62

Basic AWS IAM permissions for an S3 bucket

I'm trying to figure out a basic permission set for an IAM user/key to have to have access to only a single bucket in S3 - only read/write access on an individual bucket.
What set of permissions is the minimum required to make this work? I have all options selected in the IAM policy generator for S3, all permissions enabled on the bucket except CreateBucket and DeleteBucket. I've also created a set of keys specific to this user.
When I try to access the bucket with these credentials, I get a problem listing buckets, even though the ListAllMyBuckets property is enabled.
Anyone have any experience setting up a basic bucket config like this? Seems like it would be pretty common...
The Example Policies for Amazon S3 cover various use cases similar or related to yours - specifically you might probably want to combine Example 1: Allow each user to have a home directory in Amazon S3 with Example 2: Allow a user to list only the objects in his or her home directory in the corporate bucket - you'd just need to adjust the Resource to target your buckets root directory instead, i.e. replace /home/bob/*with *.
Please note that Example 2 facilitates ListBucket, which is an operation on a bucket that returns information about some of the items in the bucket, whereas ListAllMyBuckets is an operation on the service that returns a list of all buckets owned by the sender of the request, so likely not applicable to your use case (see my comment regarding clarification of the latter).
This will permit to list all buckets assuming you are not denying it somewhere else (I am 99% sure deny statements are evaluated first; order does not matter with IAM policies):
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
Permit whatever you want for your buckets (Don't forget the /* also):
{
"Effect": "Allow",
"Action": [
"s3:<Put your actions here; cherry pick from the AWS documentation>"
],
"Resource": [
"arn:aws:s3:::<Bucket name here>",
"arn:aws:s3:::<Bucket name here>/*"
]
}

Resources