I cannot push my Amplify backend after performing amplify add api for REST APIs. I get the following IAM error in the CLI during the "Creating API models..." stage:
User: arn:aws:iam::xxxxxxxxxxxx:user/tb2-amplify is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-1::/restapis/xxxxxxxxxx/stages/dev/sdks/android because no identity-based policy allows the apigateway:GET action
All I need is a public GET method to read an item from a DynamoDB table. My desired pipeline is android -> Amplify.API.get() -> Lambda Function -> DynamoDB. I have followed every guide available in the Amplify Docs (Libraries/Guides), re-initialized Amplify in the project with API being the only resource, tried to manually add API to the amplifyconfiguration.json file. I am stumped.
Is my desired pipeline the problem? Is there configuration I need to perform before amplify push? Does anyone know why my configured IAM user is not authorized to do this, even though the permission has been granted?
UPDATE
Granting my IAM user full administrator access allows me to amplify push the backend. I am now getting build errors like:
package com.amazonaws.mobileconnectors.apigateway.annotation does not exist
package com.amazonaws.mobileconnectors.apigateway does not exist
These errors appear 6 times in a generated package called tb2api.TbapiClient.Java
Looking into this now. (Looked; I just needed to add implementation 'com.amazonaws:aws-android-sdk-apigateway-core:<version>' to Gradle.)
It appears that the user that the amplify build is using does not have permission for apigateway:GET.
Head over to the tb2-amplify user in IAM and look at the "Permissions policies". You should have a policy named AdministratorAccess-Amplify of type AWS managed. That policy has most of the permissions you need for Amplify projects.
If the user doesn't have that policy, add it, or add the individual permissions needed as you encounter them.
This policy should get you to your next error:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "apigateway:DELETE",
        "apigateway:GET",
        "apigateway:PATCH",
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": "*"
    }
  ]
}
EDIT
Another Amplify user reported an issue that seems the same or extremely similar to what you're experiencing. Try giving your tb2-amplify user full permissions and see if that clears up the issue. If it does, you've narrowed this down. Remove the 'full permissions' after deploying and add to the bug description.
EDIT 2
If giving the user full access works, then maybe narrow it to just the permissions I put above or the managed policy AmazonAPIGatewayAdministrator. Those don't have the 'conditional' statement which may make a difference.
I also strongly recommend visiting the Amplify Discord channel. It's very active.
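As an added illustration of the answer above (this is example code, not part of the post or of Amplify), the block below is a small evaluator for identity-based IAM policies. It replays the exact action and resource from the error message against three policies: a constructed S3-only policy standing in for whatever the user had before (nothing in it mentions API Gateway, which is what "no identity-based policy allows the apigateway:GET action" means), the policy posted in the answer, and a tighter variant scoped to REST APIs in one region, which is my assumption and not something the answer proposes. It also shows that an explicit Deny from any attached policy beats an Allow. Only the parts of IAM needed here are modelled; NotAction, NotResource and Condition are rejected rather than approximated.

```python
# Added example (not from the post): a minimal evaluator for identity-based
# IAM policies, used to show why the CLI's apigateway:GET call fails until a
# statement allows it. Modelled: Allow/Deny, '*' and '?' wildcards in Action
# and Resource, explicit Deny beating Allow, implicit deny by default.
# NotAction, NotResource and Condition are refused rather than guessed at.
import re

# The action and resource from the error message in the question.
DENIED_ACTION = "apigateway:GET"
DENIED_RESOURCE = ("arn:aws:apigateway:us-east-1::/restapis/xxxxxxxxxx"
                   "/stages/dev/sdks/android")

# Constructed stand-in for a policy that grants S3 only: nothing here covers
# API Gateway, which is what "no identity-based policy allows" means.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The policy from the answer above, verbatim.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["apigateway:DELETE", "apigateway:GET", "apigateway:PATCH",
                   "apigateway:POST", "apigateway:PUT"],
        "Resource": "*",
    }],
}

# Tighter variant (an assumption, not from the answer): same actions, but only
# on REST APIs in the one region the error message names.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["apigateway:DELETE", "apigateway:GET", "apigateway:PATCH",
                   "apigateway:POST", "apigateway:PUT"],
        "Resource": "arn:aws:apigateway:us-east-1::/restapis/*",
    }],
}

# Constructed guardrail that forbids deleting APIs; an explicit Deny wins even
# when another attached policy allows the same call.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "apigateway:DELETE",
                   "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters (including ':' and
    '/'), '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            for unsupported in ("NotAction", "NotResource", "Condition"):
                if unsupported in stmt:
                    raise NotImplementedError(f"{unsupported} not modelled")
            # Action names are case-insensitive; resource ARNs are not.
            actions = [a.lower() for a in _as_list(stmt["Action"])]
            resources = _as_list(stmt["Resource"])
            if not any(_iam_match(a, action.lower()) for a in actions):
                continue
            if not any(_iam_match(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # nothing later can override this
            decision = "allow"
    return decision


if __name__ == "__main__":
    for name, pols in [("s3-only", [S3_ONLY_POLICY]),
                       ("answer", [ANSWER_POLICY]),
                       ("scoped", [SCOPED_POLICY])]:
        print(f"{name:8} {DENIED_ACTION} -> "
              f"{evaluate(pols, DENIED_ACTION, DENIED_RESOURCE)}")
```

Running it prints implicitDeny for the S3-only policy and allow for the other two, which is the whole story behind the CLI error: the request was not denied by anything, it simply matched nothing. The scoped variant still allows the call from the error message but not one against an API in another region, so it is a reasonable step down from "Resource": "*" once the push works.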
I am trying to set up the Flutter sign_in_with_apple package but run into problems on the Android side.
What I have done so far, following the package README to the letter:
Set up the glitch.me server. The server is up and listening at https://MYSERVER.glitch.me/callbacks/sign_in_with_apple. I've added a bit of console logging to make sure I know when the server is hit.
Set up the App ID and Service ID on the Apple developer console. The service identifier is com.company.foobar.dev.signin.
Added the glitch callback https://MYSERVER.glitch.me/callbacks/sign_in_with_apple as the return URL in the service configuration.
Copied the activity block from the README into my Android manifest. NOTE: I didn't know what to set the name to. Leave it referring to the package or change it to my app ID? It's currently android:name="com.aboutyou.dart_packages.sign_in_with_apple.SignInWithAppleCallback"
Added this block to my Flutter service:
// The return URL configured for the Service ID in step 3.
final redirectURL =
    "https://MYSERVER.glitch.me/callbacks/sign_in_with_apple";
final appleIdCredential = await SignInWithApple.getAppleIDCredential(
  scopes: [
    AppleIDAuthorizationScopes.email,
    AppleIDAuthorizationScopes.fullName,
  ],
  webAuthenticationOptions: WebAuthenticationOptions(
    clientId: "com.company.foobar.dev.signin",
    redirectUri: Uri.parse(redirectURL),
  ),
);
Unfortunately, the call to SignInWithApple.getAppleIDCredential in step 5 throws an exception and I am seeing invalid_request invalid web redirect url. The glitch server is never even hit, which makes me think that even if I messed up at Step 4 (the intent name in the android manifest) the problem is more likely in the apple developer console setup. However, I am pretty sure I've followed the README and I am running out of ideas.
Hmmm, I threw away the apple developer console service setup for the dev package (with applicationIdSuffix '.dev' and bundleid 'com.company.foobar.dev') and set up the same for the production flavor. This one works as expected.
I am now wondering if Apple doesn't even redirect the request to the glitch server for Android unless the package has a Play Store presence. Comments?
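The post above never reaches the glitch server, which is the behaviour of an authorization server that refuses a redirect_uri it does not recognise before redirecting anywhere. As an added example (not from the post or the sign_in_with_apple package), the block below implements the exact-match redirect URI check that OAuth 2.0 servers are expected to perform, with the edge cases that most often produce a mismatch: a trailing slash, an http scheme, an extra query parameter, a fragment, or userinfo in front of the host. That Apple compares return URLs exactly this way is my assumption; the page does not document Apple's matching rules.

```python
# Added example (not from the post or the package): an exact-match check of
# the kind an authorization server runs on a requested redirect URI before it
# redirects anywhere. Written from the OAuth 2.0 exact-string matching rule in
# general terms; treating it as Apple's own comparison is an assumption.
from urllib.parse import urlsplit

# The return URL registered for the Service ID in the question.
REGISTERED_RETURN_URLS = [
    "https://MYSERVER.glitch.me/callbacks/sign_in_with_apple",
]


def canonical(uri: str):
    """Reduce a redirect URI to the parts that must match exactly, or return
    None if it can never be a valid redirect target."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":        # only TLS return URLs
        return None
    if parts.fragment:                          # fragments are never allowed
        return None
    if parts.username or parts.password:        # userinfo is a spoofing trick
        return None
    try:
        port = parts.port or 443
    except ValueError:                          # non-numeric port
        return None
    if not parts.hostname:
        return None
    # urlsplit lowercases the hostname already; path and query are compared
    # byte for byte, so '/x' and '/x/' are different redirect URIs.
    return (parts.hostname, port, parts.path, parts.query)


def redirect_allowed(requested: str, registered=None) -> bool:
    """True only if the requested URI equals one registered URI exactly."""
    registered = REGISTERED_RETURN_URLS if registered is None else registered
    target = canonical(requested)
    if target is None:
        return False
    return any(target == canonical(r) for r in registered)


if __name__ == "__main__":
    for uri in ["https://myserver.glitch.me/callbacks/sign_in_with_apple",
                "https://MYSERVER.glitch.me/callbacks/sign_in_with_apple/",
                "http://MYSERVER.glitch.me/callbacks/sign_in_with_apple"]:
        print(redirect_allowed(uri), uri)
```

Only the first of the three URIs printed is accepted: the hostname is case-insensitive, but the trailing slash and the plain http scheme are both exact-match failures. When a sign-in fails with an invalid redirect error and the callback server is never hit, diffing the redirectUri the app sends against the registered return URL character by character is the first thing to do.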
I have integrated Firebase authentication with email in my Android app. I have two domain URL prefixes in the Dynamic Links section. By default, Firebase always sends the link with the first domain URL prefix. I tried setting the domain URL prefix in code with this method:
actionCodeSettings.setDynamicLinkDomain(getString(R.string.dynamic_link_url))
but it gives the error "The provided dynamic link domain is not configured or authorized for the current project". Please advise on the correct way of achieving this. Thanks in advance.
If you added a new URL prefix different from the first one, you need to manually update the Firebase Hosting release history.
You can do it by using the Firebase CLI:
Make sure the Firebase CLI is installed.
Run firebase login and select your project.
Run firebase init.
During project initialization, when the Firebase CLI prompts you, select Hosting and Functions:
Hosting: Configure files for Firebase Hosting and (optionally) set up GitHub Action deploys
Continue with the default options.
Once setup is completed it will generate a public folder containing index.html and 404.html, plus .firebaserc and firebase.json.
Then modify firebase.json and add the following:
{
  "hosting": {
    "public": "public",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "appAssociation": "AUTO",
    "rewrites": [
      { "source": "/links/**", "dynamicLinks": true },
      { "source": "/share/**", "dynamicLinks": true }
    ]
  }
}
firebase deploy
Please note that links and share are our two prefixes; you can change the names to anything you want. Also note that these prefixes can be used by different subdomains as well.
I'm doing basically the same as in the question, but in Flutter, setting the dynamicLinkDomain property in the ActionCodeSettings using the EmailLinkProvider,
eg.
dynamicLinkDomain: 'mysuperapp.page.link',
and it seems to work fine.
I did NOT have to do anything with the Firebase CLI or updating the hosting history, as was suggested in the answer from @fadi-abo-msalam.
Given that Flutter would be using the same underlying Android Firebase SDK, perhaps this has been fixed since this question was first asked and it now works for native Android apps as well.
Problem: Firebase Management API method projects.addFirebase returns status code 403
Steps to recreate:
In an Android application I need to create separate Firebase Accounts for Realtime Database. For this purpose I authenticate users with GoogleSignIn.
Then I retrieve a token with the proper scope "oauth2:https://www.googleapis.com/auth/cloud-platform".
In the next step I use the GCP Resource Manager API to create a new GCP project, which will be a container for the Firebase project.
The new project is created successfully on each of the test accounts.
When I try to call the Firebase Management API method projects.addFirebase using the same token I got earlier (same scope), I get the error "The caller does not have permission". This error occurs on 3 out of the 4 accounts I have tried.
I was able to reproduce the same error using the Google APIs Explorer.
I will be grateful for any hints on how to resolve this issue. As I mentioned earlier this error does not occur on one of the accounts I tested, while on the remaining three it happens every time.
Thank you.
Update
@Doug thank you for taking the time to look at my problem. It seems that I have found the cause. After accessing https://console.firebase.google.com and clicking "Add a project", the following popup showed up (I can't paste it directly because my reputation is too low):
Popup link
After I checked all consents and added first project I am also able to make api calls successfully.
It looks like my question should be: Is there a way to grant the required permissions through Resource Manager API calls, so I can add Firebase to an existing Cloud project?
Also for the reference I paste the method I use to call projects.addFirebase, it uses RxJava2 (Android) and Retrofit2.
// Retrofit 2 interface (interface name assumed); base URL https://firebase.googleapis.com/v1beta1/
import io.reactivex.Single;
import retrofit2.http.*;

public interface FirebaseManagementApi {
    @Headers({"Content-Type: application/json"})
    @POST("projects/{project}:addFirebase")
    Single<Operation> addFirebaseToProject(@Header("Authorization") String bearerToken,
                                           @Path("project") String project,
                                           @Body FirebaseDataModel dataModel);
}
Thank you for your help.
Ps. sorry for my bad English, it's not my mother tongue.
I made an android app that uses the aws cognito sdk to login to a user pool. This returns the 3 tokens (id, access, refresh) and I can then call my api gateway. This all works, no problems. However, when I am debugging the app I can't see the call that my app makes to cognito to get these tokens. I have tried adding the verbose logging as per https://docs.aws.amazon.com/mobileanalytics/latest/ug/sdk-logging.html but that hasn't worked. There are 5 endpoints described in the docs https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html but none of them seem to take in the username/password.
The SDK uses the Apache Commons Logging library (JCL) if it is present in the classpath; otherwise it uses android.util.Log.
Using JCL: JCL is a wrapper for popular logging APIs such as Log4J, logback etc. If your app does not take a dependency on any of these, Commons Logging defaults to the java.util.logging package present in the JDK. Configuration of the behaviour of JCL ultimately depends upon the logging toolkit (log4j, logback etc.) being used. Please refer to the documentation for the chosen logging system to adjust the log level. If you are defaulting to the java.util.logging package, you can change the log level as follows:
Add a logging.properties file to res/raw and add the following to onCreate of the MainActivity:
import java.io.InputStream;
import java.util.logging.LogManager;
import java.util.logging.Logger;

Logger logger = Logger.getLogger(MainActivity.class.getName());
// readConfiguration throws IOException, so it must be caught or declared
try (InputStream raw = getResources().openRawResource(R.raw.logging)) {
    LogManager.getLogManager().readConfiguration(raw);
} catch (java.io.IOException e) {
    throw new IllegalStateException("cannot load res/raw/logging.properties", e);
}
Using Android Log: There is no way to change the log level for the entire SDK in this case. However, as a workaround to change log levels for debugging purposes, you can change it for a specific tag with the following command:
adb shell setprop log.tag.<YOUR_LOG_TAG> <LEVEL>
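The answer above covers turning logging on. The sign-in the question cannot find in the logs is an InitiateAuth/RespondToAuthChallenge exchange using SRP, which is why none of the documented endpoints takes a raw password; what the app ends up holding is the three tokens the question names. As an added example (not from the post or the AWS SDK), the block below shows how to tell those tokens apart and what to validate in the two that are JWTs before trusting them. Cognito signs its tokens with RS256 keys published at the user pool's JWKS URL, which is not reachable offline, so the constructed tokens here are signed with HMAC-SHA256 under a made-up key as a stand-in; the issuer, client ID and claim values are assumptions, while the claim names (iss, token_use, aud, client_id, exp) are the ones Cognito tokens actually carry.

```python
# Added example (not from the post or the AWS SDK): telling the three tokens
# apart and validating the two that are JWTs. HMAC-SHA256 under KEY stands in
# for Cognito's RS256 keys; ISSUER, CLIENT_ID and the claim values are
# assumptions chosen for the example.
import base64
import hashlib
import hmac
import json

KEY = b"constructed-stand-in-key-not-a-cognito-key"                    # assumption
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumption
CLIENT_ID = "1example23456789abcdefghij"                               # assumption
NOW = 1_700_000_000   # fixed clock so the example is reproducible


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a JWT with the stand-in signer (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def token_kind(token: str) -> str:
    """'id' or 'access' from the token_use claim; 'opaque' otherwise (the
    refresh token is not a JWT and has no readable claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return "opaque"
    return claims.get("token_use", "opaque") if isinstance(claims, dict) else "opaque"


def verify_token(token: str, expected_use: str, now: int = NOW) -> dict:
    """Check signature, issuer, token_use, expiry and audience; raise
    ValueError on any failure. The key comes from server configuration, never
    from the token's own alg header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(KEY, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"token_use is {claims.get('token_use')!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # ID tokens name the app client in 'aud'; access tokens in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != CLIENT_ID:
        raise ValueError("token issued for another app client")
    return claims


def accepted(token: str, expected_use: str, now: int = NOW) -> bool:
    try:
        verify_token(token, expected_use, now)
        return True
    except ValueError:
        return False


SUB = "00000000-0000-4000-8000-000000000001"   # constructed user id
# Constructed tokens shaped like what a user-pool sign-in returns.
ID_TOKEN = make_token({"sub": SUB, "aud": CLIENT_ID, "iss": ISSUER,
                       "token_use": "id", "cognito:username": "alice",
                       "email": "alice@example.com",
                       "iat": NOW - 60, "exp": NOW + 3600})
ACCESS_TOKEN = make_token({"sub": SUB, "client_id": CLIENT_ID, "iss": ISSUER,
                           "token_use": "access", "username": "alice",
                           "scope": "aws.cognito.signin.user.admin",
                           "iat": NOW - 60, "exp": NOW + 3600})
EXPIRED_ID_TOKEN = make_token({"sub": SUB, "aud": CLIENT_ID, "iss": ISSUER,
                               "token_use": "id",
                               "iat": NOW - 7200, "exp": NOW - 3600})
REFRESH_TOKEN = "constructed-opaque-refresh-token-value"

if __name__ == "__main__":
    for name, tok in [("id", ID_TOKEN), ("access", ACCESS_TOKEN),
                      ("refresh", REFRESH_TOKEN)]:
        print(name, "->", token_kind(tok))
    print(verify_token(ID_TOKEN, "id")["cognito:username"])
```

The two checks people most often skip are the ones that matter at an API Gateway authorizer: token_use, so an access token cannot be passed where an ID token is expected (or the reverse), and the audience, so a token minted for a different app client of the same pool is refused. With real Cognito tokens the HMAC step is replaced by RS256 verification against the key whose kid the header names, fetched from the pool's JWKS endpoint.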
I am trying to run the AWS android samples from the following git repo:
https://github.com/awslabs/aws-sdk-android-samples
I am receiving the following error message:
Unauthenticated access is not supported. (Service: AmazonCognitoIdentityService; Status Code: 400; Error Code: NotAuthorizedException; Request ID: 75be66eb-11b6-11e4-85d9-9933082e5eb2)
I have configured the AWS services as per the steps mentioned in the git repo
url: https://github.com/awslabs/aws-sdk-android-samples/blob/master/S3_TransferManager/README.md
I have included the following jars in libs:
aws-android-sdk-2.0.4-cognito.jar
aws-android-sdk-2.0.4-core.jar
aws-android-sdk-2.0.4-s3.jar
Also I have added the AWS_ACCOUNT_ID, COGNITO_POOL_ID and BUCKET_NAME. I was not sure where to find the COGNITO_ROLE_UNAUTH so I left it at YOUR_COGNITO_UNAUTH_ROLE.
Could anyone tell me what I am doing wrong here?
Sorry that you're having trouble with the sample. There are two things which I think might solve your problem.
First of all, did you enable unauthenticated access in your Cognito identity pool? You can check by going to the Cognito console, going to Edit Identity Pool, and seeing if "Enable access to Unauthenticated Identities" is checked.
Secondly, you'll need to set COGNITO_ROLE_UNAUTH. To do this, you will first need to go to the IAM console and create a Role if you don't already have one. Then, click on the role in the IAM console and click Summary. The first thing under the Summary tab should be Role ARN. Replace YOUR_COGNITO_UNAUTH_ROLE with the value found there.
Hope that helps and I'll see if we can make the docs more clear. Sorry again for the trouble!
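The answer above says to create a role for COGNITO_ROLE_UNAUTH but not what its trust policy has to say. As an added example (not from the post or the sample repo), the block below generates the trust policy such a role needs and then evaluates who could assume it: the Federated principal is cognito-identity.amazonaws.com, the action is sts:AssumeRoleWithWebIdentity, and two conditions pin the role to one identity pool (the :aud key) and to unauthenticated identities only (the :amr key). It also lints a constructed loose variant with no Condition block, which any Cognito identity pool in any AWS account could assume. The identity pool ID is an assumption.

```python
# Added example (not from the post or the sample repo): the trust policy the
# COGNITO_ROLE_UNAUTH role needs, and a check of who it lets in. Only the
# condition shape emitted by unauth_role_trust_policy() is modelled; the pool
# ID is a made-up assumption.
from fnmatch import fnmatchcase

IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # assumption
COGNITO = "cognito-identity.amazonaws.com"


def unauth_role_trust_policy(pool_id: str) -> dict:
    """Trust policy for a role that only unauthenticated identities from one
    identity pool may assume via AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{COGNITO}:aud": pool_id},
                "ForAnyValue:StringLike": {f"{COGNITO}:amr": "unauthenticated"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy: dict, aud: str, amr: list) -> bool:
    """Would an identity whose request context carries this aud (pool ID) and
    these amr values (auth methods) be allowed by the trust policy?"""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != COGNITO:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        wanted_aud = cond.get("StringEquals", {}).get(f"{COGNITO}:aud")
        if wanted_aud is not None and aud not in _as_list(wanted_aud):
            continue
        amr_patterns = _as_list(cond.get("ForAnyValue:StringLike", {})
                                .get(f"{COGNITO}:amr", []))
        # ForAnyValue: at least one amr value must match some pattern.
        if amr_patterns and not any(fnmatchcase(m, p)
                                    for m in amr for p in amr_patterns):
            continue
        return True
    return False


def trust_policy_problems(trust_policy: dict) -> list:
    """Flag Allow statements missing either of the two pinning conditions."""
    problems = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{COGNITO}:aud")
        if not aud or "*" in str(aud):
            problems.append("no :aud condition: any identity pool in any "
                            "AWS account could assume this role")
        amr = cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO}:amr")
        if not amr:
            problems.append("no :amr condition: authenticated and "
                            "unauthenticated identities are treated alike")
    return problems


# Constructed loose variant: Federated principal but no Condition block.
LOOSE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Federated": COGNITO},
                   "Action": "sts:AssumeRoleWithWebIdentity"}],
}

if __name__ == "__main__":
    policy = unauth_role_trust_policy(IDENTITY_POOL_ID)
    print(can_assume(policy, IDENTITY_POOL_ID, ["unauthenticated"]))
    print(can_assume(policy, "us-east-1:other-pool", ["unauthenticated"]))
    print(trust_policy_problems(LOOSE_TRUST_POLICY))
```

The Role ARN the answer tells you to copy into COGNITO_ROLE_UNAUTH is only half of the setup; the other half is that the role's trust policy names your pool ID in the :aud condition, otherwise the NotAuthorizedException goes away while the role becomes assumable from any other identity pool. The permissions policy attached to the role is a separate document and should grant no more than the sample needs (here, access to the one S3 bucket).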