I am using CognitoCachingCredentialsProvider to initialise an AWSKMSClient in my android application to get the temporary credentials for authorizing encrypt() operation and ListKeys() of the AWS KMS service. In my IAM role policy, I have specified the authorization to encrypt operation on a specific KeyID and ListKeys operation on all resources. Still I am getting an Access Denied Exception with the error that
assumed-role/Cognito_usernameUnauth_Role/CognitoIdentityCredentials is not authorized
to perform the operation ListKeys on resource *.
(Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID 123456788)
I have run simulation on IAM role Cognito_usernameUnAuthRole and that says that ListKeys operation is allowed.
I am unable to understand why is this happening ? Here is the IAM Policy attached to my role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:ListAliases",
"mobileanalytics:PutEvents",
"apigateway:POST",
"cognito-sync:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "kms:Encrypt",
"Resource": "arn:aws:kms:region:1234:key/123456789”
}
]
}
Related
I'm trying to implement AWS sign in with web UI on my app, followed the documentation and it's working fine but I can't redirect back to my app after sign in.
In my amplifyconfiguration.json :
"Auth": {
"Default": {
"OAuth": {
"WebDomain": "xxxxxxxxxxxx",
"AppClientId": "xxxxxxxxxxxxx",
"SignInRedirectURI": "http://localhost:3000/",
"SignOutRedirectURI": "http://localhost:3000/",
"responseType": "code",
"Scopes": [
"phone",
"email",
"openid",
"profile",
"aws.cognito.signin.user.admin"
]
},
"authenticationFlowType": "USER_SRP_AUTH"
}
}
When I change "SignInRedirectURI": "http://localhost:3000/" to "SignInRedirectURI": "myapp//" instead of the login page it shows this error:
Am I missing something?
You have to pull the amplify auth again or make changes in your awsconfiguration.json and amplifyconfiguration.json file to change the redirect URL.
I'm using following flutter library for Okta integration
https://github.com/sonikro/flutter-okta-sdk
Code is of course, same for Android and iOS App but the JWT token generated for Android and iOS app is having different information when decoded.
Because of this difference token generated by iOS App is getting authenticated by backend server but token generated by Android app is getting rejected as invalid token. This is probably because backend code is configured for "aud" as api://default
Token generated by iOS looks like below. It contains "iss" ending with oauth2/default and aud as api://default.
{
"ver": 1,
"jti": "AT.Mbk7V5Sp1hNRzpHA4JKBoF9dniS4AO_WBPSUgNqJ4Pk",
"iss": "https://org-dev.oktapreview.com/oauth2/default",
"aud": "api://default",
"iat": 1650342083,
"exp": 1650345683,
"cid": "0otyt767ytytE41d7",
"uid": "00iuererere77def1d7",
"scp": [
"email",
"openid",
"profile"
],
"auth_time": 1650342081,
"sub": "abhishek.lastname#org.com"
}
But in case of Android, "iss" is just "https://org-dev.oktapreview.com" and aud is also "https://org-dev.oktapreview.com"
{
"ver": 1,
"jti": "AT.VMgUDc-wJnEXTx4n5I-QyKTI0yMGTqBWw8HA9FE6EPY",
"iss": "https://org-dev.oktapreview.com",
"aud": "https://org-dev.oktapreview.com",
"sub": "abhishek.lastname#org.com",
"iat": 1649419357,
"exp": 1649422957,
"cid": "0otyt767ytytE41d7",
"uid": "00iuererere77def1d7",
"scp": [
"openid",
"profile",
"email"
],
"auth_time": 1649419354
}
Please suggest if something we should do on our code or in flutter okta sdk or backend code
I am new to YouTube APIs. I have done create and fetch live events on YouTube. But I'm trying to start live events from my app I'm getting this error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
POST https://www.googleapis.com/youtube/v3/liveBroadcasts/transition?broadcastStatus=live&id=m0BCwKmG9Ws&key=AIzaSyCRiIM7Tdb_rqFcGSbQ0jXy0GeODCNSq4g&part=status
{
"code": 403,
"errors": [
{
"domain": "youtube.liveBroadcast",
"message": "Stream is inactive",
"reason": "errorStreamInactive",
"extendedHelp": "https://developers.google.com/youtube/v3/live/docs/liveBroadcasts/transition"
}
],
"message": "Stream is inactive"
}
Code for go-live
fun startEvent(youtube: YouTube, broadcastId: String?) {
val transitionRequest = youtube.liveBroadcasts().transition(
"live", broadcastId, "status"
)
transitionRequest.key = context.getString(R.string.api_key)
transitionRequest.execute()
}
I also tried this but still getting the same issue.
I don't know what's wrong with it?
As per the official specification of the LiveBroadcasts.transition API endpoint:
Before calling this method, you should confirm that the value of the status.streamStatus property for the stream bound to your broadcast is active.
The error specification reads as follows:
forbidden (403) errorStreamInactive
The requested transition is not allowed when the stream that is bound to the broadcast is inactive.
Hence, unequivocally, your live stream that's bound to your live broadcast must be active prior to invoking LiveBroadcasts.transition.
This error will be resolved by enabling autostart while creating a live event
val contentDetails = LiveBroadcastContentDetails()
contentDetails.set("enableAutoStart", true)
I am creating an android application which connects to AWS IoT using Amazon Cognito authentication. I am able to authenticate user successfully and I am able get the credentials.
While updating the thing shadow using these credentials always return 403 Forbidden Exception. I have tried all my ways to troubleshoot the issue but I found no solutions.
My IAM Policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:GetThingShadow",
"iot:UpdateThingShadow",
],
"Resource": [
"arn:aws:iot:us-west-2:<my_account>:thing/mythingname"
]
}
]
}
Android code for connecting endpoint:
userSession= AppHelper.getCurrSession();
credentialsProvider=new CognitoCachingCredentialsProvider(getApplicationContext(),POOL_ID,REGIONS);
Map<String,String> logins=new HashMap<String, String>();
logins.put("cognito-idp.us-west-2.amazonaws.com/user_pool_id",userSession.getIdToken().getJWTToken());
credentialsProvider.setLogins(logins);
iotDataClient=new AWSIotDataClient(credentialsProvider);
iotDataClient.setEndpoint(ENDPOINT);
Updating thing shadow:
UpdateThingShadowRequest request=new UpdateThingShadowRequest();
request.setThingName(thingName);
ByteBuffer payloadBuffer=ByteBuffer.wrap(updateState.getBytes());
request.setPayload(payloadBuffer);
UpdateThingShadowResult result=iotDataClient.updateThingShadow(request);
Any help with this regard would be appreciated.
I had the same issue as you. I've found a solution.
That 403 status code mean that you need authorization.
If you read this documentation (near the end) : Publish/Subscribe Policy Exemple it's stated that you need 2 policies to make it work with Authenticated Cognito User. One for the Cognito Identity Pool and another for the Cognito User.
It's not possible to attach a policy to a cognito user with the UI, but you can do it through the CLI.
The command to attach a policy to a cognito user is :
aws iot attach-principal-policy --principal "cognito user id" --policy-Name "policy name"
You can find your cognito user id in :
Cognito > Manager Federated Identities > choose your identity pool > identity browser > and find your identity ID
I use this policy for testing purpose.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:*"
],
"Resource": [
"*"
]
}
]
}
To make it reusable, you need to use a lambda function (here in JavaScript).
var AWS = require('aws-sdk');
var iot = new AWS.Iot();
exports.handler = function(event, context, cb) {
var params = {
policyName: 'your policy',
principal: 'your cognito id'
};
var out = iot.attachPrincipalPolicy(params, function(err, data) {
if (err) cb(err);
else cb(null, data);
});
};
I am able to identify the issue. In my case, I was missing to set region for AWS iot client.
Region region = Region.getRegion(MY_REGION);
mIotAndroidClient.setRegion(region); // I was missing this piece of code
I am trying to use the Google Health API with a REST API. I am aware there is an API available for Android but I am trying to port that behavior to a back end.
I am playing around in the Oauth playground; I am trying to get a aggregated query. I've tried many things but none of them return anything (only get errors) There is no example featured on the google website itself. Anyone has experience with this API?
I have found a few examples here on stackoverflow but none of them conclude with a solution or a full query that can fit as an example.
Here and Here
If I just could get a working aggregate example I would work from there.
Here is my request to https://www.googleapis.com/fitness/v1/users/me/dataset:aggregate:
{
"startTimeMillis": 1451647796000,
"endTimeMillis": 1458127796000,
"aggregateBy": [
{
"dataTypeName": "com.google.height"
}
],"bucketByTime": {
"period": {
"type": "day",
"value": 1,
"timeZoneId": "org.joda.timezone.DateTimeZone"
}
}
}
Response:
{
"error": {
"code": 400,
"message": "Bad Request",
"errors": [
{
"domain": "global",
"message": "Bad Request",
"reason": "invalidArgument"
}
]
}
}
You forgotten "durationMillis" field on "bucketByTime" and "dataSourceId" on "aggregateBy".
Timezone syntax is like "America/Los_Angeles" not "org.joda.timezone.DateTimeZone". You can see this strings on http://joda-time.sourceforge.net/timezones.html